Google’s Phishing Quiz shows why Google AMP (Accelerated Mobile Pages) is a bad idea
Posted by jpluimers on 2019/01/25
This week, Google introduced the [WayBack] Phishing Quiz, a series of questions to see how good you spot phishing emails.
It is a perfect example on why Google AMP is a bad idea: it makes it easier to write phishing mail targeting Google users.
One of the questions is about a password change email seemingly from Google with a link by Google.
The link is really deceptive, as it:
- uses Google AMP (Accelerated Mobile Pages) which are hosted directly through a root path on the Google main domain: the URL starts with https://google.com/amp
- Especially on mobile, Google accelerates a lot of things through Google AMP, so a link on mobile that looks like this might be legit
This will deceive a lot of people as they are trained to look at the main domain to assess authenticity: google.com
That combined with an email domain that also looks being from Google (with so many real word top-level domains, many would not be surprised getting email from no-reply@google.support)
Just look at the below screenshot to see how deceptively this trick is.
Solution
The only solution is for people to learn that URL shorteners are evil: they mangle URLs. Which kinds of defeats both URL shorteners, and Google AMP (which also mangles URLs).
Postscript
Google already stopped with their URL shortener (see for instance [WayBack] Google is shutting down its goo.gl URL shortening service), so I wonder when they will stop with AMP.
--jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment