Date: 2021-08-11



The GreatHorn Intelligence Team confirmed that between the first quarter of 2021 and the second quarter of 2021, phishing attacks abusing Google’s open redirects in Google Meet and Google DoubleClick increased by 84%. Open redirects on these platforms let threat actors evade detection by most email security solutions, so that their emails reach the inbox and the links appear trusted. These attacks primarily aim to make users victims of credential collection, payment fraud, and automatic malware downloads.

What is an open redirect?

An open redirect occurs when a legitimate domain lets user-supplied input determine the destination URL, so that anyone who clicks the link is redirected to whatever destination URL was supplied.

Why are open redirects dangerous for users?

Most email security solutions cannot identify misuse of open redirects when analyzing URLs in real time. If the particular full URL is not already identified as known bad, the link passes through the email security solution and reaches the inbox. Attackers use real, trusted domains that allow open redirects, such as Google, to trick users more effectively into clicking links and becoming victims of attacks.

Google DoubleClick

Google DoubleClick is an advertising technology that provides marketers with in-depth analysis and insights to better serve ads based on user behavior. DoubleClick is known to have carried this security vulnerability since 2008, after its acquisition by Google. Since then, the vulnerabilities introduced by open redirects and this type of access have not been addressed. In 2014, doubleclick.net was also identified as being used in known malvertising campaigns.

The open redirects in the phishing campaigns identified by the GreatHorn threat intelligence team all share a similar structure: the attacker adds an ad URL (shown as adurl=) that redirects users to a destination site which appears to be legitimate but is actually malicious. Note that the attacker does not need a DoubleClick account to create the redirect. Instead, anyone can modify the DoubleClick URL to change where it redirects.

http://googleads.g.doubleclick.net/pcs/click?adurl=https%3A%2F%2Ftm74k.codesandbox.io/YnJlbnQucmFnc2RhbGVAY2hpY2stZmlsLWEuY29t&c=R,6,65f05392-f8de-4117-b270-51af0e

From the first quarter of 2021 to the second quarter of 2021, the use of Google’s DoubleClick platform to send malicious links increased by 141%.

Google Meet

Google Meet teleconferencing is a widely used and recognized service that is included in Google Workspace subscriptions. In fact, during the COVID-19 pandemic, Google reported over 100 million Meet conference attendees daily. Because of this widespread use and the trust associated with the number one brand on the market, leveraging open redirects on it has become a common practice among threat actors. From the first quarter of 2021 to the second quarter of 2021, the use of the Google Meet platform to send malicious links increased by 57%.

The open redirects in the phishing campaigns identified by the GreatHorn threat intelligence team all share a similar structure: the attacker adds a link redirect (shown as linkredirect?) to tell the browser which destination site the user should be sent to. Unfortunately, the meet.google.com/ domain makes the link look like a legitimate site, but the destination site found after the URL parameter dest= is malicious.

https://meet.google.com/linkredirect?authuser=0&dest=https%3A%2F%2Fglowforge.chargebee.com%2Fsubscriptions%2F31441895%2Fdetails

Phishing emails using Google DoubleClick and Google Meet:

These emails do not pretend to be from Google itself; they use the Microsoft brand instead. The success of these campaigns nevertheless rests on the trust placed in Google’s domain authority. Because most email security platforms look only at the root domain instead of analyzing the redirect, these links bypass traditional email security that would normally block the malicious sites.

All links embedded in the email lead to similar destination URLs where user credentials are collected, and some destination sites also deploy automatic malware downloads.
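
Both URL structures described above carry the real destination in a query parameter (adurl= for DoubleClick, dest= for Google Meet), so a link scanner can extract that destination and evaluate it instead of the Google root domain. The following Python code is an added example, not GreatHorn's own; the function names and the example.test sample URLs are constructed for illustration, and following nested redirectors goes beyond the single-hop links shown in the article.

```python
from urllib.parse import urlsplit, parse_qs

# Redirector endpoints and the query parameter that carries the destination,
# taken from the two URL structures described in this article.
REDIRECTORS = {
    ("googleads.g.doubleclick.net", "/pcs/click"): "adurl",
    ("meet.google.com", "/linkredirect"): "dest",
}

def redirect_target(url):
    """Return the embedded destination URL, or None if url is not a known redirector."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    param = REDIRECTORS.get((host, parts.path.rstrip("/")))
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)  # parse_qs percent-decodes once
    return values[0] if values else None

def effective_host(url, max_hops=5):
    """Unwrap chained redirectors (bounded) and return the host that should be scored."""
    for _ in range(max_hops):
        target = redirect_target(url)
        if target is None:
            break
        url = target
    return (urlsplit(url).hostname or "").lower()

# Constructed sample links (placeholder destinations, not taken from real campaigns).
SAMPLES = [
    "http://googleads.g.doubleclick.net/pcs/click?adurl=https%3A%2F%2Flogin.example.test%2Fsignin&c=R,6",
    "https://meet.google.com/linkredirect?authuser=0&dest=https%3A%2F%2Fportal.example.test%2Fdetails",
    # Meet redirect wrapping a DoubleClick redirect (inner URL is double-encoded).
    "https://meet.google.com/linkredirect?dest=http%3A%2F%2Fgoogleads.g.doubleclick.net"
    "%2Fpcs%2Fclick%3Fadurl%3Dhttps%253A%252F%252Flogin.example.test%252F",
    "https://meet.google.com/abc-defg-hij",  # ordinary meeting link, no redirect
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(urlsplit(link).hostname, "->", effective_host(link))
```

A scanner would pass the result of `effective_host` to its reputation or sandbox checks, so the verdict reflects the destination site as well as the trusted domain in front of it.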

To protect users and organizations from attackers using Google DoubleClick and Google Meet, GreatHorn advises security teams to analyze both the domain authority and the destination site, and to understand how to prevent users from becoming victims of open redirect attacks. Find out more about how to protect users and your organization from open redirects.

