How Google helps scammers via Google Sites


It seems everyone is using Google’s free services. Its search engine is the most visited website in the world. Over a billion people depend on Gmail for their email. Google Meet offers multi-user remote video conferencing at no cost.

And more and more bad actors are using Google Sites to defraud and scam people every day. Wait, what?

Google has a problem. While its free services are great for making online tools more accessible to people around the world, they also provide scammers with an easy way to set up shop. Without having to reveal their identity via credit card or billing address to make a payment, fraudsters can easily weaponize these products to carry out their scams.

Most people are familiar with products like Gmail and Google Meet and know that anyone can use these services. But Google Sites is a much lesser-known service. And the Google Sites service, which allows users to create web pages, provides considerable help to scammers looking to hide behind a veil of trustworthiness: a website under the domain name Google.com.

“At Google Sites, we explicitly prohibit phishing and we invest heavily in detecting, deterring and removing abuse from our platforms,” a Google spokesperson said in a statement provided to Mashable.

Google is aware of the problem. However, scams enabled by Google Sites persist. And they’re not hard to find.

Google has gone phishing

Phishing is a classic online scam tactic in which a bad actor copies the design of a trusted website, such as a user’s bank, in order to trick the individual into entering sensitive information that the scammer can then collect. Scammers have managed to host such phishing pages on Google Sites.

“I first came across this scam myself while searching Google for ‘Google Ads,’” SEO consultant Matt Tutt told Mashable.

Tutt had already written about his own experience of coming across Google Sites scams in 2020. Like many people, Tutt decided to just Google the website he wanted to visit instead of typing the URL directly into his web browser’s address bar. He clicked on the first link – a Google ad – on the search results page, assuming it would be the official Google Ads website.

“It looked pretty legit, and honestly, I probably let my guard down, because I wouldn’t have imagined that anyone other than Google could run ads for the keyword ‘Google Ads,’” he explained. “I was shown the standard Google Ads home page – or so I thought I was! When I logged in, I noticed the URL was slightly different, and that’s where I was struck: I was not on the official Google Ads place page.”

“Luckily I hadn’t entered my login credentials, but I was struck by how easily I was almost fooled, given that I work as an SEO specialist and have been doing so for over 10 years!” Tutt continued.

If he had entered his password on this fake Google Ads page, he would have sent his credentials directly to a scammer. And if these Google Sites phishing pages could almost fool a search professional like Tutt, chances are the scammers will succeed with less sophisticated users.

The problem is that every page published with Google Sites can be accessed under the “sites.google.com” URL structure. And, from cybersecurity experts to tech-savvy family members, anyone who’s ever tried to educate people on how to avoid phishing scams has always stressed the importance of watching the URL. If it’s not the one you trust, you shouldn’t click or provide any sensitive information on the page. This is sound advice. But scammers are constantly evolving. Over the years, they have refined their tactics and weaponized subdomains, like “YourBank.ScammersDomain.com”. In response, users were told to look specifically at the word just before the “.com” domain extension. If it’s unfamiliar to you, you probably shouldn’t trust it.


But every user-generated web page published with Google Sites can be accessed through the URL “sites.google.com”. Even a scammer’s phishing website, which may be called “sites.google.com/yourbank”. The main keyword just before the “.com” is Google, right? The Big Tech megacorporation. The largest search engine in the world. The most popular website in the world. If that’s not a trustworthy domain, then nothing could be, right? And that’s why scammers love Google Sites.
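As an added illustration (not part of the Mashable article), here is a defender-side link check that applies the “look at the domain before .com” rule the article describes and flags the two ways it breaks down: the “YourBank.ScammersDomain.com” subdomain trick, and a page hosted on a trusted domain that anyone can publish to, such as sites.google.com/yourbank. The list of user-content hosts and the trusted-domain map are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts where anyone can publish pages under the provider's own domain.
# sites.google.com is named in the article; docs.google.com is an added assumption.
USER_CONTENT_HOSTS = {
    "sites.google.com": "Google Sites",
    "docs.google.com": "Google Docs/Forms",
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a production checker should
    consult the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str, trusted: dict) -> tuple:
    """Return (verdict, detail) for a link.

    `trusted` maps a registrable domain the user actually trusts to its brand
    name, e.g. {"yourbank.com": "YourBank"} (hypothetical values). Verdicts:
      user-content        trusted provider domain, but a host anyone can publish to
      lookalike-subdomain a trusted brand appears only as a subdomain label
      trusted             host belongs to a trusted registrable domain
      unknown             none of the above
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown", "no host in URL"
    # Path-based hosting: the registrable domain is google.com, but the page
    # content after the first slash belongs to an arbitrary user.
    if host in USER_CONTENT_HOSTS:
        first_segment = parts.path.strip("/").split("/")[0] or "(root)"
        return "user-content", (f"{USER_CONTENT_HOSTS[host]} page '{first_segment}' "
                                "is published by a third party, not the provider")
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted", f"registrable domain {reg} is in the trusted list"
    # Subdomain trick: the brand sits left of the registrable domain, which is
    # the part that actually identifies the owner.
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    for brand in trusted.values():
        if any(brand.lower() in label for label in sub_labels):
            return "lookalike-subdomain", f"'{brand}' appears only in a subdomain of {reg}"
    return "unknown", f"registrable domain {reg} is not in the trusted list"
```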

Direct-to-consumer scams

The scammer who almost tricked SEO consultant Tutt showed considerable boldness in targeting people who were probably more tech-savvy than most. But most of these Google Sites scammers have their sights set on much easier targets.

I first learned how bad Google Sites scams had gotten when a family member fell victim to one. Looking to activate YouTube on their TV, the relative searched for the YouTube TV activation URL instead of entering it directly into the web browser. A Google Sites phishing page appeared on the front page of Google, mimicking the look of an official YouTube site. In my investigation, I saw how highly Google ranked a phishing site on the first page for a search query about its own sister company, YouTube. Since Google ranks Google Sites pages highly, these phishing pages enjoy a high ranking for many related search terms.

A screenshot showing how well Google Sites phishing scams targeting YouTube users ranked in Google Search from August 2021.
Credit: Mashable screenshot

The site asked the family member to enter the provided code to activate YouTube on their TV. Of course, that didn’t work; the Google Sites page was set up so that it wouldn’t. The scam website then informed my family member that they needed to call a phone number to activate YouTube on their TV. When they called the number, they were connected directly to a scammer, who talked them out of hundreds of dollars by presenting it as a small temporary charge used only to confirm the activation of their YouTube account on their TV.

Since publishing this article last year, I’ve heard of a handful of readers who have fallen for similar scams using Google Sites, like the one that scammed users trying to enable Amazon Prime Video.

In 2020, cybersecurity firm Armorblox published a report on a growing phenomenon: scammers using free Google services like Google Docs, Google Forms and, of course, Google Sites.

From American Express to Microsoft Teams to a target’s payroll provider, Armorblox has uncovered a slew of brand-impersonation phishing schemes built on these free services, Google Sites among them.

“Although Google…[does] remove many of them, they are slow to respond to emerging attacks, giving the attacker days or even weeks to launch attacks,” Brian Johnson, Chief Information Security Officer at Armorblox, told Mashable. “The Whac-A-Mole game of getting ’em taken down is an endless battle.”

While the free nature of Google Sites and the cover provided by the Google.com domain are significant reasons why it attracts bad actors, there are also more technical ones.

“Due to the use of these URLs and domains for multiple legitimate purposes, native email security filters are unlikely to block these inherently trusted links,” Johnson explained.

Plus, says Johnson, when Google successfully takes down a phishing website, the scammer can quickly get everything back up and running.

“They make it so easy to use and launch and create another account again,” he continued. “This allows attackers to continue to launch a steady stream of attacks even when they are knocked out.”

What’s next? Crypto scams, of course!

Although Google has responded to Google Sites scams and shut down many phishing pages, this hasn’t deterred the scammers. And it might not be so shocking to find out where these bad actors smell money next: cryptocurrency.

A new report from cybersecurity firm Netskope has revealed that over the past year, scammers have weaponized Google Sites pages in order to steal users’ crypto wallet and account credentials on platforms such as MetaMask and Coinbase.

Google Sites MetaMask Scam

Netskope’s report provides a sample Google Sites phishing page in addition to the MetaMask homepage it copied.
Credit: Netskope

These scams work much the same as other Google Sites scams. The scammer creates a page that looks like the MetaMask or Coinbase login page; it offers users the option to provide their username and password or a secret recovery phrase to log in. Of course, once the user enters this information, they do not actually log into their crypto wallet or crypto exchange account. They simply pass their account information to the scammer.


An interesting difference noted by Netskope: with crypto-related Google Sites scams, scammers are very proactive. In previous Google Sites phishing schemes, most scammers seemed to sit back and let Google Search deliver an endless supply of new targets, who would either willingly enter their private information or call fake support numbers. Netskope’s report revealed that many crypto-scam Google Sites pages are actively pushed in blog and social media posts across the web.

Be on the lookout for that “sites” subdomain before the “Google.com” URL the next time you come across a webpage that appears to be from the most trusted domain name in the world. It might just be a scammer.
