By Jessica Ellis | October 28, 2020
Widely-used URL tracking systems are often abused in phishing attacks. The domains used by these systems are commonly known and trusted, making them attractive carriers for phishing URLs. To illustrate how it works, this post breaks down a recently-observed phishing attack that uses Google Ads’ tracking system to evade email filters.
How it works
Piggybacking on a domain is appealing to threat actors not only because it increases the odds of making it past spam filters, but also for ease of creation. By editing an existing URL, the burden of setting up their own redirect is removed, and they are able to take advantage of infrastructure already in place to launch their campaign.
URL tracking systems use parameters to pass through various pieces of information for managing advertising campaigns. One of these parameters is typically the final URL that the ad service should redirect users to after they have clicked on the tracking link. For Google Ads, this is the adurl parameter.
By replacing adurl value with a phishing link, threat actors can easily subvert a legitimate Google Ads tracking URL and use it in attacks.
To demonstrate this, we took a Google Ad tracking URL, and modified the adurl value to our website:
In addition to googleadservices.com, a few other well-known domains abused using this tactic include:
Usage in a Real Attack
The example below shows how this technique was used in a recently-observed attack. In this attack, the threat actor sends the victim a message falsely indicating that an unauthorized party has accessed their PayPal account.
The victim is prompted to click Account Verification to access what they believe is an authentic PayPal login page.
Instead, the threat actor has turned the legitimate Google advertising URL into a malicious redirect by placing their intended destination at the end of the URL. The redirect leads the victim to a fake PayPal login page where the victim is to enter their account credentials.
The highlighted section above is the malicious destination.
Why this Method is a Favorite Among Criminals
The threat actor benefits from using this style of attack multiple ways. First, they no longer have to set up their own redirect infrastructure. Instead, they can take advantage of the redirect infrastructure already created by tracking URL systems.
Secondly, the domains they are sending are more trusted and less likely to be blocked by spam filters before reaching a user inbox.
Lastly, these tracking URLs expire after a certain amount of time. Once that happens, clicking the link results in a 404 response instead of redirecting to the phishing site. This can help limit exposure and reduce the risk that the phishing attack would be detected after the fact, leaving victims unable to report the malicious content.
This is not the first time the URL tracking system used by Google Ads has been abused to enable phishing attacks. Threat actors have exploited Google Ads infrastructure in the past, even using the advertisements themselves to distribute phishing content. The reemergence of this particular attack method using Google adurls suggests these types of campaigns are effective as well as undemanding of the criminal. PhishLabs is continuing to monitor this tactic as it evolves.