Google AMP links are used for phishing

Google's AMP pages are increasingly used because of the fast loading experience they give on mobile phones. In a previous article I noted that, when they are opened from Google search results, they are served from Google's cache, which makes them even faster.

This is what cyber criminals are taking advantage of: phishing attacks that disguise fake URLs as AMP links. The following image, published on motherboard.vice.com, shows an example:

Fake email with AMP link

The message pretends to come from Google and asks you to change your account password because of an alleged compromise. The link starts with https://www.google.com, so at first glance it looks safe, but clicking it lands you on a phishing page.

AMP format: https://www.google.com.uy/amp/pagina-de-phishing.com

The format they use is that of AMP pages loaded from Google search results. Such a link either redirects to the destination URL (which can be a malicious one) or directly displays the AMP content, which could itself be malicious.

AMP URL that is loaded when accessing from Google
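As an added defensive example (not part of the original article), the following Python unwraps Google AMP viewer links of the format shown above to reveal the real destination host, and scans a constructed sample e-mail for them. It assumes the AMP viewer convention that `/amp/s/` marks an HTTPS origin and plain `/amp/` an HTTP one; the host regex and the sample message are my own.

```python
import re
from urllib.parse import urlparse, unquote

# Matches google.<tld> with an optional country suffix, e.g. google.com, google.com.uy
# (assumed pattern for this example; not an exhaustive list of Google domains).
GOOGLE_HOST_RE = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_google_amp(url):
    """Return the destination URL hidden behind a Google AMP viewer link,
    or None if `url` is not a google.*/amp/ link.
    In AMP viewer URLs, '/amp/s/' marks an HTTPS origin and plain '/amp/' an HTTP one."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    if not GOOGLE_HOST_RE.match((parsed.hostname or "").lower()):
        return None
    path = unquote(parsed.path)
    if not path.startswith("/amp/"):
        return None
    rest = path[len("/amp/"):]
    if rest.startswith("s/"):
        return "https://" + rest[2:]
    return "http://" + rest


def find_amp_wrapped_links(text):
    """Scan an e-mail body and return (visible_link, real_destination_host) for
    every Google AMP link, so a filter or analyst sees where the click really goes."""
    findings = []
    for link in URL_RE.findall(text):
        dest = unwrap_google_amp(link)
        if dest is not None:
            findings.append((link, urlparse(dest).hostname))
    return findings


# Constructed sample message mimicking the phishing e-mail described in the article.
SAMPLE_EMAIL = """Your Google account was accessed from an unknown device.
Reset your password now: https://www.google.com.uy/amp/pagina-de-phishing.com/login
Legitimate AMP link for comparison: https://www.google.com/amp/s/example.org/news/story
Help centre: https://support.google.com/accounts
"""

if __name__ == "__main__":
    for link, host in find_amp_wrapped_links(SAMPLE_EMAIL):
        print(f"{link}\n  -> really goes to: {host}")
```

A mail filter can compare the unwrapped host against the brand the message claims to come from, or simply show the real destination to the user before the click.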

It is a fairly simple attack to carry out and can fool many people, since the fake link looks trustworthy at first glance. The technique also helps the attackers get past some spam filters more effectively.

It is one more reason to use two-factor authentication whenever possible: if we ever fall for a phishing page without realizing it, at least the attackers will not be able to get into the account even though they have stolen our password.