A hacking team reportedly linked to the Russian government has been utilizing a security flaw in a Google service to launch attacks on investigative journalists. The web giant knew about the vulnerability and took some measures to fix it but without disclosing what they were so that they could be subjected to peer-review.

The security bug lies within Google's implementation of a new internet standard it has been trying to promote called Accelerated Mobile Pages (AMP). Google has marketed AMP as a way of optimizing web pages for smartphones. Launched in late 2015, AMP is designed to provide simpler versions of websites that can load faster on the often slower data connections and microprocessors used by mobile devices.

Advertisement:

To further speed things up for smartphone users, Google preloads copies of AMP pages listed in search results so they can be instantly loaded if they are subsequently clicked. The only way this background loading of pages can be accomplished is to give the cached pages Google.com URLs.

Such pre-rendered AMP pages created by Google show the originating domain at the top of the webpage content area. But within a mobile web browser's address bar -- at the very top of the screen -- they nonetheless appear to be from Google’s website. Furthermore, the disclaimer showing where the page actually originates will disappear as the user scrolls down the page, while the Google address will not. This effect can be seen in the video below.

Thanks to heavy promotional efforts by Google, AMP has been widely adopted. But it has also remained controversial within the web publishing industry. Primarily, its critics have raised concerns that AMP pages obfuscate true URLs, limit the interface that sites can present to their readers, and encourage searchers to never leave the Google site.

Advertisement:

“Why would any website turn their entire mobile audience — a majority share of their total audience, for many sites today — over to Google?” well-known blogger and programmer John Gruber wrote shortly after AMP was unveiled.

Other technical-minded critics of AMP have noticed its potential for abuse by junk websites. Since AMP webpages can be accessed via Google addresses, they appear more credible than random domain names or blog hosting sites like WordPress.

In December, tech journalist Kyle Chayka also noted that AMP and Facebook’s competing “Instant Articles” feature allow junk websites that publish nonsense or conspiracy theories to share many of the same visual features as legitimate news sites. “All publishers end up looking more similar than different. That makes separating the real from the fake even harder.”

Advertisement:

“Google AMP is bad news for how the web is built, it's bad news for publishers of credible online content, and it's bad news for consumers of that content,” computer book publisher Scott Gilbertson wrote earlier this year in an essay titled “Kill Google AMP before it KILLS the web.”

Beyond its potential for abuse by dishonest web publishers, Google’s approach to caching AMP webpages and providing Google.com addresses for them is a prime target for cyber-criminals who steal account information using a technique known as phishing. Most computer users have encountered this at some point: Fake security alerts designed to look like messages from legitimate companies, inviting targets to visit plausible-looking websites set up solely for the purpose of capturing passwords.

Advertisement:

Since phishing has become much more common, network administrators have made a habit of telling users never to click on password reset links that go to different domains. Because of the way that Google has implemented AMP, however, Gmail users and people using Google apps for institutional use are now more vulnerable to such attacks. Phishers who use AMP pages can thereby employ official "google.com" web addresses to direct users to malicious sites.

“This is a serious bug in my opinion,” web programmer Ray Etornam wrote to Google, in a report he filed last November on the software development site Github discussing how fake news publishers can use AMP to gain legitimacy. Commenting on the report that Etornam had submitted, another developer named Christian Gloddy repeatedly tried to warn Google about the security implications of its AMP implementation.

“The most common advice to avoid phishing and scams is ‘check the domain in the address bar.’ Not at the text that might be below the address bar,” he wrote in one comment.

Advertisement:

Multiple other developers underscored that warning to Google even as Malte Ubl, the company employee in charge of AMP, pushed back insistently against the criticism. “The Google Search viewer clearly attributes the original domain at the top,” he wrote. “I don't agree that an unsophisticated user could be fooled by this.”

Ubl’s defenses were unpersuasive to the developers he was trying to convince, however.

“I think this issue is going to bite Google when least expected and in a very public and negative way,” John Pettitt, co-founder of a credit card payment system called CyberSource, wrote in the discussion thread.

Advertisement:

* . * . *

While Google was busy defending its AMP implementation, hackers affiliated with the cyber-criminal group sometimes referred to as Fancy Bear, Strontium or APT28 were busy exploiting these very same flaws to try to steal passwords from Gmail users.

Frequently associated with Russian government intelligence operators, Fancy Bear’s hackers had accrued a legendary reputation even before they were alleged to have participated in a series of cyberattacks against organizations affiliated with the Democratic Party last year. According to Microsoft executive vice president Terry Myerson, Fancy Bear was responsible for more viruses utilizing previously unknown vulnerabilities than any other hacking confederation.

Thus far, most of the people known to have been pursued by Fancy Bear through a Google AMP exploit appear to have been journalists who were investigating allegations of corruption or other wrongdoing by people affiliated with the Russian government.

Advertisement:

One such target was Aric Toler, a researcher and writer for the website Bellingcat who specializes in analyzing Russian media and the country’s relationship with far-right groups within Europe and America. He was also part of a Bellingcat investigative team that uncovered evidence that Russian-backed rebels had mistakenly shot down Malaysia Airlines Flight 17 over Ukraine in 2014, killing all 298 people on board.

A month before critics of Google’s AMP implementation began warning about security vulnerabilities, Fancy Bear was utilizing them to target Toler in two separate fake password-reset messages sent to his personal account. These messages, which Toler provided to Salon, utilized an even more sophisticated form of password theft called “spear-phishing,” which combines standard phishing techniques with specific personal information gleaned about the target via social media and public mailing lists.

On Oct. 12, 2016, Toler received an email supposedly from Google alerting him that he had recently changed his security settings to enable older email programs to access his account. “Please be aware that it is now easier for an attacker to break into your account,” the message warned. It invited him to click on a Google AMP URL redirected to a fake webpage designed to capture his email credentials and transmit them to hackers.

The next day, Toler received a second message claiming to be from Google alerting him that “government-backed attackers may be trying to steal your password.” The malicious email instructed him to “Change password” by clicking on another Google AMP webpage. The second message appears to have been crafted in response to a tweet Toler had published on Oct. 11 in which he reported receiving a legitimate email from Google warning him about “government-backed attackers.”

Advertisement:

These messages were not sent to Toler at random. They were among 14 emails that he received in 2015 and 2016 trying to extract his account information out. Notably, the earlier messages used a less-sophisticated fake link, one created using the URL shortener Bitly that most reasonably web-savvy people would understand not to click. As the hackers grew more desperate to steal Toler’s information, they used progressively better methods.

A screenshot of a forged email from Google that Russian-linked hackers sent to journalist Aric Toler in an attempt to steal his account information.

Despite their improved technique at exploiting the AMP vulnerability, the hackers who targeted Toler got sloppy. They reused a free email account registered to annaablony@mail․com that had been had used in several previous operations, including creating a domain used in a different phishing attack that the cybersecurity firm ThreatConnect had archived in its database of known hacker activities.

“ThreatConnect analyzed the phishing emails Bellingcat received and identified connections to the Russian threat actor known as FANCY BEAR/APT 28/Sofacy,” a company representative told Salon. “These emails attempted to lure their targets by taking them to a fake Google login page where they would enter their credentials. To do this, the attackers leveraged both Google's AMP services and link shortening services to obscure the fact that the page was not a legitimate Google site and to make it look readable if the target was using a mobile phone.”

Advertisement:

* . * . *

Toler and his Bellingcat colleagues did not fall for Fancy Bear’s AMP attacks. But another journalist who writes frequently about Russia, David Satter, was taken in by a similar AMP phishing message sent via the annaablony@mail․com address.

Shortly after Satter was tricked into visiting the fake website and entering his password, a program that was hosting the site logged into his Gmail account and downloaded its entire contents. Within three weeks, as the Canadian website Citizen Lab reported, the perpetrators of the hack began posting Satter’s documents online, and even altering them to make opponents and critics of Russian President Vladimir Putin look bad.

Commenting on Satter’s case in May, John Gruber, the software developer and early AMP skeptic, stressed that even an advanced web user might be fooled by a malicious AMP webpage.

“A huge reason that phishing works is that most people just aren’t technically savvy enough to tell a phony-looking URL from a legitimate one,” he wrote. “But a URL that really is coming from the google.com domain — that’s the sort of link that even a web developer might think looks legit, especially at a glance.”

While the creator and "tech lead" of Google's AMP project, Malte Ubl, has been publicly dismissive of external web developers criticizing AMP, the company says it has “made a number of changes” to its implementation, although it will not explain what they are. This tight-lipped behavior about its own policies and conduct has made Google notorious in the tech world, even as the company demands transparency from other public actors.

In a statement before this story was published, a Google representative claimed that AMP links are protected by its “Safe Browsing” technology. The company did not specify when it had implemented this protection, however. After this story was published, a Google representative told Salon that the Safe Browsing screening of AMP addresses was implemented in early January of 2017.

Under the system, AMP URLs when created via a webpage are first visited by a Google security scanner which attempts to verify if they have malicious content on them.

"Every AMP page that can be linked to through google.com/amp has at least been 'visited' by Google's system," a company representative told Salon.

On occasions when Google has not pre-screened a webpage, the AMP redirect will display a "redirect notice" which informs the user that he/she is being taken to a different address. The page also offers the users a chance to return to the last site they had visited "If you do not want to visit that page."

While more helpful than simply redirecting, the notice is likely to be unhelpful for computer novices simply just trying to reset their passwords since it's written in web developer jargon and does not explain that clicking the link could potentially be hazardous.

As this article was being researched and Salon contacted Google for comment, Ubl blocked public comments on the Github bug report filed about Google’s AMP implementation.

At press time, Google is still serving AMP webpages listed in search results from the Google.com domain. One such article from a fake news website claimed that Google was itself suppressing evidence about the existence of the imaginary planet Nibiru.

"More things ... will come on Google's side in the future and we are working with browser vendors to eventually get the origin right," Ubl wrote in a February update.

Despite those assurances, however, some people who work with large web media companies are beginning to get nervous.

"We've been supportive of AMP as much as it benefits competition and leverages the open web," Jason Kint, CEO of a web publishing trade association, told Salon. Kint's group, Digital Content Next, counts most U.S.-based television networks, the New York Times, the Washington Post, and many other prominent websites as members.

"This report of an ongoing security issue is troubling and exactly why consolidation of power and closed standards are problematic," Kint said. "The sooner AMP migrates to the open web and becomes less tied to the interests of Google, in every way the better."

This story has been updated to include information about a partial fix to the AMP security issue described in this article.