Fancy Bear exploits security flaw in Google’s AMP standard to target journalists

Infamous Russian hacker group Fancy Bear recently exploited a flaw in Google’s AMP internet standard to target journalists investigating the Russian government or people affiliated with it.

Google refused to patch a serious vulnerability in AMP that allows hackers to create malicious sites using “” web addresses.

Google’s Accelerated Mobile Pages (AMP) internet standard was recently designed and launched to optimise traditional websites for smartphones and also to ensure that such websites load faster even if data connections are slow.

According to Salon, to ensure quicker loading, ‘Google preloads copies of AMP pages listed in search results so they can be instantly loaded if they are subsequently clicked. The only way this background loading of pages can be accomplished is to give the cached pages URLs.’

While this makes browsing more convenient for smartphone users, security experts have, since AMP’s introduction, warned of a particular vulnerability in the feature that could allow hackers to conduct spear phishing attacks on unsuspecting users.

Earlier, hackers had limited chances of success when they redirected users to unfamiliar links; AMP now gives them a far higher chance of success. Thanks to AMP, hackers can create malicious websites with domain names, leading users to believe that the malicious websites are genuine.
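The defensive check that follows is an added example, not code from the article: it unwraps a Google AMP viewer or AMP cache URL to reveal the real destination host, so a mail gateway or a cautious user can compare where a "password reset" link actually lands against the host they expect. The URL layouts it recognises (`/amp/s/<host>/<path>` on google.com and `/c/s/<host>/<path>` on cdn.ampproject.org) are assumed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit, unquote

# Assumed hosts that serve Google's AMP viewer and AMP cache (example values)
AMP_VIEWER_HOSTS = {"www.google.com", "google.com"}
AMP_CACHE_SUFFIX = ".cdn.ampproject.org"


def unwrap_amp_url(url: str) -> Optional[str]:
    """Return the origin URL an AMP viewer/cache URL points at, or None if
    `url` is not an AMP-wrapped link.

    Assumed layouts (not taken from the article):
      https://www.google.com/amp/s/example.com/p            -> https://example.com/p
      https://www.google.com/amp/example.com/p              -> http://example.com/p
      https://example-com.cdn.ampproject.org/c/s/example.com/p -> https://example.com/p
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path)
    if host in AMP_VIEWER_HOSTS and path.startswith("/amp/"):
        rest = path[len("/amp/"):]
    elif host.endswith(AMP_CACHE_SUFFIX) and path.startswith("/c/"):
        rest = path[len("/c/"):]
    else:
        return None
    # An "s/" segment marks an https origin; otherwise the origin is http
    scheme = "http"
    if rest.startswith("s/"):
        scheme = "https"
        rest = rest[2:]
    origin_host, _, origin_path = rest.partition("/")
    if not origin_host:
        return None
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{origin_host}/{origin_path}{query}"


def amp_link_mismatch(url: str, expected_host: str) -> bool:
    """True when an AMP-wrapped link resolves to a host other than the one a
    genuine message from `expected_host` would use (e.g. a reset link that
    claims to be Google's but lands on an attacker-controlled site)."""
    origin = unwrap_amp_url(url)
    if origin is None:
        return False
    return (urlsplit(origin).hostname or "").lower() != expected_host.lower()
```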

How could Fancy Bear, a Russian hacker group with a reputation for exploiting vulnerabilities to conduct phishing attacks, let go of this opportunity?

Fancy Bear decided to exploit the AMP vulnerability to target a group of journalists ‘who were investigating allegations of corruption or other wrongdoing by people affiliated with the Russian government’, said Salon.

Hackers belonging to the group targeted Aric Toler, an investigative journalist, as well as several of his colleagues with fake password-reset messages sent to their personal accounts. The messages asked them to click on Google AMP URLs to reset their passwords, supposedly to protect themselves from hacking attempts. These AMP URLs redirected to fake websites designed to steal credentials from unsuspecting visitors.

While Toler and his colleagues did not fall for the phishing scam, another journalist named David Satter, who also covered topics related to Russia, fell victim to the scam. Once he received a password reset email, he clicked on the accompanying Google AMP URL and was redirected to a website which stole his credentials. Soon afterward, a malicious program logged into his personal account and downloaded all its contents. A number of Satter’s documents were later published online and even altered by hackers to defame Putin’s opponents.

“A huge reason that phishing works is that most people just aren’t technically savvy enough to tell a phony-looking URL from a legitimate one. But a URL that really is coming from the domain — that’s the sort of link that even a web developer might think looks legit, especially at a glance,” said John Gruber, a software developer.

Despite Fancy Bear successfully exploiting the AMP vulnerability, Google has done little to assure critics and developers that it is serious about fixing the issue. The company says that it is protecting AMP URLs with ‘Safe Browsing’ technology, but that technology looks for multiple login attempts or mass reports and will not stop small-scale phishing scams.

While Google has promised to do more, critics are urging the company to delink AMP from its own interests and to make the platform a facilitator for the Open Web by showing original domain names instead of Google AMP URLs. This way, hackers will not be able to use the Google URL to scam users, and domain owners will also get recognition for the content that they publish.

“This report of an ongoing security issue is troubling and exactly why consolidation of power and closed standards are problematic. The sooner AMP migrates to the open web and becomes less tied to the interests of Google, in every way the better,” said Jason Kint, CEO of a web publishing trade association, to Salon.

Copyright Lyonsdown Limited 2021
