Scammers are using the Google Maps URL-sharing feature to direct victims not to Maps but any shady website the crooks want.
According to security firm Sophos, scammers are taking advantage of the fact that the URL-sharing feature in Google Maps isn't an official product and lacks a mechanism for reporting scammy links.
That's unlike Google's soon-to-be retired URL shortener goo.gl, which can be used to conceal links to malware or phishing sites, but which also has a simple way for recipients to report scam links.
The scam messages Sophos observed actually used both a goo.gl URL and a Google Maps-shared URL as part of a scheme to redirect victims to a Russian page hosting a diet-pill scam targeting English speakers.
"Between the legitimate Google URL shortener you'd probably trust, and the Russian URL you probably wouldn't, the redirection chain bounces you through another Google URL belonging to Google Maps," writes Sophos researcher Mark Stockley.
Scammers shouldn't be able to use official Google Maps URLs to redirect users to any site they choose, but they can because of an open redirection vulnerability affecting the maps.app.goo.gl service, according to Stockley.
Another advantage for scammers of the Google Maps URL-sharing feature is that, unlike with goo.gl, Google doesn't collect analytics on it, and setting up the bogus URLs doesn't require using a Google console.
Instead, the attacker can simply append the site they want victims redirected to at the end of the Maps URL, in the link parameter.
Stockley's harmless example is 'https://maps.app.goo.gl/?link=https%3A%2F%2Fexampl...', which takes the user to example.org.
An easy way for Google to prevent its Maps URLs from being used in this scam is to reject any link parameter whose URL doesn't point to Google Maps.
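As an added illustration of that fix (not code from Sophos or Google), the check below parses the link parameter of a share URL and allows it only when the exact host is on an assumed allowlist of Maps hosts; it is shown beside a naive substring check that still lets the redirect through.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of hosts a Maps share link may forward to (not Google's real list).
ALLOWED_HOSTS = frozenset({"maps.google.com", "www.google.com"})


def extract_link(share_url):
    """Return the (URL-decoded) 'link' parameter of a share URL, or None if absent."""
    values = parse_qs(urlsplit(share_url).query).get("link")
    return values[0] if values else None


def naive_is_allowed(share_url):
    """Substring check: the kind of validation that still permits an open redirect."""
    link = extract_link(share_url)
    return link is not None and "google.com" in link


def strict_is_allowed(share_url):
    """Allow only https links whose exact hostname is on the allowlist.

    Rejects userinfo tricks (https://maps.google.com@evil.example), look-alike
    subdomains (maps.google.com.evil.example), scheme-relative links (//evil.example)
    and a trusted name buried in the path or query of some other host.
    """
    link = extract_link(share_url)
    if link is None:
        return False
    parts = urlsplit(link)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_HOSTS  # hostname is lowercased, port stripped


# Constructed sample share URLs; the first is legitimate, the rest carry off-site links.
SAMPLE_SHARE_URLS = [
    "https://maps.app.goo.gl/?link=https%3A%2F%2Fmaps.google.com%2Fmaps%3Fq%3Dparis",
    "https://maps.app.goo.gl/?link=https%3A%2F%2Fexample.org%2F",
    "https://maps.app.goo.gl/?link=https%3A%2F%2Fexample.org%2F%3Fref%3Dmaps.google.com",
    "https://maps.app.goo.gl/?link=https%3A%2F%2Fmaps.google.com%40evil.example%2F",
    "https://maps.app.goo.gl/?link=https%3A%2F%2Fmaps.google.com.evil.example%2F",
]

if __name__ == "__main__":
    for url in SAMPLE_SHARE_URLS:
        print(f"naive={naive_is_allowed(url)!s:5} strict={strict_is_allowed(url)!s:5} {url}")
```

Only the first sample passes the strict check; the naive check also waves through the last three because the string "google.com" appears somewhere in them.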