Scammers are using the Google Maps URL-sharing feature to direct victims not to Maps but to any shady website the crooks want.
According to security firm Sophos, scammers are taking advantage of the fact that the URL-sharing feature in Google Maps isn't an official product and lacks a mechanism for reporting scammy links.
That's unlike Google's soon-to-be-retired URL shortener goo.gl, which can also be used to conceal links to malware or phishing sites, but which at least gives recipients a simple way to report scam links.
The scam messages Sophos observed actually used both a goo.gl URL and a Google Maps-shared URL as part of a scheme to redirect victims to a Russian page hosting a diet-pill scam targeting English speakers.
"Between the legitimate Google URL shortener you'd probably trust, and the Russian URL you probably wouldn't, the redirection chain bounces you through another Google URL belonging to Google Maps," writes Sophos researcher Mark Stockley.
Scammers shouldn't be able to use official Google Maps URLs to redirect users to any site they choose, but they can, due to an open-redirection vulnerability affecting the maps.app.goo.gl service, according to Stockley.
Another advantage for scammers of the Google Maps URL-sharing feature is that, unlike goo.gl, Google doesn't collect analytics on it, and setting up the bogus URLs doesn't require using a Google console.
Instead, the attacker simply appends the site they want victims redirected to as the value of the link parameter at the end of the Maps URL.
Stockley's harmless example is 'https://maps.app.goo.gl/?link=https%3A%2F%2Fexampl...', which takes the user to example.org.
An easy way for Google to stop its Maps URLs being used in this scam is to reject any URL in the link parameter that doesn't point to Google Maps.
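To make the fix concrete, here is an added example (not Google's code, and not from the Sophos write-up) contrasting a redirector that forwards wherever the link parameter points with one that enforces the allowlist the article suggests. The allowed hosts, the function names and the fallback URL are assumptions for illustration; the sample request URLs are constructed.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed allowlist of destinations a Maps redirector should forward to.
# Exact host matching is deliberate: suffix checks like endswith("google.com")
# would also accept "notgoogle.com".
ALLOWED_HOSTS = {"maps.google.com", "www.google.com", "google.com"}

FALLBACK = "https://maps.google.com/"  # assumed safe landing page


def unsafe_redirect_target(request_url: str) -> Optional[str]:
    """Vulnerable behaviour: return the link parameter as-is, whatever it points to.

    This mirrors the open redirect described in the article: the parameter is
    trusted, so any destination becomes a "Google" link.
    """
    query = parse_qs(urlparse(request_url).query)
    values = query.get("link")
    return values[0] if values else None


def safe_redirect_target(request_url: str, fallback: str = FALLBACK) -> str:
    """Hardened behaviour: only forward when the link is an http(s) URL whose
    host is on the allowlist; otherwise send the user to the fallback page."""
    target = unsafe_redirect_target(request_url)
    if target is None:
        return fallback

    parsed = urlparse(target)

    # Reject scheme-relative ("//evil.example") and non-web schemes
    # ("javascript:", "data:") outright.
    if parsed.scheme not in ("http", "https"):
        return fallback

    # .hostname strips userinfo and port, so "https://maps.google.com@evil.example/"
    # correctly yields "evil.example" rather than the decoy prefix.
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return fallback

    return target


if __name__ == "__main__":
    # Constructed request URLs exercising the common bypass shapes.
    samples = [
        "https://maps.app.goo.gl/?link=https%3A%2F%2Fexample.org",
        "https://maps.app.goo.gl/?link=https%3A%2F%2Fmaps.google.com%2Fmaps%3Fq%3Dparis",
        "https://maps.app.goo.gl/?link=https%3A%2F%2Fmaps.google.com%40evil.example%2F",
        "https://maps.app.goo.gl/?link=%2F%2Fevil.example",
        "https://maps.app.goo.gl/?link=javascript%3Aalert(1)",
        "https://maps.app.goo.gl/",
    ]
    for url in samples:
        print(f"{url}\n  unsafe -> {unsafe_redirect_target(url)}\n  safe   -> {safe_redirect_target(url)}")
```

The hardened check validates the parsed host, not the raw string, which is what defeats the userinfo and scheme-relative tricks; a defender reviewing a redirector should also confirm the allowlist does not include the redirector's own host, or the check can be chained back through itself.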