Scam sites have been abusing a little-known feature on Google Maps to redirect users to dodgy websites.
That's according to security company Sophos, which says a number of shady pages are being peddled to users via obfuscated Maps links.
Scammers are using the Maps API as a de facto link-shortening service, hiding their pages as redirects within Maps links.
The reason for this is Google's recent efforts to get rid of its Goo.gl URL-shortening service. The link-shortening site is a favorite for scammers looking to hide the actual address of pages.
"Of course Google doesn’t stand for iffy links," Sophos says, "so spammy Goo.gl URLs are almost as easy to report as they are to create."
Without Goo.gl to pick on, scammers are now abusing a loophole in the Maps API that allows for redirects to be put into Google Maps URLs. This allows the attackers to chain the links to their scam pages within a link to Google Maps, essentially creating a more trustworthy URL that users are more likely to follow.
The trick also has the benefit of being harder to catch and shut down than links made with the well-policed Goo.gl service. Because it uses Google Maps, there's no reporting structure in place to get the scammers shut down, and the scammers don't have to use a Google-owned interface or API to do it.
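With no reporting channel to lean on, the check has to happen on the receiving side. The following is an added example, not code from Sophos or the original article: a Python routine a mail or proxy filter could use to flag links on a Maps host whose query string carries an absolute URL for some other site. The host list, the parameter name `u` and the sample links are assumptions constructed for illustration, since the article does not give the actual URL format.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Hosts treated as trusted "wrappers"; this list is an assumption for the example.
WRAPPER_HOSTS = {"maps.google.com", "www.google.com"}
MAX_DECODE_ROUNDS = 3  # the hidden target may be percent-encoded more than once


def _decode_fully(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_targets(url):
    """Return external hosts hidden in the query string of a wrapper-host URL."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in WRAPPER_HOSTS:
        return []
    found = []
    # The check is parameter-name agnostic: every query value is inspected.
    for _name, raw in parse_qsl(parts.query, keep_blank_values=True):
        candidate = _decode_fully(raw).strip()
        if candidate.startswith("//"):  # scheme-relative target
            candidate = "https:" + candidate
        try:
            inner = urlsplit(candidate)
        except ValueError:  # malformed value, e.g. a broken IPv6 literal
            continue
        inner_host = (inner.hostname or "").lower()
        if inner.scheme in ("http", "https") and inner_host \
                and inner_host not in WRAPPER_HOSTS:
            found.append(inner_host)
    return found


# Constructed sample links; the parameter name "u" is hypothetical.
SAMPLES = [
    "https://maps.google.com/?u=https%3A%2F%2Fpills.example%2Foffer",
    "https://maps.google.com/?u=https%253A%252F%252Fpills.example%252F",
    "https://maps.google.com/?q=coffee+near+me",
    "https://pills.example/?u=https%3A%2F%2Fmaps.google.com%2F",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", embedded_targets(link) or "no embedded redirect")
```

A filter can then show the user the embedded host, or apply its normal reputation lookup to that host instead of to the Maps domain that wraps it.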
This isn't the first time Google's URL-managers have been found to be open for abuse. In 2016, researchers disclosed that flaws in Goo.gl, among other link-shorteners, could be exploited to track users and harvest personal information. ®