Google is very quick to pillory others who take security lightly. Yet for many years it has failed to get its own redirect services under control. Time and again, e-mails land in inboxes with links to www.google.de, and a click takes the user to a well-made phishing page.
Phishing to perfection
Current phishing campaigns are once again aimed at Amazon sellers. Masses of e-mails arrive with subjects such as “You have had a comment and negative feedback” and a complaint along the lines of “What about my package?”. Hovering the mouse over “Check the order status” shows a URL containing “www.google.de”. Clicking it lands on a well-made Amazon login page whose URL begins with “https://sellercentral.amazon”.
On closer inspection the phishing site gives itself away. Someone in a hurry who nevertheless wants to deal quickly with dissatisfied customers, however, may easily overlook the telltale domain ending (in this case “.ind0162.theworkpc.com”), which shows that the host belongs to someone else entirely, and hand their credentials to the phisher free of charge.
Bad when others do it
If a page like Google's here performs an automatic redirect and third parties can specify any external page as the target, this is called an open redirect; the OWASP lists this in its Common Weakness Enumeration as CWE-601. Anyone who tolerates such a thing on their server and does not remove it even after repeated warnings risks landing on blocklists, especially if the open redirect is continuously used for phishing. If in doubt, Google itself, with its Safe Browsing project, would be at the forefront of that blocking.
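As an added example (not from the article and not Google's code), the following shows a redirect handler in the open-redirect form described above beside a hardened version that only follows destinations on a fixed allow-list of hosts; the host names and the fallback path are constructed for the illustration.

```python
from urllib.parse import urlparse, urlunparse

# Constructed allow-list: the only external hosts this service may redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}


def naive_redirect_target(target: str) -> str:
    """Open redirect (CWE-601): whatever the caller puts in the parameter is followed.

    A phishing mail can point at this endpoint with the attacker's site as the
    target, and the victim only sees the trusted host in the link.
    """
    return target


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Hardened form: follow only local paths or https URLs to allow-listed hosts."""
    # Browsers treat backslashes like slashes, so normalise before parsing;
    # otherwise "/\evil.test" would pass a naive "starts with a single slash" test.
    cleaned = target.replace("\\", "/").strip()
    parsed = urlparse(cleaned)

    # Relative path on this site: no scheme, no host, and not scheme-relative "//host".
    if not parsed.scheme and not parsed.netloc and cleaned.startswith("/") \
            and not cleaned.startswith("//"):
        return cleaned

    # Everything else must be https to a known host. urlparse().hostname drops any
    # user-info prefix, so "https://www.example.com@evil.test" resolves to evil.test.
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https" or host not in ALLOWED_HOSTS:
        return default

    # Rebuild the URL from the validated parts (drops credentials, port and fragment).
    return urlunparse(("https", host, parsed.path or "/", parsed.params, parsed.query, ""))


if __name__ == "__main__":
    for lure in ("https://www.example.com/orders?id=1", "https://evil.test/login",
                 "//evil.test/", "/\\evil.test", "https://www.example.com@evil.test/"):
        print(f"{lure!r:45} naive -> {naive_redirect_target(lure)!r:40} "
              f"safe -> {safe_redirect_target(lure)!r}")
```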
However, other rules apparently apply to Google itself: Google has been operating open redirects for years, phishers have been abusing them for years, and this has been publicly denounced for years, most recently on heise Security in January (“Phishing: Dangerous Google links”). So even though this is no longer news, we will keep reporting it, monthly if need be.