Google Maps Has a Nasty Scam Link Problem

A new link exploit is targeting Google Maps, hiding potentially malicious sites behind legitimate Google Maps links so you won't see them.

Credit: Google

This information comes by way of Naked Security, a blog run by British antivirus maker Sophos. Mark Stockley, the post’s author, got a message from an old Skype contact. Following the link led to a run-of-the-mill Russian website hawking weight-loss pills in English — with a quick pit stop in Google Maps first. The scammer had taken advantage of a little-known flaw in the Google Maps app, which allowed him or her to leverage a legitimate site to spread snake oil.

What to Do

The good news is that avoiding the Maps redirect is as simple as avoiding any other shady link online. Don’t click on unsolicited links, and think very carefully about clicking on links that come from trusted contacts if the situation looks fishy.

A good antivirus program on your computer or phone will prevent you from loading a questionable page, and most web browsers do a good job of blocking anything outright malicious. (There is a difference between a Russian quack selling nostrums and a site that tries to download a keylogger onto your machine, for example.)

The bad news is that Google seems to have known about the flaw since September 2017, and hasn’t done anything to remedy it yet. Perhaps the company doesn’t view it as necessary, since taking full advantage of the exploit requires goo.gl, which shut down officially on April 13 — sort of. Registered Google users can still create goo.gl links, and it’s not hard to imagine a cybercriminal having a few throwaway accounts for just such a purpose. Goo.gl links will continue functioning until Mar. 30, 2019, but Google users may be more or less on their own until then.

How the Exploit Works

By using a goo.gl link after an "https://maps.app" URL, a scammer can redirect an unsuspecting user to any site he or she chooses. The veneer of Google Maps respectability works on two fronts: First, a user who sees the link will assume it’s legitimate, since maps.app is a real Google URL. Second, web browsers may allow users to click on the unsavory links, since they will parse them as part of Google Maps rather than as potentially harmful sites.

And yes, the exploit is really just as simple to use as it sounds. Just try clicking on https://maps.app.goo.gl/?link=https://www.tomsguide.com if you don’t believe me; feel free to insert your favorite URL instead and see how well it works. Now imagine putting that link into a URL shortener, and it’s not hard to see how you could trick a whole lot of unsuspecting users into clicking on it.
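For anyone filtering mail or chat messages, the link pattern described above can be checked mechanically. The following Python is an added example, not code from the original article, Sophos or Google; the trusted-destination list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REDIRECTOR_HOST = "maps.app.goo.gl"   # host named in the article
REDIRECT_PARAM = "link"               # query parameter named in the article
TRUSTED_SUFFIXES = ("google.com",)    # assumption: destinations still accepted
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _host(url):
    """Lower-cased hostname of url, or '' if it has none or cannot be parsed."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def _trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def redirect_target(url):
    """Return the outside destination carried by a Maps short link, else None."""
    if _host(url) != REDIRECTOR_HOST:
        return None
    for value in parse_qs(urlsplit(url.strip()).query).get(REDIRECT_PARAM, []):
        # parse_qs decodes once; a second decode keeps a double-encoded
        # destination from slipping past the filter.
        for candidate in (value, unquote(value)):
            host = _host(candidate)
            if host and not _trusted(host):
                return candidate
    return None

def scan_message(text):
    """Return (link, hidden destination) pairs found in a message body."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")
        target = redirect_target(url)
        if target:
            hits.append((url, target))
    return hits

# Constructed sample message: one disguised link, one ordinary Maps short link.
SAMPLE = ("hey, look at this https://maps.app.goo.gl/?link=https://pills.example/buy, "
          "and the meeting spot is https://maps.app.goo.gl/AbCdEf123")

if __name__ == "__main__":
    for link, target in scan_message(SAMPLE):
        print(f"{link} -> {target}")
```

A filter built this way reports the real destination next to the Google-looking link, so the destination rather than the wrapper can be judged or blocked.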

As usual, vigilance is the best defense against this kind of vulnerability. Avoid clicking on shady links, keep an antivirus program running, and you shouldn’t have anything to worry about. If nothing else, it helps prove Google’s point about why shutting down goo.gl is a good idea.