The Mac Security Blog

Scammers using new trick in phishing text messages: Google redirects

In recent months, scammers have been increasing their exploitation of legitimate online services from major companies. The latest company to have one of its services exploited is Google.

This round of scams takes advantage of Google redirect URLs. It works around an Apple feature designed to protect users from phishing links sent via text messages.

Here’s how you can recognize, avoid, and report these scams.

Scammers exploit Google redirect URLs to send phishing links

First, let’s take a look at an example of what a scam text message might look like. This example comes from a campaign that’s currently targeting people who live near major cities, with a fake unpaid parking invoice.

Phishing scam text message exploiting a Google redirect URL. Image: BleepingComputer

This particular example says, “This is a final reminder from City of New York regarding the unpaid parking invoice. A $35 daily overdue fee will be charged if payment is not made today.” Next comes a link beginning with https://google.com/url?q= followed by a phishing site’s address.

Because the URL does indeed go to google.com—a site that Apple has put on a whitelist of trusted sites—the Messages app on iPhone makes this link tappable. This is in spite of the fact that it arrived in an unsolicited text message from a phone number that isn’t in the recipient’s contacts.

If an unsuspecting recipient taps on the link, they’ll be taken to a Google interstitial page that says, “The previous page is sending you to” followed by a link to the phishing scam site. If a user proceeds by tapping on that link, Google will, indeed, send them to the malicious site.

A Google redirect interstitial page that would take victims to a phishing page.

Is Apple or Google at fault for enabling these scam links?

Who exactly is to blame for this failure to protect users: Apple or Google? One could make an argument that both are in the wrong.

Apple could perhaps be forgiven for whitelisting Google.com, in general; this seems fairly reasonable. However, perhaps Apple should exclude the string google.com/url from its whitelist, since these always lead to redirection pages, which may contain dangerous or malicious links. Furthermore, Apple may want to avoid enabling tappable links in all unsolicited messages—regardless of whether they link to a “trusted” site like Google.

Google, for its part, needs to do a better job of assessing potentially dangerous sites, and avoid linking to them. Even several days after BleepingComputer published a report warning about this particular phishing domain, Google still allows users to visit the interstitial page and tap through to what was a known harmful site. (The site currently appears to be offline, as of the time of this writing.)
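The exclusion suggested above can be expressed as a check that judges a link by its final destination rather than by the host it first points to. The following is an added example, not code from Apple, Google, or the original article. The allowlist contents, the function names, and the `.example` domain are assumptions made for illustration, and only the `q` parameter described in this article is handled.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for illustration; the article only says google.com is on Apple's list.
TRUSTED_HOSTS = {"google.com", "www.google.com"}
# Redirector endpoints on trusted hosts, mapped to the parameter holding the destination.
REDIRECTORS = {("google.com", "/url"): "q", ("www.google.com", "/url"): "q"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _endpoint(url):
    """Split a URL into (lowercased host, path without trailing slash, query)."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/"), parts.query


def unwrap(url, max_hops=5):
    """Peel redirector wrappers offline (no requests) and return the innermost URL."""
    for _ in range(max_hops):
        host, path, query = _endpoint(url)
        param = REDIRECTORS.get((host, path))
        targets = parse_qs(query).get(param, []) if param else []
        if not targets:
            return url
        target = targets[0]
        url = target if "://" in target else "http://" + target
    return url


def evaluate_link(url):
    """Return (tappable, destination), judging the link by where it finally points."""
    dest = unwrap(url)
    host, path, _ = _endpoint(dest)
    if (host, path) in REDIRECTORS:  # bare or too deeply nested redirector
        return False, dest
    return host in TRUSTED_HOSTS, dest


def scan_message(text):
    """Evaluate every URL found in a message body."""
    return [(u.rstrip(".,)"), *evaluate_link(u.rstrip(".,)"))) for u in URL_RE.findall(text)]


# Constructed sample modeled on the parking-invoice text; the .example domain is a placeholder.
SAMPLE = ("This is a final reminder from City of New York regarding the unpaid "
          "parking invoice. https://google.com/url?q=https://pay-invoice.example/nyc")

if __name__ == "__main__":
    for original, tappable, dest in scan_message(SAMPLE):
        print(f"{original}\n  tappable={tappable} destination={dest}")
```

An ordinary google.com link still passes this check, while a redirect wrapper is only as trusted as the site it resolves to.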

Alternate version: ‘Reply Y and reopen, or copy and paste into Safari’

You should also beware of a variation of this scam that’s quite common. Instead of a tappable link redirecting through a domain that Apple considers to be safe, some scam text messages give users instructions on how to enable the link, or visit the site another way.

Phishing scam text message asking the user to reply and reopen, or copy and paste into Safari.

This particular text message said that I needed to “Please pay for FasTrak Lane” by a certain date “In order to avoid excessive late fees and potential legal action on the bill.” After giving a URL (which used a tricky hyphen in place of a slash, as we reported previously), the message goes on to say the following:

(Please reply Y, then exit the text message and open it again to activate the link, or copy the link to your Safari browser and open it)

That should be a red flag; it’s an awful lot of hoops to jump through. This is similar to how some Trojan-horse Mac malware tries to get users to go through an elaborate process to open it—rather than simply dragging it to the Applications folder or double-clicking an installer.

What should you do if you receive a scam text message?

If you get a text message that you’re confident is a scam, tap on “Report Junk.” You’ll be asked to confirm: “Report this conversation as junk by sending it to [your carrier] and Apple from your phone number.” Tap the “Delete and Report Junk” button to proceed.

How can I learn more?

We’ve previously covered tons of similar scams; check out these articles for additional details:
