It seems everyone uses Google's free services. Its search engine is Rebecca Love - Bewitched Housewives (2007)the most-trafficked website in the world. Over a billion people depend on Gmail for their email messaging. Google Meet provides multi-user remote video conferencing at absolutely no cost.
And more and more bad actors are utilizing Google Sites to defraud and scam internet users everyday. Wait…what?
Google has a problem. While its free services are great at making online tools more accessible to people around the globe, they also give scammers an easy way to set up shop. Without having to unveil their identities via credit card or billing address to make a payment, fraudsters can easily weaponize these products to carry out their scams.
Most people are familiar with products like Gmail and Google Meet and know that anyone can use these services. But Google Sites is a much lesser-known service. And the Google Sites service, which allows users to create web pages, provides a huge assist to scammers looking to hide under a veil of trustworthiness: a website under the Google.com domain name.
"On Google Sites, we explicitly prohibit phishing and we invest heavily in detecting, deterring, and removing abuse from our platforms,” said a Google spokesperson in a statement provided to Mashable.
Google is aware of the issue. However, the scams enabled by Google Sites persist. And they are not hard to find.
Phishing is a classic online scam tactic in which a bad actor copies the web designs of trusted websites, like a user's bank, in order to trick the individual into inputting their sensitive information so the scammer can access it. These scammers have found success creating these phishing websites on Google Sites.
"I first encountered this scam myself whilst looking on Google for 'Google Ads,'" SEO consultant Matt Tutt said to Mashable.
Tutt had previously written about his own personal experiencecoming across the Google Sites scams in 2020. Like many people, Tutt decided to just Google the website he wanted to visit instead of directly typing the URL in his web browser's address bar. He clicked the first link — a Google ad — on the search results page, assuming it would be the official Google Ads website.
This Tweet is currently unavailable. It might be loading or has been removed.
"It looked fairly legit, and honestly, I probably had my guard down, as I'd not have imagined someone apart from Google could run ads for the keyword 'Google Ads,'" he explained. "I was presented with the standard Google Ads homepage — or at least I thought I was! When I went to log in, I noticed the URL was slightly different, and that's when it struck me: I wasn't on the official Google Ads site."
"Luckily, I hadn't entered my login credentials, but it struck me how easily I was nearly fooled, considering I work as an SEO specialist and have done so for over 10 years!" Tutt continued.
If he had entered his password on that fake Google Ads page, he would have sent his credentials directly to a scammer. And if these Google Sites phishing pages could nearly trick a professional who works in search, like Tutt, there's a good chance scammers are succeeding with less savvy individuals.
The problem is that every page published with Google Sites is accessible under the URL structure "sites.google.com." And, from cybersecurity experts to tech-savvy family members, anyone who's ever tried to educate people on how to avoid phishing scams has always stressed the importance of looking at the URL. If it isn't one you trust, you shouldn't click, nor should you provide any sensitive information on the page. It is a very good tip. But scammers are constantly evolving. Over the years, they have upgraded their tactics and have weaponized subdomains, like "YourBank.ScammersDomain.com." In turn, users have specifically been told to look for the word right before the domain extension ".com." If it's unfamiliar to you, you probably shouldn't trust it.
But every user-generated webpage published with Google Sites is accessible via the "sites.google.com" URL. Even a scammer's phishing website, which may go by "sites.google.com/yourbank." The main keyword right before the ".com" is Google, right? The mega Big Tech corporation. The world's largest search engine. The most popular website on earth. If that's not a trustworthy domain, then nothing could be, right? And that's why scammers love Google Sites.
The scammer that almost fooled SEO consultant Tutt displayed some serious bravado in targeting those who were likely more tech-savvy than most. But most of these Google Site scammers have their sites set on much easier targets.
I first came across just how bad the Google Sites scams had become when a family member fell victim to one. Looking to activate YouTube on their television, a relative Google-searched the YouTube TV activation URL instead of inputting it into the web browser directly. A Google Sites phishing page popped up on the first page of Google, mimicking the look of an official YouTube site. In my investigation, I saw just how high Google was ranking a phishing site on the first page for a search query of their own sister company, YouTube. Because Google ranks Google Sites pages highly, these phishing pages enjoy prime spots for many related search terms.
A screenshot showing how high Google Sites phishing scams targeting YouTube users ranked on Google Search from August 2021. Credit: Mashable Screenshot The site instructed the family member to input the provided code to activate YouTube on their television. Of course, it didn't work. The Google Site was set up for that to happen. The scam website then informed my family member that they needed to call a telephone number to activate YouTube on their TV. When they called the number, they were connected directly to a scammer who was able to scam them out of hundreds of dollars in the belief that these were small, temporary charges that were only used to confirm activation of their YouTube account on their TV set.
Since that piece was published last year, I have heard from a handful of readers who have fallen for similar scams utilizing Google Sites, such as one that scammed users looking to activate Amazon's Prime Video.
In 2020, the cybersecurity firm Armorblox releaseda report about a growing phenomenon: Scammers weaponizing free Google services like Google Docs, Google Form, and, of course, Google Sites.
From American Express to Microsoft Teams to a targets' payroll provider, Armorblox sussed out a slew of various brand impersonation phishing schemes using these free services like Google Sites.
"Though Google…[does] remove many of these, they are slow to respond to emerging attacks, leaving the attacker with days, if not weeks, to launch attacks," Armblox chief information security officer Brian Johnson said to Mashable. "The game of Whac-A-mMole to get these taken down is a neverending battle."
While the free nature of Google Sites and the cloak of the Google.com domain are huge factors in why they attract bad actors, there are more technical reasons, too.
"Due to these URLs and domains being used for several legitimate purposes, native email security filters are unlikely to block these inherently trustworthy links," explained Johnson.
Plus, Johnson says, when Google does get around to taking down a phishing website, the scammer can quickly get everything back up and running.
"They make it so easy to use and throw and set up another account again," he continued. "This allows attackers to keep launching a steady stream of attacks even when they are taken down."
While Google has responded to Google Sites scams and shut down many phishing pages, that has not deterred scammers. And it may not be all that shocking to find where these bad actors are seeing money signs next: Cryptocurrency.
A new report from cybersecurity company Netskope found that throughout this past year, scammers are weaponizing Google Sites pages in order to steal people's crypto wallet and account credentials from platforms like MetaMask and Coinbase.
The report by Netskope provides an example of a Google Sites phishing page besides the MetaMask homepage it has copied. Credit: Netskope These scams work pretty much the same way other Google Sites scams work. The scammer creates a page that looks like the MetaMask or Coinbase login page; it provides users with the option of providing their username and password or secret recovery phrase to log in. Of course, once the user inputs that information, they are not actually logging into their crypto wallet or crypto exchange account. They are simply handing their account information over to the scammer.
SEE ALSO: The biggest crypto scams of 2022 (so far)One interesting difference noted by Netskope: With the crypto-related Google Sites scams, the scammers are very proactive. In prior Google Sites phishing schemes, most scammers seemed to sit back and let Google Search provide them with unlimited fresh targets, willingly inputting their private information or calling fake support numbers. Netskope's report found that many crypto scam Google Sites pages are actually being scammed on blogs and social media posts around the web.
Be on the lookout for that "sites" subdomain before the "Google.com" URL the next time you come across a webpage that looks to be from the most trustworthy domain name on earth. It just might be a scammer.
Topics Cybersecurity Google
Previous:Against Fear
Get the official Atari 7800+ Console for 50% off
Periwinkle, the Color of Poison, Modernism, and Dusk by Katy Kelleher
Best smartphone deal: Get the Samsung Galazy Z Fold 5 for $300 off
Listening for Ms. Lucille by Aracelis Girmay
8 Years Later: Does the GeForce GTX 580 Still Have Game in 2018?
The Art of Distance No. 18 by The Paris Review
What Our Contributors Are Reading This Summer by The Paris Review
Best music deal: Get a free 3
Best robot vacuum deal: Eufy Omni C20 robot vacuum and mop $300 off at Amazon
The Pain of the KKK Joke by Hope Wabuke
Nvidia DLSS: An Early Investigation
Kim Kardashian's once
Best FitBit deal: FitBit Sense 2 for $100 off
Masks at Twilight by The Paris Review
Why Building a Gaming PC Right Now is a Bad Idea, Part 3: Bad Timing
Manduka sale: Save on yoga essentials today at Amazon
Redux: A Aries, T Taurus, G Gemini by The Paris Review
Best free online courses from Harvard University
Amazon Spring Sale 2025: Best LG OLED TV deal
A Little Fellow with a Big Head by Margaret Jull Costa
India gives legal human status to two of its oldest riversFinally, there's a reason to play 'Diablo III' on consoles againThink your groceries are expensive? Japan has $27,000 melons.Does AppleCare care about the electronics travel ban? Maybe!'Shots Fired' is the most vital show on TV right nowFunny or Die takes on the absurdity of rape kit testing in '80s spoofThis mum's wellThis 'Time' cover will give you a reality check about Trump's AmericaInstagram will soon censor sensitive content in your feedSister, SisterMillennials can't shut up about sex, blame the internetConfused? Here's how to get your laptop to your destinationYouTube really wants you to watch this stopThis startup wants to send electric planes from London to Paris within 10 yearsBoiled eggsEarliest dinosaurs may have originally come from Britain, new study saysIndia gives legal human status to two of its oldest riversJoe Biden met a puppy named Biden and for a moment, the entire world stoppedKoalas don't like water but they're being 'driven to drink' by climate changeYouTube really wants you to watch this stop NYT Connections hints and answers for May 17: Tips to solve 'Connections' #706. Chelsea vs. Manchester United 2025 livestream: Watch Women's FA Cup final for free Building a Small Form Factor Gaming System with the Silverstone Sugo SG10 and Haswell Hardware 'The Last of Us' Season 2, episode 6: The moth symbol, explained As Trump enables crypto corruption, Meta wants back in the stablecoin space Windows 8.1: Six Things Microsoft Got Right and Others That Are Still Missing Leinster vs. Glasgow Warriors 2025 livestream: Watch United Rugby Championship for free Best headphones deal: Save 42% on the Sony WH Why I Left Facebook After 7 Years, But Was Forced Back In Best Sony earbuds deal: Over $100 off Sony XM5 earbuds 8 Free to Play Games That Are Too Good to Be True How to unblock Pornhub for free in Montana Interview: 2Dawn Games on its upcoming shooter 'Ravaged' and life as an indie studio Interview with Malwarebytes' founder, Marcin Kleczynski Xbox One vs. PS4: How They Stack Up Today Best Fire Stick deal: Save $15 on Amazon Fire Stick HD Best Garmin deal: Save $100 on Garmin Venu 3S Anker SOLIX C1000 Power Station deal: Get $350 off AI job interviewers are going viral on TikTok How to unblock xHamster for free
2.1179s , 10182.1484375 kb
Copyright © 2025 Powered by 【Rebecca Love - Bewitched Housewives (2007)】,Evergreen Information Network