Google Maps Has a Nasty Scam Link Problem

A new link exploit is targeting Google Maps, hiding potentially malicious sites behind legitimate Google Maps links so you won't see them.

Credit: Google


This information comes by way of Naked Security, a blog run by British antivirus maker Sophos. Mark Stockley, the post’s author, got a message from an old Skype contact. Following the link led to a run-of-the-mill Russian website hawking weight-loss pills in English — with a quick pit stop in Google Maps first. The scammer had taken advantage of a little-known flaw in the Google Maps app, which allowed him or her to leverage a legitimate site to spread snake oil.


What to Do

The good news is that avoiding the Maps redirect is as simple as avoiding any other shady link online. Don’t click on unsolicited links, and think very carefully about clicking on links that come from trusted contacts if the situation looks fishy.

A good antivirus program on your computer or phone will prevent you from loading a questionable page, and most web browsers do a good job of blocking anything outright malicious. (There is a difference between a Russian quack selling nostrums and a site that tries to download a keylogger onto your machine, for example.)

The bad news is that Google seems to have known about the flaw since September 2017, and hasn’t done anything to remedy it yet. Perhaps the company doesn’t view it as necessary, since taking full advantage of the exploit requires goo.gl, which shut down officially on April 13 — sort of. Registered Google users can still create goo.gl links, and it’s not hard to imagine a cybercriminal having a few throwaway accounts for just such a purpose. Goo.gl links will continue functioning until Mar. 30, 2019, but Google users may be more or less on their own until then.

How the Exploit Works

By using a goo.gl link after an "https://maps.app" URL, a scammer can redirect an unsuspecting user to any site he or she chooses. The veneer of Google Maps respectability works on two fronts: First, a user who sees the link will assume it’s legitimate, since maps.app is a real Google URL. Second, web browsers may allow users to click on the unsavory links, since they will parse them as part of Google Maps rather than as potentially harmful sites.

And yes, the exploit is really just as simple to use as it sounds. Just try clicking on https://maps.app.goo.gl/?link=https://www.tomsguide.com if you don’t believe me; feel free to insert your favorite URL instead and see how well it works. Now imagine putting that link into a URL shortener, and it’s not hard to see how you could trick a whole lot of unsuspecting users into clicking on it.
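A defender-side check for the pattern described above, as an added example that is not from the original article: it unwraps the `link` parameter offline (no network requests) and flags maps.app.goo.gl URLs whose real destination lies outside Google. The wrapper host comes from the article; the expected-domain list, the depth limit and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Wrapper host is the one named in the article. The expected-destination
# suffixes and the depth limit are assumptions to tune for your environment.
WRAPPER_HOSTS = {"maps.app.goo.gl"}
EXPECTED_SUFFIXES = ("google.com", "goo.gl")
MAX_DEPTH = 5


def host_of(url):
    """Return the lower-cased hostname of url, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # e.g. a malformed IPv6 literal
        return ""


def is_expected(host):
    """True only for an exact match or a real subdomain of an expected suffix."""
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)


def final_destination(url):
    """Follow nested link= parameters on wrapper hosts and return the URL
    the user would actually land on. Purely string-based."""
    for _ in range(MAX_DEPTH):
        if host_of(url) not in WRAPPER_HOSTS:
            return url
        # parse_qs percent-decodes the value, so encoded targets are unwrapped too.
        targets = parse_qs(urlsplit(url).query).get("link")
        if not targets:
            return url  # ordinary short link, nothing to unwrap
        url = targets[0].strip()
    return url


def check_link(url):
    """Classify one URL, e.g. from a chat message or a proxy log."""
    url = url.strip()
    dest = final_destination(url)
    wrapped = dest != url
    dest_host = host_of(dest)
    return {
        "wrapped": wrapped,
        "destination_host": dest_host,
        "suspicious": wrapped and not is_expected(dest_host),
    }
```

The same function can be run over URLs extracted from mail, chat or proxy logs, so that filtering decisions are made on `destination_host` rather than on the Google hostname the user sees.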

As usual, vigilance is the best defense against this kind of vulnerability. Avoid clicking on shady links, keep an antivirus program running, and you shouldn’t have anything to worry about. If nothing else, it helps prove Google’s point about why shutting down goo.gl is a good idea.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 
