Google Maps Has a Nasty Scam Link Problem

A new link exploit is targeting Google Maps, hiding potentially malicious sites behind legitimate Google Maps links so you won't see them.

This information comes by way of Naked Security, a blog run by British antivirus maker Sophos. Mark Stockley, the post’s author, got a message from an old Skype contact. Following the link led to a run-of-the-mill Russian website hawking weight-loss pills in English — with a quick pit stop in Google Maps first. The scammer had taken advantage of a little-known flaw in the Google Maps app, which allowed him or her to leverage a legitimate site to spread snake oil.

What to Do

The good news is that avoiding the Maps redirect is as simple as avoiding any other shady link online. Don’t click on unsolicited links, and think very carefully about clicking on links that come from trusted contacts if the situation looks fishy.

A good antivirus program on your computer or phone will prevent you from loading a questionable page, and most web browsers do a good job of blocking anything outright malicious. (There is a difference between a Russian quack selling nostrums and a site that tries to download a keylogger onto your machine, for example.)

The bad news is that Google seems to have known about the flaw since September 2017, and hasn’t done anything to remedy it yet. Perhaps the company doesn’t view it as necessary, since taking full advantage of the exploit requires goo.gl, which shut down officially on April 13 — sort of. Registered Google users can still create goo.gl links, and it’s not hard to imagine a cybercriminal having a few throwaway accounts for just such a purpose. Goo.gl links will continue functioning until Mar. 30, 2019, but Google users may be more or less on their own until then.

How the Exploit Works

By using a goo.gl link after an "https://maps.app" URL, a scammer can redirect an unsuspecting user to any site he or she chooses. The veneer of Google Maps respectability works on two fronts: First, a user who sees the link will assume it’s legitimate, since maps.app is a real Google URL. Second, web browsers may allow users to click on the unsavory links, since they will parse them as part of Google Maps rather than as potentially harmful sites.

And yes, the exploit is really just as simple to use as it sounds. Just try clicking on https://maps.app.goo.gl/?link=https://www.tomsguide.com if you don’t believe me; feel free to insert your favorite URL instead and see how well it works. Now imagine putting that link into a URL shortener, and it’s not hard to see how you could trick a whole lot of unsuspecting users into clicking on it.
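For anyone filtering links in mail or chat, the redirect described above can be spotted by reading the `link` parameter rather than trusting the visible host. The following is an added example, not code from the article or from Google; the trusted-domain list and the sample URLs (other than the article's own) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECTOR_HOST = "maps.app.goo.gl"  # host named in the article
REDIRECT_PARAM = "link"              # parameter shown in the article's sample URL
# Assumption: destinations under these domains count as first-party.
TRUSTED_SUFFIXES = ("google.com", "goo.gl")


def _is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def redirect_target(url):
    """Return the off-site destination hidden in a Maps redirect link, else None."""
    try:
        parts = urlsplit(url.strip())
        if (parts.hostname or "").lower() != REDIRECTOR_HOST:
            return None
        # parse_qs percent-decodes values, so link=https%3A%2F%2F... is covered.
        for value in parse_qs(parts.query).get(REDIRECT_PARAM, []):
            dest = urlsplit(value)
            if dest.scheme in ("http", "https") and dest.hostname \
                    and not _is_trusted(dest.hostname):
                return value
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    return None


def flag_links(urls):
    """Map each suspicious URL to the site it actually leads to."""
    hits = {}
    for url in urls:
        target = redirect_target(url)
        if target:
            hits[url] = target
    return hits


# Constructed sample input; only the first URL appears in the article.
SAMPLE = [
    "https://maps.app.goo.gl/?link=https://www.tomsguide.com",
    "https://MAPS.APP.GOO.GL/?link=https%3A%2F%2Fpills.example%2Fbuy",
    "https://maps.app.goo.gl/?link=https://www.google.com/maps",
    "https://example.org/?link=https://pills.example",
]

if __name__ == "__main__":
    for url, target in flag_links(SAMPLE).items():
        print(f"{url} -> {target}")
```

A filter built on this would show the user the real destination, or hand it to the same reputation check applied to any other link.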

As usual, vigilance is the best defense against this kind of vulnerability. Avoid clicking on shady links, keep an antivirus program running, and you shouldn’t have anything to worry about. If nothing else, it helps prove Google’s point about why shutting down goo.gl is a good idea.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 
