
googleapis.com links used in unsolicited mails

Hello,

Criminals are more and more using googleapis.com links to redirect victims to their malicious website and track their victims.

An HTML file with the following content is often used:
<script>
var tarcking_param = window.location.href.split('#')[1];
var srv_ip = "[redacted]";
if(!tarcking_param){
alert("please set tracking params!");
}else{
document.location.href = 'http://'+srv_ip+'/t/'+tarcking_param;
}
</script> 

If a user is using https://support.google.com/code/contact/cloud_platform_report?hl=en to report the googleapis.com links, apparently no action is taken to remove the malicious content.

Any suggestions on how to stop these criminals?


Paul, would you please start by reporting the details of what you saw here: https://support.google.com/code/contact/cloud_platform_report?hl=en

I already did, but I noticed that content remains active for weeks after a report has been sent. These criminals can make a lot of victims in that period.

I'm re-reading your original post and failing to see how this would be abused. Sorry. Would you help me understand?

From the snippet, it seems like malicious content would have to be served from a URL like storage.googleapis.com. In fact, I think that would be the only googleapis.com domain from which you could serve something directly. And that would be a static file. If so, this usage pattern -- serving static content from Cloud Storage -- is widely used for reasonable purposes. Meaning, the issue seems to be that someone is using Google Storage to distribute malicious static content, not that a specific domain is used. The domain, based on what you say, matters only in that abuse reports that point to that domain appear not to get the attention. Is that what you are seeing?

Hello,

And how can you and I stop the criminals putting html files with this
reload script on storage.googleapis.com?

That is the issue which should be solved.

Thanks,

Paul
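
A defensive heuristic for the pattern discussed in this thread, added here as an example and not written by any participant: it flags HTML whose script reads the URL fragment and then navigates to a target built by string concatenation, and it lists mail links to storage.googleapis.com that carry a fragment. The function names, regular expressions and sample values (bucket names, token, the 192.0.2.10 documentation address) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Heuristics for the redirector quoted in the thread (assumed patterns, not a vendor signature).
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
FRAGMENT_READ = re.compile(r"location\.(?:hash|href\.split\(\s*['\"]#['\"]\s*\))")
NAVIGATION = re.compile(
    r"location(?:\.href)?\s*=(?!=)\s*([^;]+)|location\.(?:replace|assign)\(([^)]*)\)")
URL = re.compile(r"https?://[^\s\"'<>]+")

def is_fragment_redirector(html):
    """True if one script reads the URL fragment and navigates to a concatenated target."""
    for body in SCRIPT.findall(html):
        if not FRAGMENT_READ.search(body):
            continue
        for m in NAVIGATION.finditer(body):
            if "+" in (m.group(1) or m.group(2) or ""):  # destination built at runtime
                return True
    return False

def fragment_links(mail_text, host="storage.googleapis.com"):
    """Links to `host` that carry a fragment, i.e. a possible per-recipient tracking value."""
    hits = []
    for raw in URL.findall(mail_text):
        parts = urlsplit(raw.rstrip(".,)"))  # drop trailing sentence punctuation
        if parts.hostname == host and parts.fragment:
            hits.append(parts.geturl())
    return hits

# Constructed samples: bucket names, token and 192.0.2.10 (documentation range) are made up.
REDIRECTOR = """<script>
var p = window.location.href.split('#')[1];
var srv_ip = "192.0.2.10";
if (p) { document.location.href = 'http://' + srv_ip + '/t/' + p; }
</script>"""
BENIGN = """<script>
var tab = window.location.hash || '#home';
document.getElementById(tab.slice(1)).scrollIntoView();
</script>"""
MAIL = ("Invoice: https://storage.googleapis.com/example-bucket/a.html#u123 and "
        "manual: https://storage.googleapis.com/example-docs/manual.pdf.")

if __name__ == "__main__":
    print(is_fragment_redirector(REDIRECTOR), is_fragment_redirector(BENIGN))
    print(fragment_links(MAIL))
```

A hit from either function is a reason to quarantine or rewrite the link for review, not proof of abuse, since legitimate single-page sites also read the fragment.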