Educause Security Discussion mailing list archives

"Google-Proxy" servers & Phishing Campaigns


From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 2 Jan 2020 09:33:27 -0500

Hi folks (and I apologize for the cross posting),

We've run into something interesting, and I'm wondering if anybody has any
insight.

We use KnowBe4 as our Phishing/training/testing vendor, and have seen a lot
of "clicks" coming from the 66.102.8.0/24 subnet. These machines are all
identified as "Google-Proxy-<IP>.google.com"

We've reached out to KnowBe4 about this, and the response we got was
effectively, "yeah, and?" on the theory that a click is a click, no matter
where it came from. In some cases, I would believe that the users had
clicked, but in others I believe the users when they say that they didn't
click on the links.

Has anybody else seen this? Does anybody know what might be triggering
these requests to the unique URLs? Does anybody have any insight into what
the google-proxy servers are used for?

Over half of the "clicks" are coming from these IP addresses. This feels
very much like the proverbial "Once is happenstance, twice is coincidence,
three [or more] is enemy action", and I don't like things I can't explain.

Thank You
Frank

-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
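
An added example, not part of the original post and not KnowBe4's code: one way to split a phishing-simulation click export by the 66.102.8.0/24 subnet the post names, so recipients whose only recorded "clicks" came from that subnet can be reviewed separately from those with a click from some other address. The record layout, recipient addresses and non-subnet IPs are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Subnet named in the post; everything else below is constructed for illustration.
PROXY_NET = ipaddress.ip_network("66.102.8.0/24")

# Constructed sample of a click export: (recipient, source IP). Not real data.
SAMPLE_CLICKS = [
    ("alice@example.edu", "66.102.8.17"),
    ("alice@example.edu", "198.51.100.23"),
    ("bob@example.edu", "66.102.8.140"),
    ("bob@example.edu", "66.102.8.9"),
    ("carol@example.edu", "203.0.113.77"),
    ("dave@example.edu", "not-an-ip"),
]

def from_proxy_net(ip_text):
    """True/False for subnet membership, None if the field is not a valid IP."""
    try:
        return ipaddress.ip_address(ip_text) in PROXY_NET
    except ValueError:
        return None

def triage(clicks):
    """Group recipients by where their recorded clicks came from."""
    seen = defaultdict(set)
    proxy_count = 0
    for recipient, ip_text in clicks:
        verdict = from_proxy_net(ip_text)
        seen[recipient].add(verdict)
        proxy_count += verdict is True
    report = {"proxy_only": [], "other_source": [], "unparsed": []}
    for recipient, verdicts in sorted(seen.items()):
        if False in verdicts:
            report["other_source"].append(recipient)  # at least one click from elsewhere
        elif True in verdicts:
            report["proxy_only"].append(recipient)    # every valid click came from the subnet
        else:
            report["unparsed"].append(recipient)      # nothing usable to classify
    # Share of all recorded clicks that came from the subnet
    report["proxy_share"] = proxy_count / len(clicks) if clicks else 0.0
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CLICKS).items():
        print(f"{key}: {value}")
```

The grouping only sorts records by source address; it does not establish what generated a request from the subnet.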
