Educause Security Discussion mailing list archives

Re: "Google-Proxy" servers & Phishing Campaigns


From: "Lamagna Jr., Robert" <robert.lamagna () UCONN EDU>
Date: Fri, 3 Jan 2020 13:48:20 +0000

As far as Google intercepting clicks and displaying a warning goes, this happens often via Google Chrome.

You can test by sending a phishing link to yourself and opening it in Chrome to see how it's tagged.

I have noticed that, based on which domain I choose to send from, i.e. “employeeportal.net-login.com”,
the Chrome browser will re-route it and display a warning that it is a known phishing site.
This happens over time as staff report links.

My solution to this is to keep testing the options KnowBe4 has available to send from and see which one makes it
through Chrome.


Robert Lamagna Jr.
Security Awareness Analyst
University of Connecticut
Robert.Lamagna () UConn edu
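The thread's practical question is how to tell a real user click from a hit generated by Google's proxy infrastructure. The script below is an added example, not code from KnowBe4, Google or any of the thread participants. It takes the two facts the thread gives (source subnet 66.102.8.0/24, reverse DNS of the form Google-Proxy-<IP>.google.com), applies them to a constructed click export, and reports per-user which hits came from the proxy network and which came from anywhere else. The CSV layout, the exact hostname shape (dashed IP), the user agents and all users and addresses are assumptions made for the example.

```python
"""Triage simulated-phishing "clicks" by source network.

Added example (not KnowBe4, Google or list-member code). The click records
are constructed. The only facts taken from the thread are the suspect
subnet 66.102.8.0/24 and the Google-Proxy-<IP>.google.com reverse-DNS
naming; the dashed-IP hostname shape and the export columns are assumed.
"""
import csv
import io
import ipaddress
import re
from collections import Counter

# Networks the thread identifies as Google proxy infrastructure.
PROXY_NETS = [ipaddress.ip_network("66.102.8.0/24")]

# Reverse-DNS shape reported in the thread (assumed: IP octets dashed).
PROXY_RDNS = re.compile(r"^google-proxy-[\w-]+\.google\.com\.?$", re.I)

# Constructed sample export: user, click time, source IP, rDNS, user agent.
# Note alice's proxy hit precedes her real click by a few minutes.
SAMPLE_CLICKS = """\
user,timestamp,src_ip,rdns,user_agent
alice@example.edu,2020-01-02T09:14:03Z,66.102.8.47,google-proxy-66-102-8-47.google.com,Mozilla/5.0 (constructed proxy UA)
alice@example.edu,2020-01-02T09:21:55Z,192.0.2.17,,Mozilla/5.0 (Windows NT 10.0) Chrome/79.0
bob@example.edu,2020-01-02T09:15:10Z,66.102.8.91,google-proxy-66-102-8-91.google.com,Mozilla/5.0 (constructed proxy UA)
carol@example.edu,2020-01-02T10:02:41Z,198.51.100.8,,Mozilla/5.0 (Macintosh) Safari/605.1
"""


def parse_clicks(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_proxy_hit(ip, rdns):
    """True if the hit came from a known proxy subnet or proxy hostname.

    Either signal alone is enough: the subnet catches hosts whose PTR
    record is missing, the hostname pattern catches proxy ranges not yet
    added to PROXY_NETS.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PROXY_NETS):
        return True
    return bool(rdns) and PROXY_RDNS.match(rdns) is not None


def triage(records):
    """Return {user: Counter({'proxy': n, 'user': m})} for the export."""
    counts = {}
    for rec in records:
        kind = "proxy" if is_proxy_hit(rec["src_ip"], rec["rdns"]) else "user"
        counts.setdefault(rec["user"], Counter())[kind] += 1
    return counts


def confirmed_clickers(counts):
    """Users with at least one hit from outside the proxy networks."""
    return sorted(user for user, c in counts.items() if c["user"] > 0)


def proxy_share(counts):
    """Fraction of all recorded hits that came from proxy networks."""
    total = sum(sum(c.values()) for c in counts.values())
    proxy = sum(c["proxy"] for c in counts.values())
    return proxy / total if total else 0.0


if __name__ == "__main__":
    summary = triage(parse_clicks(SAMPLE_CLICKS))
    for user, c in sorted(summary.items()):
        print(f"{user:20s} proxy={c['proxy']} user={c['user']}")
    print("confirmed clickers:", confirmed_clickers(summary))
    print(f"proxy share of all hits: {proxy_share(summary):.0%}")
```

Run against a real KnowBe4 export, the useful output is the list of users who only ever appear via the proxy network: those are the ones whose "I never clicked" is plausible and who should not be enrolled in remedial training on the strength of that record alone. Keep the `PROXY_NETS` list data-driven; the subnet in the thread is one observation, not a complete inventory of Google's proxy ranges.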



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Thursday, January 2, 2020 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] "Google-Proxy" servers & Phishing Campaigns

Just to put everything together from the various folks that have responded - and I have also gotten some 
non-authoritative information back from Google.

Some of the possible causes:

  *   Chrome Data Saver proxying the clicks because they are http (not https) links

     *   I've done some quick testing, have not been able to independently verify

  *   Google Link Protection checking the links in the UI (Google SEs thought this was a possibility)

     *   I've also done some quick testing, and not been able to verify independently

  *   Google checking links in messages that have been forwarded (Google SEs thought this was also a possibility)

     *   I've also done some quick testing, and not been able to verify independently

  *   Google intercepting clicks and displaying a warning

     *   Not sure how to test this

I'm going to keep digging, but I did want to thank everybody for their insight.

Frank

On Thu, Jan 2, 2020 at 9:33 AM Frank Barton <bartonf () husson edu<mailto:bartonf () husson edu>> wrote:
Hi folks (and I apologize for the cross posting),

We've run into something interesting, and I'm wondering if anybody has any insight.

We use KnowBe4 as our Phishing/training/testing vendor, and have seen a lot of "clicks" coming from the
66.102.8.0/24 subnet. These machines are all identified as
"Google-Proxy-<IP>.google.com"

We've reached out to KnowBe4 about this, and the response we got was effectively, "yeah, and?" on the theory that a 
click is a click, no matter where it came from. In some cases, I would believe that the users had clicked, but in 
others I believe the users when they say that they didn't click on the links.

Has anybody else seen this? Does anybody know what might be triggering these requests to the unique URLs? Does anybody
have any insight into what the google-proxy servers are used for?

Over half of the "clicks" are coming from these IP addresses. This feels very much like the proverbial "Once is 
happenstance, twice is coincidence, three [or more] is enemy action", and I don't like things I can't explain.

Thank You
Frank

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
