Widely-used URL tracking systems are often abused in phishing attacks. The domains used by these systems are commonly known and trusted, making them attractive carriers for phishing URLs. To illustrate how it works, this post breaks down a recently-observed phishing attack that uses Google Ads’ tracking system to evade email filters.
How it works
Piggybacking on a domain is appealing to threat actors not only because it increases the odds of making it past spam filters, but also for ease of creation. By editing an existing URL, the burden of setting up their own redirect is removed, and they are able to take advantage of infrastructure already in place to launch their campaign.