My sister got Covid for Christmas. A few days after getting tested, she received this text:
She receives a lot of spam and phishing texts. So, understandably, she was trepidatious: is this legitimate? Did I sign up for this?
Here's what the URL looks like (with a fake secret):
https://us-ca.en.express/v?c=MqWLciTcHgMlK1o5
The simple rules I've taught my family to counter phishing:
- If you can, avoid following unsolicited links that are texted to you. Find another way to perform the function you're being prompted to perform.
- If you must follow a link, always verify the domain actually belongs to who you think it does before clicking it.
Rule #2 is often complicated by short URLs, like the one here: nothing in `us-ca.en.express` says who owns it.
Visiting https://us-ca.en.express redirects one to this page:
So this appears to be a link from a Google service. en.express pulls up this page:
On this page, there's a link to a g.co URL, which in turn links to the same Google page shown above.
Of course, anyone can redirect their base domain to Google. Or have a link that says "About this totally legit page" that links to Apple.
We can't trust this domain to tell us it's from Google. Instead, we need Google – at google.com – to tell us this domain is from them.
Sometimes, you can Google a domain to verify its owner. Unfortunately, that trick doesn't work for this Google domain:
One way to solve all this: both us-ca.en.express and en.express should link to a page on google.com that explicitly states these domains belong to Google. Then a quick investigation or Google search would confirm ownership.
Still, it feels like something critical is missing for short URLs. We should use DNS or CAs to surface sibling or parent domains as a first-class concept in the browser. In that world, Google could list en.express as a child domain of google.com, making ownership easy to verify with a new browser feature.
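To make the two-sided check concrete (the short domain claims a parent, and the parent, at its own domain, confirms the child), here is an added example in Python. It is not code from the post, and it describes no mechanism that Google, any CA or any browser actually implements: the `_parent.` and `_children.` TXT record names are invented for illustration, and the `FAKE_DNS_TXT` table stands in for real DNS lookups (a real implementation would query a resolver). It walks up the hostname so that a subdomain like `us-ca.en.express` inherits the claim made at `en.express`, and it deliberately refuses to accept a one-sided claim, which is the "anyone can redirect their base domain to Google" problem from the post.

```python
"""Hypothetical mutual domain-ownership check (illustration only).

A child domain publishes "parent=<domain>"; the parent publishes
"child=<domain>". Ownership counts as verified only when BOTH records agree,
so a lookalike domain cannot simply claim to belong to a big brand.
"""
from urllib.parse import urlsplit

# Constructed stand-in for DNS TXT answers. Record names are made up for this
# example; nothing here reflects real DNS data for these domains.
FAKE_DNS_TXT = {
    "_parent.en.express": ["parent=google.com"],
    "_children.google.com": ["child=en.express", "child=g.co"],
    # A one-sided claim: this domain says it belongs to google.com,
    # but google.com never lists it as a child.
    "_parent.totally-legit.example": ["parent=google.com"],
}


def txt_lookup(name, dns=FAKE_DNS_TXT):
    """Return the TXT strings published at `name` (empty list if none)."""
    return dns.get(name.lower(), [])


def declared_parent(host, dns=FAKE_DNS_TXT):
    """Walk from the full hostname up toward the apex and return
    (domain, parent) for the first domain that publishes a parent claim,
    or None if no level of the name makes one."""
    labels = host.lower().rstrip(".").split(".")
    # Stop before the bare TLD: a claim at ".express" would be meaningless.
    for i in range(len(labels) - 1):
        domain = ".".join(labels[i:])
        for record in txt_lookup("_parent." + domain, dns):
            if record.startswith("parent="):
                return domain, record[len("parent="):].lower()
    return None


def parent_confirms(parent, child, dns=FAKE_DNS_TXT):
    """True only if the parent, at its own name, lists `child` as a child."""
    return ("child=" + child) in txt_lookup("_children." + parent, dns)


def verify_owner(url, dns=FAKE_DNS_TXT):
    """Classify a URL's host as:
       ("verified", parent)    child claims parent AND parent confirms child
       ("unconfirmed", parent) child claims parent but parent is silent
       ("no-claim", None)      no level of the host claims any parent
       ("unknown", None)       URL has no usable host
    """
    host = urlsplit(url).hostname
    if not host:
        return ("unknown", None)
    claim = declared_parent(host, dns)
    if claim is None:
        return ("no-claim", None)
    domain, parent = claim
    if parent_confirms(parent, domain, dns):
        return ("verified", parent)
    return ("unconfirmed", parent)


if __name__ == "__main__":
    # The short URL from the post (with its made-up secret) and two contrasts.
    for link in (
        "https://us-ca.en.express/v?c=MqWLciTcHgMlK1o5",
        "https://totally-legit.example/v?c=abc",
        "https://example.net/",
    ):
        print(link, "->", verify_owner(link))
```

The important design choice is that a browser feature built on this idea would display the parent only for the `verified` outcome; `unconfirmed` must look exactly like `no-claim` to the user, otherwise the one-sided "this page is totally legit" claim the post warns about would gain a veneer of authority.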