1

I received an email which is classified as "potentially malicious" by my email program (Thunderbird), where links are actually a Google URL query with extra parameters:

For example, the displayed text of the link is www.example.com/ but the actual link is https://www.google.com/url?q=http://www.example.com/&sa=D&ust=1535125407413000&usg=AFQjCNFsIVH5f4lBiIzr6njucxAoYFqy5A

I searched everywhere for the meaning of those extra tags sa=, ust= and usg=, but there is no official reference about it, and for example, the links provided in this answer seem outdated...

Also, I just noticed this is not a search, but a URL query (www.google.com/url?).

Is there something to worry about in this e-mail? Does anyone have an explanation of these URL parameters? How was this link made?

R1W
PlasmaBinturong

1 Answer

1

It is not a question of the parameters, but that the URL given in the link's text and the real URL of the link point to different domains - which is a common technique in phishing mails.

To cite from Thunderbird’s Scam Detection:

Thunderbird's automatic scam filtering
...
It looks for characteristics in messages that are common in scam messages, for example:
...
Links where the text doesn't match the server name (for example, the text of the message might say "https://secure.example.com" but the link actually goes to "http://phishing.example.com" instead). Phishers do this to fool you into going to their site. Unfortunately some legitimate mailing lists also do this with redirectors for tracking purposes.

Steffen Ullrich
  • Yes, I understood that, and then that led me to my question: should I worry about a seemingly harmless Google URL? Can this type of URL be used as a phishing one? – PlasmaBinturong Sep 10 '18 at 15:26
  • @PlasmaBinturong: In this specific case the URL is probably no problem since Google makes sure that this cannot be used as a simple open redirect. Also, the link text actually describes where it is going correctly. But in general, links which look like they are for a trusted domain but actually redirect to another can lead to successful phishing, as can cases where the link text is for a different domain than the link target. In both cases the user might have trust in the target because the link text or target URL actually looks familiar. – Steffen Ullrich Sep 10 '18 at 15:56
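The text-versus-target check discussed in the answer and comments can be reproduced when triaging a message. The following is an added example, not part of the original posts and not Thunderbird's own code: it compares each link's visible host with its href host and also reads the `q=` target of a `www.google.com/url` link. The function names and the sample HTML are constructed for illustration, and reading `q=` only parses the URL; it does not contact Google or validate `usg`.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the link from the question plus the pair quoted in the answer.
SAMPLE_HTML = (
    '<a href="https://www.google.com/url?q=http://www.example.com/&amp;sa=D'
    '&amp;ust=1535125407413000&amp;usg=AFQjCNFsIVH5f4lBiIzr6njucxAoYFqy5A">'
    'www.example.com/</a> '
    '<a href="http://phishing.example.com">https://secure.example.com</a>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL or of URL-looking text without a scheme, else None."""
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None
    return host if host and "." in host and " " not in host else None

def unwrap_redirector(href):
    """Return the q= target of a www.google.com/url link, else href unchanged."""
    parts = urlsplit(href)
    if parts.hostname == "www.google.com" and parts.path == "/url":
        return parse_qs(parts.query).get("q", [href])[0]
    return href

def audit(html):
    """Per link: (text host, href host, host after unwrapping, text/href mismatch)."""
    collector = LinkCollector()
    collector.feed(html)
    return [(host_of(text), host_of(href), host_of(unwrap_redirector(href)),
             host_of(text) not in (None, host_of(href)))
            for href, text in collector.links]
```

Both sample links are flagged as text/href mismatches, but only for the first one does the unwrapped host equal the displayed host; for the second, the displayed and final hosts still differ.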