Google’s free webpage maker, Google Sites, is a boon for scammers

It seems everyone uses Google’s free services. Its search engine is the most-trafficked website in the world. Over a billion people depend on Gmail for their email messaging. Google Meet provides multi-user remote video conferencing at absolutely no cost. 

And more and more bad actors are utilizing Google Sites to defraud and scam internet users everyday. Wait…what?

Google has a problem. While its free services are great at making online tools more accessible to people around the globe, they also give scammers an easy way to set up shop. Without having to unveil their identities via credit card or billing address to make a payment, fraudsters can easily weaponize these products to carry out their scams.

Most people are familiar with products like Gmail and Google Meet and know that anyone can use these services. But Google Sites is a much lesser-known service. And the Google Sites service, which allows users to create web pages, provides a huge assist to scammers looking to hide under a veil of trustworthiness: a website under the Google.com domain name.

“On Google Sites, we explicitly prohibit phishing and we invest heavily in detecting, deterring, and removing abuse from our platforms,” said a Google spokesperson in a statement provided to Mashable.

Google is aware of the issue. However, the scams enabled by Google Sites persist. And they are not hard to find.

Google Gone Phishing

Phishing is a classic online scam tactic in which a bad actor copies the web designs of trusted websites, like a user’s bank, in order to trick the individual into inputting their sensitive information so the scammer can access it. These scammers have found success creating these phishing websites on Google Sites.

“I first encountered this scam myself whilst looking on Google for ‘Google Ads,'” SEO consultant Matt Tutt said to Mashable. 

Tutt had previously written about his own personal experience coming across the Google Sites scams in 2020. Like many people, Tutt decided to just Google the website he wanted to visit instead of directly typing the URL in his web browser’s address bar. He clicked the first link — a Google ad — on the search results page, assuming it would be the official Google Ads website.


Tweet may have been deleted
(opens in a new tab)

“It looked fairly legit, and honestly, I probably had my guard down, as I’d not have imagined someone apart from Google could run ads for the keyword ‘Google Ads,'” he explained. “I was presented with the standard Google Ads homepage — or at least I thought I was! When I went to log in, I noticed the URL was slightly different, and that’s when it struck me: I wasn’t on the official Google Ads site.”

“Luckily, I hadn’t entered my login credentials, but it struck me how easily I was nearly fooled, considering I work as an SEO specialist and have done so for over 10 years!” Tutt continued. 

If he had entered his password on that fake Google Ads page, he would have sent his credentials directly to a scammer. And if these Google Sites phishing pages could nearly trick a professional who works in search, like Tutt, there’s a good chance scammers are succeeding with less savvy individuals.

The problem is that every page published with Google Sites is accessible under the URL structure “sites.google.com.” And, from cybersecurity experts to tech-savvy family members, anyone who’s ever tried to educate people on how to avoid phishing scams has always stressed the importance of looking at the URL. If it isn’t one you trust, you shouldn’t click, nor should you provide any sensitive information on the page. It is a very good tip. But scammers are constantly evolving. Over the years, they have upgraded their tactics and have weaponized subdomains, like “YourBank.ScammersDomain.com.” In turn, users have specifically been told to look for the word right before the domain extension “.com.” If it’s unfamiliar to you, you probably shouldn’t trust it.

But every user-generated webpage published with Google Sites is accessible via the “sites.google.com” URL. Even a scammer’s phishing website, which may go by “sites.google.com/yourbank.” The main keyword right before the “.com”  is Google, right? The mega Big Tech corporation. The world’s largest search engine. The most popular website on earth. If that’s not a trustworthy domain, then nothing could be, right? And that’s why scammers love Google Sites. 

Direct-to-Consumer Scams

The scammer that almost fooled SEO consultant Tutt displayed some serious bravado in targeting those who were likely more tech-savvy than most. But most of these Google Site scammers have their sites set on much easier targets.

I first came across just how bad the Google Sites scams had become when a family member fell victim to one. Looking to activate YouTube on their television, a relative Google-searched the YouTube TV activation URL instead of inputting it into the web browser directly. A Google Sites phishing page popped up on the first page of Google, mimicking the look of an official YouTube site. In my investigation, I saw just how high Google was ranking a phishing site on the first page for a search query of their own sister company, YouTube. Because Google ranks Google Sites pages highly, these phishing pages enjoy prime spots for many related search terms.

A screenshot showing how high Google Sites phishing scams targeting YouTube users ranked on Google Search from August 2021.
Credit: Mashable Screenshot

The site instructed the family member to input the provided code to activate YouTube on their television. Of course, it didn’t work. The Google Site was set up for that to happen. The scam website then informed my family member that they needed to call a telephone number to activate YouTube on their TV. When they called the number, they were connected directly to a scammer who was able to scam them out of hundreds of dollars in the belief that these were small, temporary charges that were only used to confirm activation of their YouTube account on their TV set.

Since that piece was published last year, I have heard from a handful of readers who have fallen for similar scams utilizing Google Sites, such as one that scammed users looking to activate Amazon’s Prime Video.

In 2020, the cybersecurity firm Armorblox released a report about a growing phenomenon: Scammers weaponizing free Google services like Google Docs, Google Form, and, of course, Google Sites.

From American Express to Microsoft Teams to a targets’ payroll provider, Armorblox sussed out a slew of various brand impersonation phishing schemes using these free services like Google Sites.

“​​Though Google…[does] remove many of these, they are slow to respond to emerging attacks, leaving the attacker with days, if not weeks, to launch attacks,” Armblox chief information security officer Brian Johnson said to Mashable. “The game of Whac-A-mMole to get these taken down is a neverending battle.”

While the free nature of Google Sites and the cloak of the Google.com domain are huge factors in why they attract bad actors, there are more technical reasons, too.

“Due to these URLs and domains being used for several legitimate purposes, native email security filters are unlikely to block these inherently trustworthy links,” explained Johnson.

Plus, Johnson says, when Google does get around to taking down a phishing website, the scammer can quickly get everything back up and running.

“They make it so easy to use and throw and set up another account again,” he continued. “This allows attackers to keep launching a steady stream of attacks even when they are taken down.”

What’s next? Crypto scams, of course!

While Google has responded to Google Sites scams and shut down many phishing pages, that has not deterred scammers. And it may not be all that shocking to find where these bad actors are seeing money signs next: Cryptocurrency.

A new report from cybersecurity company Netskope found that throughout this past year, scammers are weaponizing Google Sites pages in order to steal people’s crypto wallet and account credentials from platforms like MetaMask and Coinbase. 

The report by Netskope provides an example of a Google Sites phishing page besides the MetaMask homepage it has copied.
Credit: Netskope

These scams work pretty much the same way other Google Sites scams work. The scammer creates a page that looks like the MetaMask or Coinbase login page; it provides users with the option of providing their username and password or secret recovery phrase to log in. Of course, once the user inputs that information, they are not actually logging into their crypto wallet or crypto exchange account. They are simply handing their account information over to the scammer.

One interesting difference noted by Netskope: With the crypto-related Google Sites scams, the scammers are very proactive. In prior Google Sites phishing schemes, most scammers seemed to sit back and let Google Search provide them with unlimited fresh targets, willingly inputting their private information or calling fake support numbers. Netskope’s report found that many crypto scam Google Sites pages are actually being scammed on blogs and social media posts around the web.

Be on the lookout for that “sites” subdomain before the “Google.com” URL the next time you come across a webpage that looks to be from the most trustworthy domain name on earth. It just might be a scammer.