Last month, Google announced that it would be shutting down the goo.gl URL shortening service and replacing it with Firebase Dynamic Links. But before those short links disappear, scammers continue to take full advantage of them with a little help from Google Maps.
Security company Sophos discovered that scammers are using a vulnerability in Google Maps URLs. It's known as an open redirect vulnerability and allows an otherwise safe link to redirect to another page without the user's knowledge. It also bypasses all the safety checks Google performs when creating a new short URL.
What the scammers want to achieve is a short URL that leads directly to their scam site where you'll be bombarded with offers to buy pills, or worse, an attempt will be made to compromise your PC. Linking directly to a scam site will result in Google's automated checks sounding alarm bells and refusing the link, so the scammers need a legitimate middleman. It turns out Google Maps works perfectly because of the open redirect vulnerability.
As an example, this is a legitimate Google Maps URL which has been modified to redirect to example.org: https://maps.app.goo.gl/?link=https%3A%2F%2Fexample.org. The link would pass any URL shortening service's checks, but when clicked it would load a completely different web page from the intended one.
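As an added example (not code from Sophos or the article), here is a defender-side check for a mail or link-scanning pipeline: it pulls the `link` parameter out of a Google Maps URL, decodes it (including double-encoded values), and flags any destination whose host is not a Google domain. The trusted-host list is an assumption for illustration.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Hosts that may legitimately appear as Maps/goo.gl link sources and
# as redirect destinations (assumed list for this example).
MAPS_HOSTS = {"maps.app.goo.gl", "goo.gl", "google.com"}
TRUSTED_REDIRECT_HOSTS = {"google.com", "goo.gl", "maps.app.goo.gl"}


def _host_matches(host, allowed):
    """True if host equals, or is a subdomain of, any allowed domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def extract_redirect_target(url):
    """Return the decoded destination carried in the 'link' parameter, or None."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    for value in qs.get("link", []):
        target = value
        # parse_qs decodes once; peel further layers of percent-encoding
        # so a double-encoded destination cannot hide from the check.
        while "%" in target and unquote(target) != target:
            target = unquote(target)
        return target
    return None


def is_open_redirect(url):
    """True when a Google Maps URL redirects to a host outside Google's domains."""
    if not _host_matches(urlparse(url).hostname, MAPS_HOSTS):
        return False  # not a Maps/goo.gl link: out of scope for this check
    target = extract_redirect_target(url)
    if target is None:
        return False
    t = urlparse(target)
    if t.scheme not in ("", "http", "https"):
        return True  # non-web scheme in a redirect parameter is never legitimate here
    if not t.hostname:
        return False  # relative path, stays on the Maps host
    return not _host_matches(t.hostname, TRUSTED_REDIRECT_HOSTS)
```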
Modifying the link is easy for the scammers to do and can't easily be detected. The fix is up to Google, which has apparently known about the vulnerability since September last year.