
How Google Is Used As a Weapon Against You

During our two years exposing Internet scams and threats we have developed a real appreciation for the creativity, skill, and resourcefulness of the criminals who target citizens of the world. We've watched their tactics evolve as they develop new malicious tricks that make it harder for the average Joe to recognize a threat when it is staring him in the face. Their latest tactic is to make a link appear to go to Google while actually using it to deliver a malicious payload.
This email appears to have been sent by a graphic designer from the legitimate domain adamwebster.me, without a subject line. It also appears to be forwarded from another email. The only content worth attention is a link that points to Google.com.

[Screenshot: TS1-Google Link]

If you look carefully at the red hyperlink to Google, notice a second "http" in the link, followed by %3A%2F%2F and more. Those characters are percent-encoding (URL encoding): %3A is a colon and %2F is a forward slash, so %3A%2F%2F is simply "://" written so that it can be carried inside another URL. What you are really seeing is another link buried in the link to Google…

   h t t p://chefmemes.com /kxnuuina.php and a lot more characters….
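The decoding described above, as an added example that is not part of the original article: this script pulls every hidden link out of a "Google" link's query string, repeatedly percent-decoding so that single- and double-encoded "://" (%3A%2F%2F and %253A%252F%252F) are both recovered, and reports which hosts the reader would really be sent to. The sample link is constructed from the hosts named in the article; the /url?q= path is an assumption about how the link was built.

```python
from typing import List
from urllib.parse import urlparse, parse_qsl, unquote


def find_embedded_urls(url: str, max_depth: int = 5) -> List[str]:
    """Return every URL hidden inside the query string of `url`, outermost first.

    parse_qsl decodes one layer of percent-encoding; the loop strips any further
    layers (attackers often encode the hidden link more than once), and the
    recursion follows a hidden link that itself carries another redirect.
    """
    found: List[str] = []
    for _name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        decoded = value
        for _ in range(max_depth):
            nxt = unquote(decoded)
            if nxt == decoded:      # fully decoded
                break
            decoded = nxt
        inner = urlparse(decoded)
        if inner.scheme in ("http", "https") and inner.netloc:
            found.append(decoded)
            found.extend(find_embedded_urls(decoded, max_depth))
    return found


def hidden_redirect_hosts(url: str) -> List[str]:
    """Hosts the link actually leads to that differ from the host the reader sees."""
    visible = urlparse(url).netloc.lower()
    return [urlparse(u).netloc.lower() for u in find_embedded_urls(url)
            if urlparse(u).netloc.lower() != visible]


# Constructed sample: a Google link whose q= parameter hides a chefmemes.com
# redirect, which in turn hides a double-encoded link to biglovelygold.com.
SAMPLE_LINK = (
    "https://www.google.com/url?q=http%3A%2F%2Fchefmemes.com%2Fkxnuuina.php"
    "%3Fnext%3Dhttps%253A%252F%252Fbiglovelygold.com%252F&sa=D"
)

if __name__ == "__main__":
    for hop in find_embedded_urls(SAMPLE_LINK):
        print("hidden link:", hop)
    print("real destinations:", hidden_redirect_hosts(SAMPLE_LINK))
```

A link whose visible host is google.com but whose `hidden_redirect_hosts` list is non-empty is exactly the pattern this email used.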


The Zulu URL Risk Analyzer confirms the hidden redirect but doesn’t identify it as malicious.

[Screenshot: TS2-Google link]

Red Flag #1: Someone has sent a link made to look like a link to Google that is actually a redirect to a website called Chefmemes.com. Google tells us that this website may have been hacked. When Google tells you this, you had better believe it…

[Screenshot: TS2a-chefmeme]

If we ask the Zulu URL Risk Analyzer to investigate the link to Chefmemes.com we find several interesting things to consider…
Red Flag #2: Chefmemes.com contains many redirections to other websites, including savethechildren.org. Everyone should recognize the remarkable charity, Save the Children. But what is it doing here, with at least three redirects pointed to it? The popups to SavetheChildren.org are meant to distract you, just as a pickpocket distracts you with one hand while picking your pocket with the other. If you look at the analysis from Zulu you'll also see that there is a redirect to a strange website called biglovelygold.com.

[Screenshot: TS3-Google link]

Red Flag #3: We look up BigLovelyGold.com in Google and find absolutely nothing. Zulu doesn't find it threatening, but it does score it 43 out of 100 points. It also finds that BigLovelyGold.com is being hosted in Lithuania.


[Screenshot: TS4-Google link]

Remember, this started as an innocent email containing a link that seemed to point to Google.  Now we see that we’re being sent to a website in Lithuania and Google can’t find any information whatsoever about this website.  Does this still seem safe to you?


Since it seems that our final destination is biglovelygold.com we used WHOIS.sc to look up ownership of the domain…

[Screenshot: TS6-Google link]

Red Flag #4: We learned that BigLovelyGold.com was registered on June 27, the day the email was sent, and that the site appeared to be hosted in England.


Looking more carefully at the WHOIS record for BigLovelyGold.com shows that it was registered through a sleazy registrar in China called BizCN.com. If you look up BizCN.com in Google as we did, you'll find lots of complaints against this registrar, including the fact that ICANN (the Internet's governing organization) hit BizCN.com with a breach of contract in 2014. Visit: https://www.google.com/?gws_rd=ssl#q=bizcn.com We wonder why BizCN.com is still in business! And check out this article in InternetNews.me about how sleazy BizCN.com is reported to be!

[Screenshot: TS7-Google link]

Red Flag #5: Finally, we decided to look up the administrator listed on the WHOIS record for BigLovelyGold.com… Mckenzie Considine of Considine Corporation Ltd. According to this document we found on a U.S. Government website, Considine Corporation was served with a lawsuit in 2014 for fraudulent practices by the U.S. Commodities Future Trading Division. Visit: http://www.cftc.gov/idc/groups/public/@lrenforcementactions/documents/legalpleading/enfconsidinecomplaint092914.pdf

[Screenshot: TS8-Google link]

How does that link to Google feel to you now? Innocent? Nothing to worry about, or did it have malicious intent? Yeah, that's what we thought too. Delete it and be glad you dodged a bullet.
The next time a friend sends you an email with a link, look carefully at it before you click. If you have any doubts, contact your friend personally to ask about the email.
