How Google Is Used As a Weapon Against You
[UPDATED 1/3/20] Periodically, we have seen cybercriminals manipulate Google's search engine so that malicious websites appear in the top results of a search. These malicious websites appear legitimate but are designed to infect your computer with malware.
In late fall 2019 we began to notice some oddball websites appearing when we conducted Google searches for telephone numbers. In late December 2019 and early January 2020 we confirmed that cybercriminals are, once again, gaming Google's search results to pull up malicious websites that put us all at risk. While investigating an odd text in late December, presumably from Uber, we searched Google for the information that you see in this screenshot…
The top link may have been legitimate, but our “spider senses” were tingling when we looked at the domains of the next 3 links. (It is so very important to look at the domain names shown in green underneath a blue Google link!) We’ve been at this long enough to recognize malicious domains and the crap generic top-level domains (gTLDs) most often purchased by cybercriminals! We had immediate suspicions about these 3 links…
peastone[.]xyz
yfusv[.]com
unclasped[.]xyz
A WHOIS lookup of peastone[.]xyz confirmed our suspicions: it had been newly registered about 5 weeks earlier. A very recent registration is OFTEN a sign that you cannot trust a website….
Fortunately, VirusTotal.com was able to confirm our suspicions. Malware lay in wait for anyone clicking links to peastone[.]xyz…
And what of the other oddball websites that came up in the Google search? Both unclasped[.]xyz and yfusv[.]com were registered in the last few weeks!
In addition, when we searched for the website yfusv[.]com in Firefox (DO NOT DO THIS UNLESS YOU KNOW HOW TO SEARCH FOR A WEBSITE WITHOUT VISITING IT!), we came upon lots of oddball links that made us even more suspicious about the legitimacy of this website:
We were then able to use ReScan.pro to confirm that a suspicious injector was waiting for anyone who arrived at yfusv[.]com! (ReScan.pro also reported that this website has been blacklisted by A/V services.)
We have not been able to confirm the existence of malware on unclasped[.]xyz but we are CERTAIN it is there lying in wait! After uncovering these malicious websites, we’re now thinking that the fake “Uber text” was likely a trigger to trick people into searching for the phone number, and then clicking a link to infect their devices.
BOTTOM LINE: Look carefully at the domains of the links provided by Google before clicking! Especially notice those domain endings like “xyz.” If something seems odd or unusual about those domain names, do NOT click the Google link!
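The two checks the investigation above relies on (is the top-level domain one of the cheap gTLDs criminals favour, and was the domain registered only weeks ago according to WHOIS) are easy to turn into a small triage script. The following is an added example, not code from the original post: it takes each search-result URL together with its WHOIS creation date (here constructed sample dates, not live lookups; the 90-day "new domain" threshold and the one-entry TLD watchlist are assumptions) and prints a defanged domain with the reasons it stood out.

```python
from datetime import date
from urllib.parse import urlsplit

# Watchlist of top-level domains to treat with extra suspicion. The post only
# names ".xyz"; this set is a constructed starting point, extend it to taste.
WATCHLIST_TLDS = {"xyz"}

# Assumption: a domain registered fewer than this many days ago counts as "new".
NEW_DOMAIN_DAYS = 90


def registered_domain(host):
    """Reduce a hostname to its last two labels (naive: ignores public suffixes
    such as co.uk; use a public-suffix library for production use)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def defang(domain):
    """Write a domain as peastone[.]xyz so it cannot be clicked by accident."""
    return domain.replace(".", "[.]")


def triage_result(url, creation_date, today):
    """Return (defanged_domain, reasons). An empty reasons list means nothing
    in this simple triage stood out; it is not proof the site is safe.

    creation_date is the WHOIS 'Creation Date' as a datetime.date, or None if
    the lookup gave no date (itself worth noting)."""
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    reasons = []
    if tld in WATCHLIST_TLDS:
        reasons.append(f"TLD .{tld} is on the watchlist")
    if creation_date is None:
        reasons.append("no WHOIS creation date available")
    else:
        age_days = (today - creation_date).days
        if age_days < NEW_DOMAIN_DAYS:
            reasons.append(f"domain registered only {age_days} days ago")
    return defang(domain), reasons


# Constructed sample: the three domains from the search above plus one
# long-established control domain. The creation dates are made up to match the
# post's "registered in the last few weeks"; a real check would take them from
# a WHOIS lookup.
TODAY = date(2020, 1, 3)
SAMPLE_RESULTS = [
    ("https://peastone.xyz/some/page", date(2019, 11, 28)),
    ("https://yfusv.com/lookup?number=1", date(2019, 12, 20)),
    ("https://unclasped.xyz/", date(2019, 12, 15)),
    ("https://www.example.com/directory", date(1995, 8, 14)),
]


def triage_all(results=SAMPLE_RESULTS, today=TODAY):
    """Triage every (url, creation_date) pair; returns a dict keyed by domain."""
    return {d: r for d, r in (triage_result(u, c, today) for u, c in results)}


if __name__ == "__main__":
    for domain, reasons in triage_all().items():
        flag = "SUSPICIOUS" if reasons else "no flags"
        print(f"{domain:24} {flag}: {'; '.join(reasons)}")
```

Run it as-is and the three domains from the screenshot come out flagged while the control domain does not. Feed it real WHOIS creation dates and the same logic works on any list of search results; a missing creation date is reported rather than silently passed, since a registrar that hides its records is itself a signal worth a second look.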
========================================
The content below was first published in June, 2016: (Click the graphics below to enlarge.)
During our two years exposing Internet scams and threats we have developed a real appreciation for the creativity, skill, and resourcefulness of the criminals who target citizens of the world. We’ve watched their tactics evolve as they develop new malicious tricks that make it harder for the average Joe to recognize a threat when it is staring him in the face. Their latest tactic uses what appears to be a Google link as the means to deliver a malicious payload.
This email appears to have been sent by a graphic designer from the legitimate domain adamwebster.me without a subject line. It also appears to be forwarded from another email. The only content worth attention is a link that points to Google.com.
If you look carefully at the red hyperlink to Google, notice a second http in the code, followed by %3A%2F%2F and more. These characters are URL (percent) encoding and translate to ://. So what you are really seeing is another link buried inside the link to Google…
h t t p://chefmemes.com /kxnuuina.php and a lot more characters….
The Zulu URL Risk Analyzer confirms the hidden redirect but doesn’t identify it as malicious.
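The hidden-redirect trick above is mechanical enough to check for without clicking: a second URL is percent-encoded into a query parameter of a trusted-looking link. The script below is an added example, not code from the original post or from the Zulu analyzer. It decodes every parameter in the query string and fragment, repeating the decoding for double-encoded values, recurses into any URL it finds, and reports the host the link appears to go to versus the host it really leads to. The sample links are constructed in the shape of the one in the email; the host redirect-target.example is a reserved placeholder, not the real redirect target.

```python
from urllib.parse import parse_qsl, unquote, urlsplit


def fully_unquote(text, limit=5):
    """Undo percent-encoding repeatedly (bounded) so that double-encoded links,
    e.g. http%253A%252F%252F..., are decoded all the way to http://..."""
    for _ in range(limit):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def looks_like_url(value):
    return value.lower().startswith(("http://", "https://"))


def find_embedded_urls(url, max_depth=5):
    """Return a list of (depth, url) for every URL hidden inside the query
    string or fragment of `url`, recursing into each one found."""
    found = []

    def walk(current, depth):
        if depth > max_depth:
            return
        parts = urlsplit(current)
        # Both the query (?q=...) and the fragment (#q=...) can carry parameters.
        for section in (parts.query, parts.fragment):
            for _key, value in parse_qsl(section, keep_blank_values=True):
                candidate = fully_unquote(value)
                if looks_like_url(candidate):
                    found.append((depth, candidate))
                    walk(candidate, depth + 1)

    walk(url, 1)
    return found


def summarize(url):
    """Report the host the link appears to go to versus where it really leads."""
    hidden = find_embedded_urls(url)
    final = hidden[-1][1] if hidden else url
    return {
        "visible_host": urlsplit(url).hostname,
        "hidden_hosts": [urlsplit(u).hostname for _, u in hidden],
        "final_host": urlsplit(final).hostname,
    }


# Constructed sample links in the shape of the one in the email: a Google
# redirect whose q= parameter carries a percent-encoded second URL. The host
# redirect-target.example is a reserved placeholder, not the real one.
SINGLE_ENCODED = (
    "https://www.google.com/url?q=http%3A%2F%2Fredirect-target.example"
    "%2Fkxnuuina.php%3Fid%3D42&sa=D"
)
DOUBLE_ENCODED = (
    "https://www.google.com/url?q=http%253A%252F%252Fredirect-target.example"
    "%252Fpage"
)
# An ordinary Google search link: its fragment carries a search term, not a URL.
PLAIN_SEARCH = "https://www.google.com/?gws_rd=ssl#q=bizcn.com"

if __name__ == "__main__":
    for link in (SINGLE_ENCODED, DOUBLE_ENCODED, PLAIN_SEARCH):
        print(summarize(link))
```

For the email's link the visible host is www.google.com while the final host is the redirect target, which is exactly the mismatch to look for. The script only inspects the text of the link; where the redirect target itself issues further HTTP redirects (as Chefmemes.com does in the Zulu report below) you would need a sandboxed analyzer to follow those.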
Red Flag #1: Someone has sent a link made to look like a link to Google that is actually a redirect to a website called Chefmemes.com. Google tells us that this website may have been hacked. When Google tells you this, you had better believe it…
If we ask the Zulu URL Risk Analyzer to investigate the link to Chefmemes.com we find several interesting things to consider….
Red Flag #2: Chefmemes.com contains many redirections to other websites, including savethechildren.org. Everyone should recognize the remarkable charity foundation, Save the Children. But what is it doing here with at least three redirects pointed to it? The popups to SavetheChildren.org are meant to distract you just like a pickpocket distracts you with one hand while picking your pocket with the other. If you look at the analysis from Zulu you’ll also see that there is a redirect to a strange website called biglovelygold.com.
Red Flag #3: We look up BigLovelyGold.com in Google and find absolutely nothing. Zulu doesn’t find it threatening but it does score it 43 out of 100 points. However, it does find that BigLovelyGold.com is being hosted in Lithuania.
Remember, this started as an innocent email containing a link that seemed to point to Google. Now we see that we’re being sent to a website in Lithuania and Google can’t find any information whatsoever about this website. Does this still seem safe to you?
Since it seems that our final destination is biglovelygold.com we used WHOIS.sc to look up ownership of the domain…
Red Flag #4: We learned that BigLovelyGold.com was registered on June 27, the day the email was sent and that the site appeared to be hosted in England.
Looking more carefully at the WHOIS record for BigLovelyGold.com shows that it was registered through a sleazy registrar in China called BizCN.com. If you look up BizCN.com in Google as we did, you’ll find lots of complaints against this registrar, including the fact that ICANN (the Internet’s governing organization) hit BizCN.com with a breach of contract in 2014. Visit: https://www.google.com/?gws_rd=ssl#q=bizcn.com We wonder why BizCN.com is still in business! And check out this article in InternetNews.me about how sleazy BizCN.com is reported to be!
Red Flag #5: Finally, we decided to look up the administrator listed on the WHOIS record for BigLovelyGold.com…. Mckenzie Considine of Considine Corporation Ltd. According to this document we found on a U.S. Government website, Considine Corporation was served with a lawsuit in 2014 for fraudulent practices by the U.S. Commodities Future Trading Division. Visit: http://www.cftc.gov/idc/groups/public/@lrenforcementactions/documents/legalpleading/enfconsidinecomplaint092914.pdf
How does that link to Google feel to you now? Innocent? Nothing to worry about or did it have malicious intent? Yeah, that’s what we thought too. Delete and be glad you dodged a bullet. The next time a friend sends you an email with a link, look carefully at it before you click. Any doubts, be sure to contact your friend personally to ask about the email.