
New Google fonts attack on WordPress websites

A team of digital forensics specialists just reported the discovery of a fake Google domain that could trick any user who doesn't pay sufficient attention to their online activities.

According to a report from Security Boulevard, the attackers behind this malicious domain abused is.gd, a URL shortener service, and injected the shortened addresses into the posts table of the affected site's WordPress database.

Each time the infected WordPress page is loaded, the actual content is hidden behind the is.gd link, which in turn fetches content from the fake Google domain (in this case fonts[.]googlesapi[.]com).

According to digital forensics experts, the domain is not as recent as you might think: it has been online for just over a year. As for its appearance, the URL is very similar to the authentic Google URL used on many websites and could go unnoticed by any administrator.

In fact, this malicious domain uses exactly the same characters as the legitimate Google Fonts URL, simply relocating an 's', which makes it hard to spot with the naked eye.

  • Legitimate domain: fonts[.]googleapis[.]com
  • Malicious domain: fonts[.]googlesapi[.]com
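A defender-side check for the two injection traits described above: shortened is.gd links in post content, and hostnames that are a character shuffle (googleapis → googlesapi) or a couple of edits away from fonts.googleapis.com. This is an added example, not code from the report or from WordPress; the sample rows are constructed, and the default `wp_posts` table name is an assumption about the site's table prefix.

```python
import re
from collections import Counter
from urllib.parse import urlparse
# Hostname the campaign imitates (from the report); is.gd is the shortener it abused.
LEGIT_HOSTS = ("fonts.googleapis.com",)
SHORTENERS = ("is.gd",)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def _levenshtein(a, b):
    # Classic edit distance, to catch one- or two-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'legit', 'shortener', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower()
    if host in LEGIT_HOSTS:
        return "legit"
    if host in SHORTENERS:
        return "shortener"
    for legit in LEGIT_HOSTS:
        # Same characters in a different order (googleapis -> googlesapi) or a few edits away.
        if Counter(host) == Counter(legit) or _levenshtein(host, legit) <= 2:
            return "lookalike"
    return "unknown"

def scan_post_content(html):
    """Return (verdict, host, url) for every suspicious URL in one post body."""
    findings = []
    for url in URL_RE.findall(html):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict in ("shortener", "lookalike"):
            findings.append((verdict, host, url))
    return findings

def scan_rows(rows):
    # rows: (ID, post_content) pairs, e.g. from SELECT ID, post_content FROM wp_posts
    return {pid: hits for pid, body in rows if (hits := scan_post_content(body))}

# Constructed sample rows standing in for wp_posts content; not real data.
SAMPLE_ROWS = [
    (1, '<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">'),
    (2, '<script src="https://is.gd/EXAMPLE"></script><script src="https://fonts.googlesapi.com/EXAMPLE"></script>'),
]
```

Run `scan_rows` over a dump of the posts table; any post that comes back with findings deserves a manual look, since a legitimate theme normally references Google Fonts directly rather than through a shortener.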

Another factor that plays in favor of this malicious domain is its apparently low usage: so far it has not been blacklisted by any partner company of VirusTotal, a platform that provides information on current security risks.

It was also detected that this malicious domain was trying to load malware from a previously reported domain (wordprssapi[.]com), known since 2017. This variant of malware is used to steal browsing cookies on websites that employ a specific marketing program.

Digital forensics specialists mention that, first of all, the malicious code checks whether a cookie named _utmzz already exists, using document.cookie.indexOf. It then makes sure that the visitor is not a common robot, such as Googlebot.

If the checks pass, the JavaScript sends the visitor's browser cookies to the malicious domain. It also sets a cookie with the name it checked for earlier, "_utmzz", which expires after 1 day.

According to the digital forensics specialists from the International Institute of Cyber Security (IICS), even if the fake domains found in this campaign were legitimate, sending cookies is always a warning sign for website owners, as these records should be considered personal information that should not be shared.

Using fake domains with characters similar to those of the legitimate domain is a very common attack variant, so it is recommended that website administrators exercise caution.
