Daily Archives: January 28, 2022

Chasing Down a Malware Network

Posted on by
3

A few days ago, I leveled a Horde frost mage to max level in World of Warcraft. Anyone familiar with the game knows exactly what happens next: the mad scramble to gear up a new Level 60 to be able to run mythics and raids, so that you can get even more loot to run higher-level mythics and raids…thus does the MMO hamster wheel go ’round and ’round.

So I did what every newly-minted level 60 does, of course: I turned to Google. My new 60 has a rather abysmal heirloom staff, so my first priority was finding the best way to loot better weapons.That’s when it started.Take a look, dear readers, at this Google search, and see if you can tell me what’s peculiar.

These results outstrip some of the most popular WoW sites on the Net, which is a bit peculiar itself…but more to the point, what are they doing on a site about pilates? And a German photography site? And why are they all called “untitled”?

Curious, and smelling something weird and sinister, I did what I always do when I see something that might be the tip of some kind of mass hack or compromise: I clicked on the links.

And each one of them bounced me back to a new Google page.Even more curious, I copy-pasted one of the links (after unmangling it, of course; damn you, Google, for mangling link URLs in your search links), and saw:

This is a “keyword stuff”—a page designed to appeal to Google, not to any human reader, simply by being crammed full of popular Google keywords and search phrases.

But look at the bottom of the page. It’s a bunch of randomly-generated three-character links.Curiouser and curiouser.Now well and truly engaged, cup of tea forgotten next to my keyboard, I logged out of WoW and fell down the rabbit hole.

Where do those links point? To other pages stuffed with keywords, of course.

This is how these results ranked so high in Google Search, above even well-regarded WoW sites like Icy Veins: Automated black hat SEO. Each page is populated with automatically-generated links to other pages also stuffed with keywords, which in turn point to still other pages stuffed with keywords…at least hundreds, possibly thousands, in all.

But why?The ‘why’ is suggested by some very peculiar behavior of these pages.

Continue reading