A few days ago, I leveled a Horde frost mage to max level in World of Warcraft. Anyone familiar with the game knows exactly what happens next: the mad scramble to gear up a new Level 60 to be able to run mythics and raids, so that you can get even more loot to run higher-level mythics and raids…thus does the MMO hamster wheel go ’round and ’round.
So I did what every newly-minted level 60 does, of course: I turned to Google. My new 60 has a rather abysmal heirloom staff, so my first priority was finding the best way to loot better weapons.
That’s when it started.
Take a look, dear readers, at this Google search, and see if you can tell me what’s peculiar.
These results outstrip some of the most popular WoW sites on the Net, which is a bit peculiar itself…but more to the point, what are they doing on a site about pilates? And a German photography site? And why are they all called “untitled”?
Curious, and smelling something weird and sinister, I did what I always do when I see something that might be the tip of some kind of mass hack or compromise: I clicked on the links.
And each one of them bounced me back to a new Google page.
Even more curious, I copy-pasted one of the links (after unmangling it, of course; damn you, Google, for mangling link URLs in your search links), and saw:
This is a “keyword stuff”—a page designed to appeal to Google, not to any human reader, simply by being crammed full of popular Google keywords and search phrases.
But look at the bottom of the page. It’s a bunch of randomly-generated three-character links.
Curiouser and curiouser.
Now well and truly engaged, cup of tea forgotten next to my keyboard, I logged out of WoW and fell down the rabbit hole.
Where do those links point? To other pages stuffed with keywords, of course.
This is how these results ranked so high in Google Search, above even well-regarded WoW sites like Icy Veins: Automated black hat SEO. Each page is populated with automatically-generated links to other pages also stuffed with keywords, which in turn point to still other pages stuffed with keywords…at least hundreds, possibly thousands, in all.
But why?
The ‘why’ is suggested by some very peculiar behavior of these pages.
So. Clicking on one of these links from Google bounces the user (me) back to Google. I was browsing from a Mac, so that’s quite common—malware droppers are frequently PC-specific, and will check the browser user-agent to see if it’s a Windows browser before sending it off to the payload site.
So I set my browser user-agent to Firefox for Windows and clicked the Google link again.
Still got bounced to Google.
Hmm, interesting.
What about the links at the bottom of the keyword-stuff pages?
I clicked on a few of them and was taken to other similar pages stuffed with Google keywords, so I started compiling a list, to get a sense of how big the network is, and to send to the Web hosts of the affected sites.
Then something even more peculiar happened.
One of the links bounced me through a whole chain of intermediaries to this:
This is, of course, a bog-standard malware dropper, that downloads malware disguised as an Adobe Flash player update.
Two things to notice here:
- This page is using Mac graphics and offering a Mac DMG file (I had reset my browser user-agent to a Mac browser at this point); and
- It didn’t happen with every link click.
I accepted the offered download. It downloaded a Mac disk image called “AdobeFlashPlayerInstaller.dmg” (SHA-256 hash be3b0172cd206a5196714def29dfdea1db6c6b97df009c484769db8e348d0f29) which VirusTotal identified as OSX.Bundlore:
The payload itself downloads from an Amazon S3 bucket. This one downloaded from a (now disabled) S3 bucket at
https://s3 (dot) amazonaws (dot) com/83171197-a8ce-4f88-b55a-cb1b1d3e64/k6h/33E4A3B6BB3677B313A2CF90257F93FC/c5rWf/sgWQ1F/23y2J/JRxq7yri
The people behind the malware place pages loaded with Google search terms and keywords on various sites. The sites link to other sites, which link to other sites, which link to other sites. Most of the time, if you follow those links, you end up at more pages full of keywords. Sometimes, if you follow those links, you end up at malware droppers, at least on a Mac browser.
But that raises a ton more questions:
- What happens if you visit from Windows browsers? Do you still get shuttled off to Mac malware droppers?
- What are the sites hosting these keyword pages?
I opened one of the keyword pages in a browser window with a Mac user agent and the same page in a window set to a Mozilla on Windows user agent and started clicking links.
One time out of every ten or so, apparently at random, the link will redirect to a page hosted at dec-info (dot) ro, then from there to
take-bestprize (dot) life/?u=fn7nu1c&o=m0gpe9l
and from there to
and from there to
then from there to a destination that depends on the browser’s user-agent.
If the browser’s user-agent is set to a Mac browser, the browser is taken to
update4soft (dot) hugetoupdatecentralreal (dot) work/san?b9zd1=ULKewl34Z_iGnbTwsZHd1fHOfjTuogdKsHUhAlll0gY.&cid=1a669fee-9a44-4724-a33b-2b2f45af8f3c&sub=l93450
The network also checks the browser referer string. If the referer header is blank or is anything except one of the redirectors in the malware network, the user is redirected to Avast.
If the referer string passes the check, the site tries to download Mac malware.
If the browser’s user-agent is set to Mozilla on Windows, Chrome on Windows, or Internet Explorer on Windows, the browser is taken to
play (dot) google (dot) com/store/apps/details?id=com.zhiliaoapp.musically&hl=en&gl=US
which is, rather curiously, the TikTok for Android app download.
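To make that kind of side-by-side comparison repeatable, here is an added example (my own code, not anything from the original post or from the network it describes) that requests a URL one hop at a time under different user-agent strings and referer policies and reports where each profile lands. The user-agent strings and every hostname in it are constructed placeholders. It only sees HTTP-level redirects: a hop that bounces with JavaScript or a meta refresh shows up as a 200 with no Location header and ends the trace.

```python
"""Trace an HTTP redirect chain under several browser profiles.

Added example, not code from the original post. Hostnames and user-agent
strings are constructed placeholders.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed user-agent strings; swap in whatever profiles you want to compare.
PROFILES = {
    "mac-firefox": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) "
                   "Gecko/20100101 Firefox/88.0",
    "win-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/90.0 Safari/537.36",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand every 3xx back to us instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers, timeout=10):
    """Issue exactly one request. Returns (status, Location header or None).

    Only HTTP-level redirects are visible here; a hop that redirects with
    JavaScript or a <meta refresh> comes back as 200 with no Location.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        return err.code, err.headers.get("Location")


def trace_chain(url, user_agent, referer="", referer_mode="chain",
                fetch=http_fetch, max_hops=15):
    """Follow Location headers by hand and return [(status, url), ...].

    referer_mode="chain" sends the previous hop's URL as Referer on each
    request, which is how a page-level redirect through intermediaries looks
    to the next site. "fixed" keeps the initial referer (possibly blank) on
    every hop, which is how a plain 3xx chain looks from a browser. A site
    that gates on Referer lands in different places under the two modes.
    """
    hops = []
    current, ref = url, referer
    for _ in range(max_hops):
        headers = {"User-Agent": user_agent}
        if ref:
            headers["Referer"] = ref
        status, location = fetch(current, headers)
        hops.append((status, current))
        if not (300 <= status < 400 and location):
            return hops  # landed on a page that did not redirect further
        nxt = urljoin(current, location)
        if referer_mode == "chain":
            ref = current
        current = nxt
    hops.append(("loop?", current))  # exceeded max_hops; probably cycling
    return hops


def compare_profiles(url, profiles=PROFILES, referer="", fetch=http_fetch):
    """Final landing URL per profile, so cloaked destinations stand out."""
    return {name: trace_chain(url, ua, referer, fetch=fetch)[-1][1]
            for name, ua in profiles.items()}


if __name__ == "__main__":
    import sys
    for name, landing in compare_profiles(sys.argv[1]).items():
        print(f"{name:12s} -> {landing}")
```

Run it from a disposable VM or sandbox, the way the author did, and diff the landing URLs between profiles: a site that sends Mac and Windows profiles to different destinations, or that only redirects when the Referer is one of its own intermediaries, is cloaking. The `fetch` parameter exists so the tracer can be exercised offline against a canned model of the behaviour instead of a live network.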
This I found especially curious; I rarely see a network this extensive that is dedicated solely to Mac malware. So I ran the experiment again from an actual Windows install in a disposable VM to see what would happen.
I used a Windows 10 VM with Chrome, both updated with all current security patches. The behavior from Windows was completely different from the behavior of a Mac browser with a Windows user-agent.
On Windows, clicking the links also redirects to other sites about 10% of the time. Specifically, a true Windows browser redirects to
https://a (dot) bestfaustcaptcha (dot) top/robot4_arrow/index.html?c=097e1524-18d1-49e0-8b6b-df5395fc1c2c&a=l93450#
and from there to
which prompts to allow browser alerts.
If you choose to allow notifications, you get—surprise!—a fake notification of a phony virus.
which then redirects via a fake antivirus popup through several intermediaries to
https://rapidlinkmc2 (dot) club/ewCpA/mc/rd23/?isp=CenturyLink&ip=126.96.36.199&g=us&city=Pasco&browser=Chrome&os=Windows&trk=WXpKc05HUklTbkpNYlU1MllsRTlQUT09&tsid=4&lpkey=168043d643b6083316&lng=en&t1=281692&t2=US&uclick=h9twxoh93y&uclickhash=h9twxoh93y-h9twxoh93y-gmb4-0-qd-lpj2-bzd5-448683#
which in turn redirects through several more intermediaries, including
https://followlink (dot) click/nlp/index.php?a=2402&c=43954&s2=d23bch9twxolpi4c58&s4=30&url_bnm_redirect=https%3A%2F%2Fdoneonline.xyz%2F
to
https://surfshark (dot) com/deals?coupon=surfsharkdeal&transaction_id=1027b5d2a03e441f71613d35fd82bd&offer_id=849&affiliate_id=4912&source=&aff_sub=2402&utm_source=Affiliates&utm_medium=4912&utm_campaign=affiliate&recurring_goal_id=844
which tries to bill about $50 for a VPN subscription.
There’s a lot, and I do mean a lot, of behind-the-scenes examination of the browser referrer, user-agent, machine-specific fingerprinting, and other stuff going on. The machine fingerprinting is especially fascinating; this network is way more sophisticated than other similar malware distributors I’ve seen in the past, which only choose payloads based on user-agent.
Microsoft Edge on Windows behaves the same way.
The network behavior has changed between when I first discovered it three days ago and now. Three days ago, using a Windows user-agent attempted an executable download, which sadly I blocked reflexively. I kinda wish I hadn’t, because I haven’t been able to poke the network into doing that again. I don’t know if it’s doing IP logging or if the network behavior’s been changed.
Also, as of the moment of writing this, Google has cleaned up its search results. Doing the same search that produced all these fake keyword sites no longer does so, meaning someone at Google is on the ball.
The operators of the network are fast to respond. Two days ago, I sent Amazon a notice that Mac malware was being downloaded from an S3 bucket. Yesterday, they disabled it. Today, the Mac malware is being downloaded from a different S3 bucket at
https://s3 (dot) amazonaws (dot) com/67477bf8-74bc-4c1/PpJAkSj/8B303791CC2B19C0B2A94CAC5809C308
I compiled a list of several hundred Web sites stuffed with these keywords. Each one contains 20 links to other such pages. I copy-pasted each of those 20 links, then chose one at random and visited it, then copy-pasted its 20 links, then chose one at random, then copy-pasted its 20 links. I did this a total of 16 times, and put together a text file with 16 pages times 20 links per page = 320 keyword-stuffed pages.
Note that some of the domains are in Cyrillic, so if you see some garbage, keep in mind this text file’s encoding is Unicode (UTF-8) with Unix line endings.
Some domains appear more than once. I believe these links to be randomly generated. Someone with better math skills than mine can probably look at this file and use Bayesian analysis to make a guess as to how many Web sites are in the network; my gut says thousands.
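As an added worked example of the estimate the author is asking for (my code and constructed data, not the author’s file or the real network), the block below extracts the link hosts from keyword pages and turns the count of repeated hosts into a population estimate. The model assumes each of the 20 links on a page is an independent uniform draw from the whole network, so the number of distinct hosts D among n draws has expectation E[D] = N(1 - (1 - 1/N)^n); solving that for N is a method-of-moments estimate, a simpler cousin of the Bayesian approach the author mentions. Every hostname in it is a placeholder.

```python
"""Estimate the size of a link network from duplicate hosts in a sample.

Added example; the estimator and the sample page are mine, not the post
author's, and every hostname is a constructed placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _HrefCollector(HTMLParser):
    """Pull every <a href> out of a page; the keyword pages carry ~20 each."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def extract_link_hosts(html):
    """Return the host of every absolute link on the page, lower-cased.

    Relative links have no host and are dropped: they stay on the same site
    and tell us nothing about how many other sites exist.
    """
    parser = _HrefCollector()
    parser.feed(html)
    hosts = (urlparse(h).hostname for h in parser.hrefs)
    return [h.lower() for h in hosts if h]


def summarize_sample(pages_html):
    """(total links, distinct hosts) across a set of captured keyword pages."""
    hosts = [h for page in pages_html for h in extract_link_hosts(page)]
    return len(hosts), len(set(hosts))


def expected_distinct(population, draws):
    """E[# distinct] when `draws` hosts are picked uniformly, with
    replacement, from `population` sites: N * (1 - (1 - 1/N)^n)."""
    return population * (1 - (1 - 1 / population) ** draws)


def estimate_network_size(draws, distinct):
    """Invert expected_distinct by bisection (method-of-moments estimate).

    Assumes every link is an independent uniform draw from the whole
    network, which is what 'randomly generated' links would imply. Returns
    None when no host repeated: the sample then only says 'more than
    `draws` sites', and the equation has no finite solution.
    """
    if distinct >= draws:
        return None
    # E[D] grows with N, from below `distinct` at N=distinct up towards `draws`.
    lo, hi = float(distinct), 10.0 * draws ** 2
    while hi - lo > 0.01:
        mid = (lo + hi) / 2
        if expected_distinct(mid, draws) < distinct:
            lo = mid
        else:
            hi = mid
    return round((lo + hi) / 2)


# Constructed stand-in for one captured keyword page (real pages have ~20 links).
SAMPLE_PAGE = """<html><body><p>best weapons level 60 mage guide loot</p>
<a href="https://alpha-site.example/k7q">k7q</a>
<a href="https://beta-site.example/x2m">x2m</a>
<a href="https://ALPHA-site.example/p9z">p9z</a>
<a href="/local">local</a>
</body></html>"""

if __name__ == "__main__":
    n, d = summarize_sample([SAMPLE_PAGE])
    print(f"sample: {n} links, {d} distinct hosts -> ~{estimate_network_size(n, d)} sites")
    # The author's walk: 16 pages x 20 links = 320 draws. 300 distinct is an
    # assumed figure for illustration; the real count lives in the text file.
    print(f"320 draws, 300 distinct -> ~{estimate_network_size(320, 300)} sites")
```

Plugging in the author’s numbers, 320 links with, say, 300 distinct hosts (an assumed figure, since the file is not reproduced here) gives roughly 2,450 sites, in line with the “thousands” guess; with no repeats at all the estimator returns None, because the sample then only bounds the network from below. The estimate leans on the uniformity assumption: if the link generator favours some domains, duplicates are over-represented and the real network is larger than the estimate.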
So what are these sites?
A lot of them are WordPress sites running insecure or outdated WordPress installs. I use WordPress myself, but man, it is a blight on the Internet and a menace to network security. (If you’re reading this and you run WordPress, please, at a minimum, turn on automatic updates everywhere and install WordFence!)
When I first started looking at this network, I reported the sites as I found them to the Web hosts’ abuse reporting addresses. I’ve since stopped doing that because there are so many. A lot of the sites I saw (about 20% or so) were hosted on Hostgator, making me afraid that Hostgator had suffered a breach of some kind, though I now believe that was a statistical artifact.
Not all the sites are WordPress. Some simply appear to be poorly secured with weak FTP or Web front-end passwords.
This should, I hope, drive home an important point: Just because your Web site is obscure and gets no traffic doesn’t mean you don’t have to worry about security! These site compromises were done with automated tools, and any site, large or small, can be corralled into a network that can be used for ill. Use strong passwords. Secure your sites. Yes, you.