Malware authors (AKA the criminals or the bad guys) use many advanced techniques to hide their activity: encoding, encryption, automatically generated random domains, conditional redirection and many other interesting methods.
Alongside all these advanced options, they also use simple tricks to make the end user believe that a malicious domain belongs to a legitimate organization. Lately, the organization of choice seems to be Google.
What do you think a user will think when they see the following code on their site:
<iframe src="http://google-adsens.com/in.cgi?2"…
Yes, they will think it is the Google AdSense code and not worry too much about it. However, that domain does not belong to Google. It was registered just a few months ago:
Domain Name: GOOGLE-ADSENS.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.GOOGLE-ADSENS.COM
Name Server: NS2.GOOGLE-ADSENS.COM
Updated Date: 12-mar-2012
Creation Date: 21-feb-2012
Registrant Contact:
PatrosInc
Elisabeth Defeo atrabaja@peru.com
609981987 fax: 609981987
Camino Real, 40
Bedia Bedia 48390
es
It is being used to distribute malware. The same applies to mygooglemy.com, a domain registered two months ago that is also being used to distribute malware (currently redirecting users to pokosa.com). According to Google, it has infected around 1,500 different sites:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1415 domain(s), including socialnojornalismo.com.br/, izzalini.org/, lullaby-land.com/.
Those are just a couple of examples. We often see domains pretending to be affiliated with Google, Opera, MSN and others:
operabwo.ru
mygooglemy.com
google-adsens.com
goooogle.osa.pl
googleapi15.ru
google-update.ikwb.com
googleys.ru
www.whygooglewhy.com
googletest.ipq.co
www.google-sales.com
operaupdatenow.in
opera65.com
msnupdateserver.info
firefoxstabs.com
wordpressmuhelp.com
So, next time you see a site like www.google-sales.com loading in your browser, make sure it is really a legitimate domain and not just one that contains a familiar brand name. If in doubt, scan it on SiteCheck or run a whois on the domain to see who registered it, and when.
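As an added check (example code written for this post, not code from the original article or from any Sucuri tool), the following Python script pulls iframe sources out of a page fragment and flags hostnames that contain one of the brand names listed above without actually belonging to that brand's real domains. The allow-list in `BRAND_DOMAINS`, the constructed sample HTML and the function names are the example's own assumptions; the only page data it reuses are the look-alike domains from the list above.

```python
import re
from urllib.parse import urlparse

# Brands the post says are impersonated, mapped to registrable domains that
# really belong to them. This allow-list is an assumption of the example, not
# something taken from the post; in production, maintain it from each vendor's
# own documentation, because any legitimate domain missing here is flagged.
BRAND_DOMAINS = {
    "google": {"google.com", "googleapis.com", "googlesyndication.com"},
    "opera": {"opera.com"},
    "msn": {"msn.com"},
    "firefox": {"mozilla.org", "firefox.com"},
    "wordpress": {"wordpress.com", "wordpress.org"},
}

# Matches the src attribute of an <iframe> tag, single- or double-quoted.
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed sample fragment modelled on the iframe quoted in the post;
# the surrounding markup and attributes are placeholders, not captured data.
SAMPLE_HTML = (
    '<p>Welcome</p>'
    '<iframe src="http://google-adsens.com/in.cgi?2" width="1" height="1"></iframe>'
)


def iframe_sources(html: str) -> list:
    """Return every iframe src URL found in the HTML fragment."""
    return IFRAME_SRC.findall(html)


def _squeeze(s: str) -> str:
    """Collapse runs of a repeated character so 'goooogle' compares equal to 'google'."""
    return re.sub(r"(.)\1+", r"\1", s)


def hostname_of(target: str) -> str:
    """Return the lower-cased hostname of a URL or a bare domain name."""
    target = target.strip().lower()
    if "://" not in target:
        target = "http://" + target  # urlparse needs a scheme to see a netloc
    return (urlparse(target).hostname or "").rstrip(".")


def is_legit(host: str, brand: str) -> bool:
    """True only if host is one of the brand's own domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def classify(target: str) -> tuple:
    """Return (hostname, brand, verdict) with verdict 'legit', 'lookalike' or 'unrelated'.

    A host is a look-alike when any DNS label contains a brand name (with
    repeated letters collapsed) but the host does not end in a real brand domain.
    This catches brand names in subdomains too, e.g. goooogle.osa.pl.
    """
    host = hostname_of(target)
    labels = host.split(".")
    for brand in BRAND_DOMAINS:
        if is_legit(host, brand):
            return host, brand, "legit"
        if any(_squeeze(brand) in _squeeze(label) for label in labels):
            return host, brand, "lookalike"
    return host, None, "unrelated"


if __name__ == "__main__":
    for src in iframe_sources(SAMPLE_HTML):
        print("iframe ->", classify(src))
    # Domains from the post's list, plus a real Google host for contrast.
    for d in ["www.google.com", "goooogle.osa.pl", "google-update.ikwb.com",
              "operaupdatenow.in", "wordpressmuhelp.com", "pokosa.com"]:
        print(d, "->", classify(d)[2])
```

The squeezing step is what lets "goooogle" match "google"; the suffix test against the allow-list is what keeps a subdomain such as www.google.com from being flagged while still catching google.com.attacker.example, since that host does not end in a real brand domain.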