Malware authors (AKA the criminals or the bad guys) use many advanced techniques to hide their activities: encoding, encryption, auto-generated random domains, conditional redirections and many other interesting methods.
In the middle of all these advanced options, they also use simple techniques to trick the end user into thinking that a malicious domain belongs to a legitimate organization. As of late, the organization usually chosen seems to be Google.
What will a user think when they see the following code on their site:
Yes, they will think it is the Google AdSense code and not worry too much about it. However, that domain is not from Google. It was registered just a few months ago:
Domain Name: GOOGLE-ADSENS.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.GOOGLE-ADSENS.COM
Name Server: NS2.GOOGLE-ADSENS.COM
Updated Date: 12-mar-2012
Creation Date: 21-feb-2012
Elisabeth Defeo firstname.lastname@example.org
609981987 fax: 609981987
Camino Real, 40
Bedia Bedia 48390
It is being used to distribute malware. The same applies to mygooglemy.com, a domain registered two months ago that is also being used to distribute malware (currently redirecting users to pokosa.com). And according to Google, it has infected around 1500 different sites:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1415 domain(s), including socialnojornalismo.com.br/, izzalini.org/, lullaby-land.com/.
Those are just a couple of examples. We often see domains pretending to be affiliated with Google, Opera, MSN and others:
So, next time you see a site like www.google-sales.com loading in your browser, make sure it really is a legitimate domain. If in doubt, scan it on SiteCheck or run a whois on the domain to see who registered it and when.
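A defender-side version of that check, as an added example that is not part of the original post: it lists the script and iframe includes on a page whose hostname carries a brand name but is not on a small allowlist of known-good hosts (the allowlist is an assumption, not a complete one), and reads the creation date out of whois output in the format shown above to report how young the domain is. The sample page and whois excerpt are constructed.

```python
import re
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve Google scripts; extend it
# from your own inventory of known-good third-party includes.
LEGIT_HOSTS = {"pagead2.googlesyndication.com", "www.google-analytics.com",
               "www.googletagmanager.com", "www.gstatic.com"}
# Brand names that lookalike domains commonly borrow (from the post above).
BRANDS = ("google", "adsense", "opera", "msn")


class IncludeParser(HTMLParser):
    """Collect the hostname of every absolute <script src> / <iframe src>."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag in ("script", "iframe") else None
        if src and "//" in src:            # relative srcs are same-origin; skip
            host = urlparse(src).hostname
            if host:
                self.hosts.append(host.lower())


def lookalike_hosts(html):
    """Hosts that contain a brand name but are not on the allowlist."""
    p = IncludeParser()
    p.feed(html)
    return sorted({h for h in p.hosts
                   if any(b in h for b in BRANDS) and h not in LEGIT_HOSTS})


def domain_age_days(whois_text, today_iso):
    """Parse 'Creation Date: 21-feb-2012' from whois output; None if absent."""
    m = re.search(r"Creation Date:\s*(\d{1,2}-[a-z]{3}-\d{4})", whois_text, re.I)
    if not m:
        return None
    created = datetime.strptime(m.group(1).lower(), "%d-%b-%Y")
    return (datetime.strptime(today_iso, "%Y-%m-%d") - created).days


# Constructed sample page: one real AdSense include and one lookalike.
SAMPLE_HTML = """<html><body>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<script src="http://google-adsens.com/pagead/show_ads.js"></script>
</body></html>"""
# Constructed whois excerpt in the same layout as the record above.
SAMPLE_WHOIS = "Domain Name: GOOGLE-ADSENS.COM\nCreation Date: 21-feb-2012\n"

if __name__ == "__main__":
    for h in lookalike_hosts(SAMPLE_HTML):
        print(f"suspicious include: {h}, domain registered "
              f"{domain_age_days(SAMPLE_WHOIS, '2012-04-01')} days ago")
```

A domain that trips the brand check and is only weeks old is worth blocking pending a closer look; a host on the allowlist is skipped even if it contains the brand name.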