Your website is a huge part of your brand reputation. It serves as a place to build your audience and helps you get noticed by new visitors from search engines. You spend time working hard to build authority and trustworthiness. When your pages rank high enough, you may find yourself with a whole new set of challenges. Spammers have no problem plagiarizing your original content for malicious purposes.
Our marketing team monitors mentions of Sucuri on the Internet. One day they notified us about a Google Alert linking to a suspicious Google Doc:
Scraped Spam Inside Google Doc
The document was outright spammy and had three pages. Two of them consisted of random sentences about security that appeared to be scraped from the titles and descriptions of various search results pages.
On the first page, there was a small, low-quality screenshot of the Sucuri SiteCheck page (also taken from Google Image search results), featuring prominent “Download Now” links.
Redirects on Redirects
The Download Now links take the visitor on a lengthy redirect path.
The clicked link first resolves to a Google App Engine URL:
- hxxp://pivwin2 .appspot . com/dn?k=Software+to+scan+website+for+malware
which in turn redirects to a second App Engine application:
- hxxp://tmpslv2 . appspot . com/hello?k=Software%20to%20scan%20website%20for%20malware
Then it hops to another domain, still retaining the keyword string:
- hxxp://www.mypromediastoretwo . com/02000/download.php?id=2000&name=Software%20to%20scan%20website%20for%20malware
From there it waits for 5 seconds before it redirects to an affiliate link:
- hxxp://www .download-genius . com/download-k:Software-To-Scan-Website-For-Malware.html?aff.id=5929&aff.subid=2000
This redirects to a final site which requires registration in order to “download” anything:
- hxxp://superior-download . com
That’s complicated, isn’t it?
User Agent Matters
Things get even more complex when you begin to play with the browser User-Agent string. The redirect chain above is what I observed in Firefox on Mac.
If I use Internet Explorer on Windows then I get the following:
- hxxp://pivwin2 .appspot.com/dn?k=Software+to+scan+website+for+malware
- 302 -> hxxp://tmpslv2 .appspot .com/hello?k=Software%20to%20scan%20website%20for%20malware
- 302 -> hxxp://www .mypromediastoretwo .com/02000/download.php?id=2000&name=Software%20to%20scan%20website%20for%20malware
- Automatic download of “Software To Scan Website For M Downloader.rar” from hxxp://mymediadownloadstwentyfive . com/?dmV…skipped_long_string
Here’s the VirusTotal analysis of the downloaded file – Detection rate: 6/54.
Malware signatures like “AdWare.Amonetize” give us an idea of what sort of badness we downloaded.
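To make the hop-by-hop behaviour described above reproducible, here is an added example (not code from the original post or from Sucuri) of a small redirect tracer: it never lets the HTTP library auto-follow redirects, records the status of every intermediate URL, traces the chain separately per User-Agent, and stops as soon as a response turns into a file download. The hostnames and paths in the fixture (redirector1.example, mediastore.example and so on) are constructed placeholders standing in for the defanged chain above, not real sites; live_fetch is the real fetcher for use from an isolated analysis box, while fake_fetch replays the fixture offline. Modelling the 5-second wait as an HTTP Refresh header is an assumption, since the real page may have used a meta refresh or JavaScript.

```python
"""Hop-by-hop redirect tracer (added example, not code from the original post).

Each hop is fetched once with redirects disabled, so the status code and the
headers of every intermediate URL are recorded, and the chain is traced
separately per User-Agent. The FAKE fixture is constructed: its hosts
(redirector1.example, mediastore.example, ...) are placeholders modelled on
the defanged chain in the post, not real sites.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

MAX_HOPS = 10


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, user_agent):
    """Fetch a single hop with the given User-Agent; returns (status, headers)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 3xx lands here because of NoRedirect
        return err.code, dict(err.headers.items())


def trace(start_url, user_agent, fetch=live_fetch, max_hops=MAX_HOPS):
    """Return [(url, status, note), ...] up to the first non-redirect response,
    a file download (Content-Disposition: attachment), or the hop budget."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, raw_headers = fetch(url, user_agent)
        headers = {k.lower(): v for k, v in raw_headers.items()}
        disposition = headers.get("content-disposition", "")
        if "attachment" in disposition.lower():
            hops.append((url, status, "download: " + disposition))
            return hops
        if 300 <= status < 400 and "location" in headers:
            hops.append((url, status, "redirect"))
            url = urljoin(url, headers["location"])
            continue
        refresh = headers.get("refresh", "")  # timed redirect, e.g. "5; url=..."
        if "url=" in refresh.lower():
            delay, target = refresh.split(";", 1)
            hops.append((url, status, f"refresh after {delay.strip()}s"))
            url = urljoin(url, target.split("=", 1)[1].strip())
            continue
        hops.append((url, status, "final"))
        return hops
    hops.append((url, None, "hop limit reached (loop?)"))
    return hops


# Constructed fixture keyed by URL, then by browser family, so the chain forks
# on the User-Agent the way the post describes (page for Mac, file for Windows).
FAKE = {
    "http://redirector1.example/dn?k=scan": {
        "any": (302, {"Location": "http://redirector2.example/hello?k=scan"})},
    "http://redirector2.example/hello?k=scan": {
        "any": (302, {"Location": "http://mediastore.example/download.php?id=2000"})},
    "http://mediastore.example/download.php?id=2000": {
        "windows": (200, {"Content-Type": "application/octet-stream",
                          "Content-Disposition": 'attachment; filename="Downloader.rar"'}),
        "any": (200, {"Content-Type": "text/html",
                      "Refresh": "5; url=http://affiliate.example/download.html?aff.id=1"})},
    "http://affiliate.example/download.html?aff.id=1": {
        "any": (302, {"Location": "http://final.example/"})},
    "http://final.example/": {"any": (200, {"Content-Type": "text/html"})},
    "http://loop.example/": {"any": (302, {"Location": "http://loop.example/"})},
}

FIREFOX_MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0"
IE_WINDOWS_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"


def fake_fetch(url, user_agent):
    """Offline stand-in for live_fetch that replays the constructed fixture."""
    family = "windows" if "Windows" in user_agent else "any"
    variants = FAKE[url]
    return variants.get(family, variants["any"])


if __name__ == "__main__":
    for ua in (FIREFOX_MAC_UA, IE_WINDOWS_UA):
        print(ua)
        for url, status, note in trace("http://redirector1.example/dn?k=scan", ua, fetch=fake_fetch):
            print(f"  {status}  {note:<28} {url}")
```

Swap fake_fetch for live_fetch to trace a real chain; the hop limit is what keeps a self-referencing redirector from hanging the tracer, and the Content-Disposition check is what tells you that the Windows branch ends in a file rather than a page.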
So let’s unfurl and analyze these redirect chains.
Download-Genius and Media Klondike
Let’s start with download-genius and superior-download.
These websites claim to let you download whatever you are searching for, even if it doesn’t exist (e.g. “oscar winning movies 2018”). Fake stats and testimonials don’t add any credibility to their scammy claims.
I managed to find a download-genius page with real “download” links. The “main” link was for download5-cdn .com and the “mirror” link for letshareus .com. After another series of redirects, both of them pushed a download for the exact same file. This file was detected as malicious by 8 antivirus programs. Again “AdWare.Amonetize”. I’m not surprised.
According to the links, these sites are affiliates of “MediaKlondike”:
Media Klondike v2.0 is a new version of an affiliate program. You will be paid a commission for each order you refer to our sites, which offer your visitors a huge database of movies, music, games, tv shows, etc.
The affiliate program has the following terms:
Adult traffic or spam of any kind are strictly prohibited. Traffic should be real, no bots or fake purchases allowed.
It seems these are only words…
Media Search Sites
The download-genius and superior-download sites hide their real address behind a firewall. Some other sites, like www .mypromediastoretwo .com (91 .226 .32. 97) or mymediadownloadstwentyfive . com (95. 211. 148 .47), do reveal their real IP addresses.
If you start checking other sites on those IPs, all of them appear to be the same “Media Search” and “Free Download” sites that provide malicious links for just about any search query.
Download Scam Networks
A bit more searching revealed more servers like these.
Just some of the domains:
...and many more
It’s easy to notice that this gang uses the same technique to create unique domain names. They add different numbers at the end of existing domains. For example, they have the following domains:
- www .mymediasearchnow .com
- www .mymediasearchnowone .com
- www .mymediasearchnowtwo .com
They registered all the domains mymediadownloadsone .com through mymediadownloadsthirtyfive .com and rotate them to minimize risks of blacklisting. At the moment of writing mymediadownloadstwentyfive .com was active.
As with the media search sites, these spammy sites typically occupy whole servers on certain IP addresses:
Here are some examples of the spam sites:
It’s easy to spot several patterns in the domain names of the spammy sites:
- Newly registered expired domains of real Russian sites, e.g. correalty . ru or tomskytools .ru.
- Low quality .tk domains registered around 2012-2013 like bakutourism .tk or kaspi .tk.
- Completely random short .cf domain names like fyoaqe .cf or acsdw .cf.
- Artificial gibberish words on .science domains like stanateaspos .science or anuracmo .science
Google App Engine Redirectors
Now let’s return to the links in the spammy Google Docs document.
pivwin2 .appspot . com / tmpslv2 .appspot.com was not the only pair of Google App Engine applications that redirected people to the fake media download sites.
If we conduct this search [site:docs.google.com “Download Now”] we’ll find many more Google documents created by this campaign. Their links use various other appspot.com subdomains (App Engine application ids). It’s easy to notice that they all have numbers at the end: pivwin2, ghpnc9, ccorst5, etc. Moreover, there are ids for every number 1 through 12, and the campaign can use any of them interchangeably:
- ccorst1 .appspot .com through ccorst12. appspot .com
- dndbinn1 .appspot .com through dndbinn12. appspot .com
- dnmake1 .appspot .com through dnmake12. appspot .com
- frdxin1 .appspot .com through frdxin12. appspot .com
- ghpnc1 .appspot .com through ghpnc12. appspot .com
- ipowmax1 .appspot .com through ipowmax12. appspot .com
- jotjdn1 .appspot .com through jotjdn12. appspot .com
They all redirect to tmpslv2 .appspot .com, but it is also possible to use tmpslv1 .appspot .com and tmpslv3. appspot .com as the second level redirectors.
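The numbered-domain pattern in the two lists above (mymediasearchnow with its -one and -two siblings, mymediadownloadsone through mymediadownloadsthirtyfive, ccorst1 through ccorst12) is something a defender can turn into a detection: collapse any observed hostname to its family by stripping the trailing number word or digits, so that a rotated domain still matches the same blocklist entry, and expand a known family into the full candidate set for proactive blocking. The following is an added example, not code from the original post or from Sucuri’s tooling. The family names are taken from the defanged examples on this page; the expanded hostnames are derived from the pattern rather than confirmed as live. Spelled-out numbers are written as one word without hyphens, as in the observed domains, which is an assumption for numbers beyond the range the post shows.

```python
"""Expand and recognise the numbered-domain rotation pattern.

Added example, not code from the original post. Family names (mymediadownloads,
mymediasearchnow, ccorst) come from the post's defanged examples; everything
expand_family() produces is derived from the pattern, not a confirmed domain.
"""
import re

ONES = ["", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine"]
TEENS = ["ten", "eleven", "twelve", "thirteen", "fourteen", "fifteen",
         "sixteen", "seventeen", "eighteen", "nineteen"]
TENS = ["", "", "twenty", "thirty", "forty", "fifty", "sixty", "seventy", "eighty", "ninety"]


def number_word(n):
    """1 -> 'one', 25 -> 'twentyfive' (no hyphen, as in the observed domains)."""
    if not 1 <= n <= 99:
        raise ValueError("only 1..99 supported")
    if n < 10:
        return ONES[n]
    if n < 20:
        return TEENS[n - 10]
    return TENS[n // 10] + ONES[n % 10]


def expand_family(base, tld, first, last, style):
    """Candidate hostnames base + suffix + tld for first..last inclusive.
    style is 'word' (mymediadownloadstwentyfive) or 'digit' (ccorst12);
    index 0, if requested, yields the bare base (mymediasearchnow alongside
    mymediasearchnowone)."""
    hosts = []
    for n in range(first, last + 1):
        suffix = "" if n == 0 else (number_word(n) if style == "word" else str(n))
        hosts.append(f"{base}{suffix}.{tld}")
    return hosts


_WORD_TO_NUM = {number_word(i): i for i in range(1, 100)}
# Longest alternatives first so 'twentyfive' is tried before 'five'.
_WORDS = sorted(_WORD_TO_NUM, key=len, reverse=True)
_SUFFIX_RE = re.compile(r"^(?P<base>[a-z]+?)(?P<suffix>" + "|".join(_WORDS) + r"|\d+)?$")


def domain_family(hostname):
    """Map a hostname to (family, index): the registrable label with any
    trailing number word or digit run removed, plus that number (or None).
    Labels containing digits or hyphens in the middle are left untouched."""
    labels = hostname.lower().strip(".").split(".")
    if labels[0] == "www":
        labels = labels[1:]
    label, rest = labels[0], ".".join(labels[1:])
    m = _SUFFIX_RE.match(label)
    if not m or not m.group("suffix"):
        return f"{label}.{rest}", None
    suffix = m.group("suffix")
    index = int(suffix) if suffix.isdigit() else _WORD_TO_NUM[suffix]
    return f"{m.group('base')}.{rest}", index


def group_by_family(hostnames):
    """Collapse observed hostnames into {family: sorted indices seen}, which
    is the shape a rotation-aware blocklist or alert rule wants."""
    groups = {}
    for host in hostnames:
        family, index = domain_family(host)
        groups.setdefault(family, set())
        if index is not None:
            groups[family].add(index)
    return {family: sorted(idx) for family, idx in groups.items()}


if __name__ == "__main__":
    # Constructed sample of hosts shaped like the ones in the post.
    seen = ["pivwin2.appspot.com", "ghpnc9.appspot.com", "ccorst5.appspot.com",
            "www.mymediasearchnowtwo.com", "mymediadownloadstwentyfive.com", "tomskytools.ru"]
    for family, indices in group_by_family(seen).items():
        print(f"{family:<32} {indices}")
    print(expand_family("ccorst", "appspot.com", 1, 12, "digit"))
```

Because the suffix match is anchored at the end of the label, an ordinary word that happens to end in a number word (kitten, often) would be split too; if that matters for your data, require at least one observed sibling before treating a family as a rotation set rather than a single domain.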
Fighting against “Unwanted Software”
Various types of “unwanted software” have become so widespread lately that Google began to actively fight against them about a year ago. The “media search/download” network described here fits perfectly into Google’s definition of UwS. Even without installing the downloaded files, we can see that the sites leverage “bad software downloader practices” and that the “media” they offer for download has the following characteristics:
- It is deceptive, promising a value proposition that it does not meet.
- It tries to trick users into installing it or it piggybacks on the installation of another program.
- It doesn’t tell the user about all of its principal and significant functions.
Ironically, this very UwS campaign actively uses several of Google’s own resources to distribute malware:
- Poisoned search results
- Spammy Google Docs documents
- Spammy redirectors on Google App Engine.
Of course, it’s not the only such campaign, nor the most elaborate. But it helps us unmask the tactics employed by such campaigns. We hope that raising awareness can help us all better understand and eliminate such things more efficiently.
In companies like Sucuri, even routine business procedures may result in serious security investigations. This time a signal from our marketing department helped us uncover a whole multi-level network of sites that distribute unwanted software.