Fake Media Download Sites

Your website is a huge part of your brand reputation. It serves as a place to build your audience and helps you get noticed by new visitors from search engines. You spend time working hard to build authority and trustworthiness. When your pages rank high enough, you may find yourself with a whole new set of challenges. Spammers have no problem plagiarizing your original content for malicious purposes.

Our marketing team monitors mentions of Sucuri on the Internet. One day they notified us about a Google Alert linking to a suspicious Google Doc:

Suspicious result in Google Alerts
Suspicious result in Google Alerts

Scraped Spam Inside Google Doc

The document was outright spammy and had three pages. Two of them consisted of random sentences about security that appeared to be scraped from the Title and Descriptions from various search results pages.

On the first page, there was a small low quality screenshot of the Sucuri SiteCheck page (also taken from Google image search results) featuring prominent “Download Now” links.

Malicious Google Doc
Malicious Google Doc

Redirects on Redirects

The Download Now links take the visitor on an lengthy redirect path.

The clicked link first resolves to a Google App Engine URL:

  • hxxp://pivwin2 .appspot . com/dn?k=Software+to+scan+website+for+malware,

Which in turn redirects it to another subdomain:

  • hxxp://tmpslv2 . appspot . com/hello?k=Software%20to%20scan%20website%20for%20malware,

Then it hops to another domain, still retaining the keyword string:

  • hxxp://www.mypromediastoretwo . com/02000/download.php?id=2000&name=Software%20to%20scan%20website%20for%20malware,

From there it waits for 5 seconds before it redirects to an affiliate link:

  • hxxp://www .download-genius . com/download-k:Software-To-Scan-Website-For-Malware.html?aff.id=5929&aff.subid=2000

This redirects to a final site which requires registration in order to “download” anything:

  • hxxp://superior-download . com

That’s complicated, isn’t it?

 

User Agent Matters

The things get even more complex when you begin to play with the browser User Agent string. The above redirect chain is what I observed in Firefox on Mac.

If I use Internet Explorer on Windows then I get the following:

  1. hxxp://pivwin2 .appspot.com/dn?k=Software+to+scan+website+for+malware
  2. 302-> hxxp://tmpslv2 .appspot .com/hello?k=Software%20to%20scan%20website%20for%20malware
  3. 302 -> hxxp://www .mypromediastoretwo .com/02000/download.php?id=2000&name=Software%20to%20scan%20website%20for%20malware
  4. Automatic download of “Software To Scan Website For M Downloader.rar” from hxxp://mymediadownloadstwentyfive . com/?dmV…skipped_long_string

Here’s the VirusTotal analysis of the downloaded file – Detection rate: 6/54.

Malware signatures like “AdWare.Amonetize” give us an idea of what sort of badness we downloaded.

So let’s unfurl and analyze these redirect chains.

Download-Genious and Media Klondike

Let’s start with download-genious and superior-download.

These websites claim to let you download whatever you are searching for even if it doesn’t exist (e.g. “oscar winning movies 2018″). Fake stats and testimonials don’t add any more credibility to their scammy claims.

I managed to find a download-genius page with real “download” links. The “main” link was for download5-cdn .com and the “mirror” link for letshareus .com After another series of redirects both of them pushed a download for the exact same file. This file was detected as malicious by 8 antiviruses programs. Again “AdWare.Amonetize“. I’m not surprised.

Accourding to the links, these sites are affiliates of “MediaKlondike”:

Media Klondike v2.0 is a new version of an affiliate program. You will be paid a commission for each order you refer to our sites, which offer your visitors a huge database of movies, music, games, tv shows, etc.

The affiliate program has the following terms:

Adult traffic or spam of any kind are strictly prohibited. Traffic should be real, no bots or fake purchases allowed.

It seems to be only words…

Media Search Sites

The download-genious and superior-download sites hide their real address behind a firewall. Some other sites like www .mypromediastoretwo .com (91 .226 .32. 97) or mymediadownloadstwentyfive . com (95. 211. 148 .47) do reveal their real IP addresses.

If you start checking other sites on those IPs, all of them appear to be the same “Media Search” and “Free Download” sites that provide malicious links for just about any search query.

Fake Media Search site
Fake Media Search site

 

Download Scam Networks

A bit more searching revealed more servers like these.

91.226.32.97
91.226.32.96
91.226.32.95
91.226.32.94
91.226.32.22
91.226.33.75
91.226.33.76
91.226.33.77
95.211.148.47
195.226.218.218
5.61.32.34
213.174.130.176

Just some of the domains:

allfilesdownload .us
androidepisode .com
bestbooksfiles .com
greataudiosdownloads .com
greatvideosdownloads .com
mediasearchdirect .com
mfileshare .com
morenewmedianow .com
mydigitalfinderone .com
newfastmediasearcher .com
onlinebooksfiles .com
promediasearch .com
starmediasearcher .com
saveclip .net
urlmediafiles .com
worldbooksdownloads .com
yourfreemediadownloads .com
yournetmediastore .com
yourpromptdownloader.com
yoursoftwareplace .com
...and many more

It’s easy to notice that this gang uses the same technique to create unique domain names. They add different numbers at the end of existing domains. For example, they have the following domains:

  1. www .mymediasearchnow .com
  2. www .mymediasearchnowone .com
  3. www .mymediasearchnowtwo .com

They registered all the domains mymediadownloadsone .com through mymediadownloadsthirtyfive .com and rotate them to minimize risks of blacklisting. At the moment of writing mymediadownloadstwentyfive .com was active.

Doorway Sites

In addition to Google Docs, hackers use farms of spam websites created specifically to drive searchers to their download sites. They have pages that have been optimized for certain keywords, with no meaningful content. For real visitors on specific operating systems, attackers use JavaScript to load fake download sites in full window frames. Alternatively, the attacker might make the site look like a forum with download links or a software review site.

As with the media search sites, these spammy sites typically occupy whole servers on certain IP addresses:

91.211.142.11
91.215.155.250
62.109.28.121
62.109.13.23
217.12.204.238
149.154.70.243
...

Here are some examples of the spam sites:

bakutourism .tk
dostmix .tk
heyacan .tk
kaspi .tk
ivmi-motors .ru
mft-group .ru
jackpotcruise .ru
gcp-trial .ru
alabugatrud .ru
kmdpqs .cf
kmdqhjg .cf
kmgykk .cf
mezlsx .cf
myahh .cf
nwtbllu .cf
fianewscrowrom .science
griptigeschlu .science
flapviphadis .science
feileholmming .science
stanateaspos .science
rossdrumilous .science
...

It’s easy to spot several patterns in the domain names of the spammy sites:

  1. Newly registered expired domains of real Russian sites: e.g.: correalty . ru or tomskytools  .ru.
  2. Low quality .tk domains registered around 2012-2013 like bakutourism .tk or kaspi .tk.
  3. Completely random short .cf domain names like  fyoaqe .cf or acsdw .cf.
  4. Artificial gibberish words on .science domains like stanateaspos .science or anuracmo .science

Google App Engine Redirectors

Now lets return to the links in the spammy Google Docs document.

pivwin2 .appspot . com / tmpslv2 .appspot.com was not the only pair of Google App Engine applications that redirected people to the fake media download sites.

If we conduct this search [site:docs.google.com “Download Now”] we’ll find many more Google documents created by this campaign. Their links use various other appspot.com subdomains (App Engine application ids). It’s easy to notices that they all have numbers at the end: pivwin2ghpnc9ccorst5, etc. Moreover, there are ids for every number 1 through 12. This campaign can use any of them interchangeably:

ccorst1 .appspot .com through ccorst12. appspot .com
dndbinn1 .appspot .com through dndbinn12. appspot .com
dnmake1 .appspot .com through dnmake12. appspot .com
frdxin1 .appspot .com through frdxin12. appspot .com
ghpnc1 .appspot .com through ghpnc12. appspot .com
ipowmax1 .appspot .com through ipowmax12. appspot .com
jotjdn1 .appspot .com through jotjdn12. appspot .com
...

They all redirect to tmpslv2 .appspot .com, but it is also possible to use tmpslv1 .appspot .com and tmpslv3. appspot .com as the second level redirectors.

Fighting against “Unwanted Software”

Various types of “unwanted software” became so widespread lately that Google began to actively fight against them about a year ago. Our “media search/download” networks perfectly fits into Google’s definitions of UwS. Even without installing the downloaded files we see that the sites leverage “bad software downloader practices” and the “media” they offer for downloading has the following characteristics:

  • It is deceptive, promising a value proposition that it does not meet.
  • It tries to trick users into installing it or it piggybacks on the installation of another program.
  • It doesn’t tell the user about all of its principal and significant functions.

Ironically, this very UwS campaign actively uses various Google’s own resources in distribution of malware:

  • Poisoned search results
  • Spammy Google Docs documents
  • Spammy redirectors on Google App Engine.

Of course, it’s not the only such a campaign and not the most elaborate. But it helps us unmask the tactics employed by such campaigns. We hope that raising awareness can help us all better understand and eliminate such things more efficiently.

Summary

In companies like Sucuri, even routine business procedures may result in serious security investigations. This time a signal from our marketing department helped us uncover a whole multi-level network of sites that distribute unwanted software.

 

4 comments
  1. Sad you had to spend so much time wandering through that rabbit hole. I see no light at this spammy SEO tactics hole. If Google takes no action it’s only going to get worst (and no recourse since it’s Google’s actual search results that are the “problem.”). Such a waste.

  2. Thanks Denis, I’ve been wondering about this for what seems like years. Your post put everything into perspective 🙂

  3. Some of these redirects come from searching for valid addons that are cloaked as cracked game addons, via Droid apk addons – usually you do a survey(usually this results in entering all of your personal info), and while it appears to be timing out on the page; because you clicked on a survey ad, it’s actually a link w/ an agreement to let them access your email, personal shared folders, etc, etc, etc,,,, so timing out and clicking more popup ads, you are agreeing to full access to your machine, etc, adding exceptions and so forth,

Comments are closed.

You May Also Like