If you use Skype, recently you may have received Baidu link spam from some of your contacts. The links look like this:
www.baidu[.]com/link?url=_QIcrpeV-oOPb6HGTgigvW00e0fiBQyFjSui12FrARO#emubahyt=
When you click these links you end up on fake news sites with articles about a new miracle medicine that may help you lose weight or double your IQ.
Here are the typical headlines on those sites:
- Gwen Stefani Shares Blake Shelton’s Secret To Rapid Weight Loss
- Stephen Hawking Predicts, “This Pill Will Change Humanity”
This is not a new scam and most people realize that these links are spread through hacked Skype accounts, not from their actual contacts.
However, you might be wondering what Baidu has to do with this scam. After all, Baidu is the most popular Chinese search engine (almost like Google for the rest of the world) and it shouldn’t be involved in scams.
Interstitial Redirect Pages
It turns out the bad actors are abusing Baidu search results. Instead of linking directly to web pages, Baidu uses links to interstitial redirect pages. These tell Baidu which links have been clicked in their search engine results pages (SERPs) and may help the page rank higher. You might already recognize this behavior when clicking a link in Google SERPs, since they use a similar redirect.
For example, if you search “sucuri” and click the result for sucuri.net, the actual link will be something like this:
http://www.baidu.com/link?url=1kTf7OhDfrqoy4w4uj4vFShWU-HtiPRwFfz5toubzDG
If you try to make a request to the URL above, you’ll get the following redirect response:
<script>window.location.replace("http://sucuri.net/")</script> <noscript><META http-equiv="refresh" content="0;URL='http://sucuri.net/'"></noscript>
As you can see, this interstitial page automatically redirects Baidu searchers to the sucuri.net website – either via JavaScript or via the meta refresh method (if JavaScript is not enabled).
This redirect from Baidu changes as well. If you search for “sucuri” again, you’ll get a new interstitial link with a different encrypted url parameter that still redirects to sucuri.net.
Abusing Interstitial Search Pages on Skype
In the Skype campaign, scammers abuse these interstitial Baidu pages. To do it, they
- Make Baidu index the malicious sites.
- Search Baidu to find their malicious links in the SERP.
- From the SERP, copy the links to Baidu’s interstitial pages.
For example, the link you can see at the top of this post was taken from the search result for abatapka[.]ru site and it’s code is:
<script>window.location.replace("hxxp://abatapka[.]ru/")</script> <noscript><META http-equiv="refresh" content="0;URL='hxxtp://abatapka[.]ru/'"></noscript>
This simple trick provides scammers with anunlimited number of malicious Baidu links that cannot be blacklisted. No one will blacklist the entire baidu.com domain. Moreover, the full interstitial links don’t disclose the landing page, so the campaign can quickly dispose of individual links and introduce new ones.
To make the links more appealing for Skype users to click on, the malware adds a random fragment identifier using the skype name of the recipient (e.g. #emubahyt= from the link at the top of this post). Apparently, there is no other purpose for this identifier since it doesn’t go anywhere past the interstitial Baidu page.
Domains Used in the Campaign
Abatapka[.]ru is not the only domain used in this scam campaign. Here are the other sites and IP addresses currently involved in it.
First-Level Redirect
Baidu links redirect to sites hosted on the server with IP address 46 .30 .46 .78:
- abatapka[.]ru – created on Nov 7, 2016
- 3d-universe[.]ru – created on Nov 3, 2016
- abc-sport[.]ru – created on Nov 7, 2016
- gieldoweb[.]info – created on Nov 12, 2016
- tria42[.]ru – created on Nov 18, 2016
- tehnoenerg[.]ru – created on Nov 1, 2016
Fake “News Sites”
Sites on the 46 .30 .46 .78 server randomly redirect to one of the following fake “news sites”:
- brainvipwit[.]com/?a=370960&c=brain&s=gipo&42988 – 50.115.122.204 – created on Nov 11, 2016
- brainvlllwit[.]com/?a=370960&c=brain&s=gipo&49374 – 50.115.122.206 – created on Nov 16, 2016
- intellectvvv[.]com/?a=373727&c=brain&s=lefo&91446 – 5.149.248.236 – created on Nov 15, 2016
- witxxsmind[.]com/?a=373727&c=brain&s=lefo&82834 – 104.193.252.140 – created on Nov 15, 2016
- vipiqfmind[.]com/?a=370960&c=brain&s=gipo&94704 – 199.168.187.213 – created on Nov 28, 2016
If you click on links on the fake news pages, you’ll be redirected to an online store at master-hot-checkout[.]com (created on Nov 15, 2016) or wldemailnews[.]com (created on July 14, 2015) on the server 216 .189 .159 .125.
As you can see, despite being active for more than a year now, the campaign currently uses domain names registered less than a month ago. This means that the attackers regularly dispose of old domain names and introduce new ones.
Of course, they can’t simply register a new domain name and immediately start using it since they need to have it indexed by Baidu first. To work this around, the scammers try to register expired domains that can already be found in Baidu index.
Obscure Redirects From Legitimate Services
This massive ongoing scam campaign shows us how criminals use popular legitimate services to run their campaigns in disguise. The main problem with the Baidu redirect page is similar to the problem of the links created by URL shorteners – they don’t give you any clue about where they point to. That’s why hackers like them so much, as a way to obfuscate malicious URLs.
There is one big difference between the Baidu redirects and URL shorteners. Most users can tell when a URL shortener is being used for legitimate purposes, which is when links need to be short (easy to type or fit a character limit). Even on services like Twitter, many users are becoming more suspicious of shortened URLs, and more people are learning how to unfurl them first (e.g. using the + sign at the end of a bit.ly link) which will safely show the final destination of the shortened link.
With these Baidu redirects, however, users should question why the link should be short and unreadable at the same time. Actually, the Baidu links cannot even be called short – the url parameter alone is over 40 characters long.
The Baidu links are quite long and very obscure, which makes them good candidates for scam and malware campaigns. People see the domain of a popular web service, realize that it’s not a shortened link (so they don’t expect to be redirected), and at the same time they don’t have any hints about the final destination of the link. The easy fix, used by more considerate services, provide the redirect destination in clear text as a mandatory URL parameter (along with other checks that prevent abusing these kinds of links as open, unvalidated redirects).
What to Do if I’m Sending Links in Skype?
Let’s get back to the Baidu link that you received from someone on your Skype contact list.
- First of all, don’t click on it (or on any link where you can’t be sure where the link will send you) – it can be a rather benign spam, but can easily be a malicious page that will install viruses on your computer or smartphone.
- Next step is to notify the person that “sent” you the link that their Skype account was hacked and they should change the Skype password (and make sure the new password is strong enough) and scan all devices with Skype installed.
In fact, even if your contacts don’t complain about receiving Skype spam from you, the best thing to do is to change your passwords regularly and scan your devices. Just in case. Be proactive and fight the malware.