Another Fake Google Domain: fonts.googlesapi.com

  • December 2, 2019

Our Remediation team lead Ben Martin recently found a fake Google domain that is pretty convincing to the naked eye.

The malicious domain was abusing the URL shortener service is.gd: shortened URLs were being injected into the posts table of the client’s WordPress database.

URL Shortening Service Abused in Malware
Abusing URL shorteners is a common method for trying to hide the real source of malware

Whenever the infected WordPress page loads, the actual content is obscured behind the is.gd shortener, which obtains content from the fake Google domain: fonts[.]googlesapi[.]com

Obfuscation using is.gd shortening service

Fake Google Domain Leveraged in Obfuscation Attempts

In terms of the registration date (2018-11-27), this domain is not that new. Its appearance is very close to the legitimate Google URL that is used on many websites, and at first glance could easily go unnoticed by a webmaster.

The fake domain uses the same exact characters as the legitimate Google Fonts URL; it  simply rearranges an “s” character, making it even less suspicious to cursory glances as it doesn’t cause a misspelling.

GOOD: fonts[.]googleapis[.]com

BAD: fonts[.]googlesapi[.]com

Blacklisting Details

The effectiveness of this malicious domain is further improved by its apparently low usage. At the time of writing, this domain has yet to be blacklisted by any other vendors on VirusTotal except for us.

VirusTotal Blacklisting Status

The malicious fake Google domain was trying to load malware from an old domain, wordprssapi[.]com, which we first mentioned in a 2017 post.

Stolen Cookies Passed to Malicious Domain

This specific malware has been used to steal referral traffic cookie data from websites that were using a specific popular affiliate marketing program.

Cookie Stealer

The malicious code first checks to see if the cookie name _utmzz already exists using the document.cookie.indexOf property. It then checks to make sure that the visitor is not a common crawling bot, e.g Googlebot.

If the checks are passed, the JavaScript sends the visitor’s browser cookies to the malicious domain. It also generates a cookie with the name it previously checked for, “_utmzz” which is set  to expire in 1 day (86400000 milliseconds).

Conclusion

Even if the fake fonts.googlesapi[.]com and wordprssapi[.]com domains found in this campaign were legitimate, sending cookies is always a red flag for website owners – they contain an enormous amount of personal information that shouldn’t be shared.

When auditing your code, exercise caution and check for legitimate domains. Attackers commonly use fake domains and typos in their campaigns to evade detection and obfuscate their malware.

Website monitoring services and core file integrity checks can help you stay on top indicators of compromise and catch website threats early on.

You can follow our guide on how to clean a hacked website or reach out to us if you need a hand cleaning up an infection – we’re always happy to help.

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like