[BreachExchange] Google Alerts catches fake data breach notes pushing malware

Destry Winant destry at riskbasedsecurity.com
Wed Jun 17 10:11:54 EDT 2020


Fraudsters recently have started to push fake data breach
notifications for big company names to distribute malware and scams.
They’re mixing black SEO, Google Sites, and spam pages to direct users
to dangerous locations.

Google Alerts helps to spread these fake notifications as the service
monitors search results for user-defined keywords. Scammers created
pages or used compromised websites to combine “data breach” with
well-known brands.

Fake security incidents

BleepingComputer has seen fake breach notifications for companies like
Chegg, EA, Canva, Dropbox, Hulu, Ceridian, Shein, PayPal, Target,
Hautelook, Mojang, InterContinental Hotels Group, and Houzz. These
companies have suffered a data breach at one point in the past.

Following any of these links picked up by Google Alerts ends with
landing on pages with fake giveaways, download offers for unwanted
extensions and malware.

To make it harder to detect their malicious behavior, navigating to
the pages directly may not reveal the true nature of the campaign.

Users may instead see a “page not found” error or a text specifically
created to promote a fake data breach.

BleepingComputer found on a hacked website a directory
(penartdesigner[.]com/ifcemva/) with about 2,000 text files like the
one above with specific keywords to promote a topic in search results.

All but one entry were last modified this year starting June 11, the
vast majority on June 15. The timestamp for the exception, which has
the oldest date, is July 31, 2018.

The information in the blobs of text was copied from public sources
and covers an extremely wide variety of subjects. Basically, the
fraudsters created this portfolio of files from scraping the internet
for issues or questions for which users needed an answer.

As for the topics, they are of the most diverse kind. From various
software products (note-taking, SDKs, street lighting design,
firmware, libraries) and DIY construction projects to oil vapes,
canine breeding, hardware issues, and teeth aligners.

Whenever someone searches for a certain topic, the scammer’s results
would rank higher in the results and have a better chance of being
accessed to start the redirect chain to nasty offers and content.

Apart from using compromised websites, scammers may also set up their
own pages. In many cases, they used Google Sites, a tool specifically
created for building web pages, to host their content.

Google Alerts links redirect to malware

If you use a Google Alerts or search engine link to arrive at one of
these fake data breach sites, the experience is very different
compared to going there directly.

Clicking on a Google link redirects users through multiple addresses
until the final one is reached. What is shown there depends on the
user's location.

On most occasions, we found that the fraudsters pushed unwanted
search-related extensions.

Fake Adobe Flash update notifications were also very common, asking
users to install the latest version of the player if they wanted to
access the content promised before the redirect.

These fake alerts popped up in both Google Chrome and Mozilla Firefox
web browsers. It should be noted that Flash Player will be deprecated
in December and current versions of the two browsers no longer support
it in the default configuration. Users can still turn it on manually
until the software is completely phased out.

We also found that one of the malicious links redirected to a fake
giveaway for iPhone 11 devices, claiming that it was set up by Google
as part of its "Membership Rewards" program.

To make this offer more believable, the notification also claimed that
the gift was "exclusively and only for Verizon Fios users" in the
region identified for the user. Getting the gift, though, requires
completing a survey, which is how the scammers make their money.

If surveys may not cause much damage and only waste a user's time, a
browser extension scam can pose a serious risk to your browsing
privacy and malware can also be delivered using this method.

Typically, extensions can read the pages you access and even modify
them; for this, legitimate ones approved in official repositories
inform the user and ask for their explicit consent. A malicious
extension, though, can skip this step and collect a user's interests
and sell them to interested parties.

Using spam pages to redirect users to pages that pose a risk is not a
new thing. BleepingComputer reported in September last year that
scammers used the same tactic to target users looking for ransomware

More information about the BreachExchange mailing list