A clever disinformation campaign engages several Microsoft Azure and OVH cloud subdomains as well as Google search to promote malware and spam sites.
Android users receive a “new info related to…” Google search notification about a subject they have previously searched about, but are then presented with misleading search results, driving traffic to scam websites disguised as infotainment articles.
Polluted search results trigger a mobile notification
No one knows who is behind the quote, “If you tell a lie big enough and keep repeating it, people will eventually come to believe it,” but it seems to have fueled the disinformation campaign that has emerged lately.
Earlier this week I was greeted with a Google search notification on my Android phone stating, “new info related to Harry Connick, Jr,” the Find Me Falling actor I’d recently looked up.
On clicking the notification, I saw not once but several websites repeating the same message: “Unraveling The Truth Behind Harry Connick Jr.’s Stroke: A Journey Of Resilience And Recovery.”
The reason Google sent out this “new info related to” notification in the first place? Google search results have been polluted by dozens of domains hosted on cloud services like Microsoft Azure blob storage and OVH which are perpetuating this disinformation.
When Google detects several such websites publicizing “new info” related to a public figure, its algorithms possibly treat it as that and notify users who’ve previously looked up an entity.
Ironically, many of these articles discuss a “rumor” realted to the celebrity’s health, and in turn spread that very rumor as no other credible news sources seem to be making such claims about Harry Connick, Jr.
BleepingComputer reached out to Harry Connick, Jr’s representatives in an attempt to make them aware of this disinformation campaign.
We further discovered that this campaign was not limited to one personality and targeted several public figures, including Bill Paxton, Carol Burnett, Eminem, Tom Hardy, Randy Travis, Sinbad, Kim Porter, and Megan Fox.
Sites redirect visitors to malware, spam
These unsubstantiated articles either claim that the named celebrities have recently suffered a “stroke” or conclude that there is no “official” confirmation about the named personality suffering from such health conditions.
That is, when these articles are viewed with an ad blocker turned on.
Otherwise, the sole purpose of these webpages is to redirect visitors through a series of hoops to online properties that ultimately push malware, spam, and counterfeit software.
For example, the link at the following address, hosted on Microsoft’s *.blob.core.windows.net
hxxps://celebradar.blob.core.windows[.]net/celebnetwork15/harry-connick-junior-stroke.html
was seen redirecting to a dubious videoadblocker[.]pro domain asking users to install an “Eclipse Ad Blocker” Chrome extension:
We observed similar ads running on other domains, with some pushing fake “Norton” and “McAfee” virus-detected alerts.
We observed many of these domains embedded ad-serving scripts like hxxps://moremashup[.]com/js/ads.js
Some of these would go a step further and inject one-liner obfuscated scripts on the page, e.g. from hxxps://satisfactorymetalrub[.]com/8438b16ee31e72c66f3abda855a57488/invoke.js
Some of the URLs associated with this disinformation campaign identified by BleepingComputer are listed below:
hxxps://cancerresearch.blob.core.windows[.]net/breakthrough/carol-burnett-stroke.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork2/bill-paxton-wife-louise-newbury-death.html hxxps://applebulletin.blob.core.windows[.]net/bergenews5/is-randy-travis-dead.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork15/tarrare-death-cause.html hxxps://newscentralstation.blob.core.windows[.]net/channel10/steve-harvey-accident.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork13/who-is-tom-hardy-married-to.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork15/mikayla-campinos-leakd.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork5/sinbads-children.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork12/was-kim-porter-mixed.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork12/donnie-and-jenny-divorce-2024.html hxxps://sopnews.blob.core.windows[.]net/jazz8/michael-c-hall-height.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork13/did-chris-change-his-name.html hxxps://flashnews2.s3.uk.io.cloud.ovh[.]net/harry-connick-jr-stroke.html hxxps://ashghali[.]com/automotive8/did-harry-connick-jr-have-a-stroke.html hxxps://globalinternationalnews.blob.core.windows[.]net/globalinternationalnews3/harry-connick-jr-stroke.html hxxps://interestnews.blob.core.windows[.]net/topictribune3/harry-connick-jr-stroke.html
Readers should refrain from visiting search results pointing to aforementioned URL structures particularly when these appear to contain bold, unverified claims about public figures and entities which are otherwise not mentioned by credible sources.