Monday, December 23, 2024

Azure domains and Google abused to spread disinformation and malware


A clever disinformation campaign engages several Microsoft Azure and OVH cloud subdomains as well as Google search to promote malware and spam sites.

Android users receive a “new info related to…” Google search notification about a subject they have previously searched about, but are then presented with misleading search results, driving traffic to scam websites disguised as infotainment articles.

Polluted search results trigger a mobile notification

No one knows who is behind the quote, “If you tell a lie big enough and keep repeating it, people will eventually come to believe it,” but it seems to have fueled the disinformation campaign that has emerged lately.

Earlier this week I was greeted with a Google search notification on my Android phone stating, “new info related to Harry Connick, Jr,” the Find Me Falling actor I’d recently looked up.

[Image] Google search mobile notification for Harry Connick Jr “stroke” (BleepingComputer)

On clicking the notification, I saw not once but several websites repeating the same message: “Unraveling The Truth Behind Harry Connick Jr.’s Stroke: A Journey Of Resilience And Recovery.”

The reason Google sent out this “new info related to” notification in the first place? Google search results have been polluted by dozens of domains hosted on cloud services like Microsoft Azure blob storage and OVH which are perpetuating this disinformation.

[Image] Several Azure and OVH-hosted sites spreading disinformation (BleepingComputer)

When Google detects several such websites publicizing “new info” about a public figure, its algorithms possibly treat it as genuinely new information and notify users who have previously looked up that entity.

Ironically, many of these articles discuss a “rumor” related to the celebrity’s health, and in doing so spread that very rumor, as no other credible news sources appear to be making such claims about Harry Connick, Jr.

BleepingComputer reached out to Harry Connick, Jr’s representatives in an attempt to make them aware of this disinformation campaign.

We further discovered that this campaign was not limited to one personality and targeted several public figures, including Bill Paxton, Carol Burnett, Eminem, Tom Hardy, Randy Travis, Sinbad, Kim Porter, and Megan Fox.

Sites redirect visitors to malware, spam

These unsubstantiated articles either claim that the named celebrities have recently suffered a “stroke” or conclude that there is no “official” confirmation about the named personality suffering from such health conditions.

That is, when these articles are viewed with an ad blocker turned on.

Otherwise, the sole purpose of these webpages is to redirect visitors through a series of hoops to online properties that ultimately push malware, spam, and counterfeit software.

For example, the following link, hosted on Microsoft’s *.blob.core.windows.net domain,

hxxps://celebradar.blob.core.windows[.]net/celebnetwork15/harry-connick-junior-stroke.html

was seen redirecting to a dubious videoadblocker[.]pro domain asking users to install an “Eclipse Ad Blocker” Chrome extension:

[Image] Domains pushing dubious Chrome extensions (BleepingComputer)

We observed similar ads running on other domains, with some pushing fake “Norton” and “McAfee” virus-detected alerts.

[Image] Fake “Norton” virus-detected alerts (BleepingComputer)
[Image] Fake “Adobe Flash Player” ad pushed by these domains (BleepingComputer)

We observed that many of these domains embedded ad-serving scripts such as hxxps://moremashup[.]com/js/ads.js

Some of these went a step further and injected obfuscated one-liner scripts into the page, e.g. from hxxps://satisfactorymetalrub[.]com/8438b16ee31e72c66f3abda855a57488/invoke.js

[Image] Obfuscated one-liner JavaScript injected by embedded scripts (BleepingComputer)

Some of the URLs associated with this disinformation campaign identified by BleepingComputer are listed below:

Readers should refrain from visiting search results that point to the URL structures described above, particularly when they appear to contain bold, unverified claims about public figures and entities that are not reported by credible sources.
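For teams that want to triage proxy logs or threat-intel feeds for the hosting pattern described above (public cloud object storage serving celebrity “stroke”/“death” pages), here is an added example of a small defanged-URL classifier. It is not code from the article or from BleepingComputer; the sample URLs, the keyword list and the host regexes are constructed assumptions based on the patterns the article describes.

```python
import re
from urllib.parse import urlparse

# Hosting patterns described in the article: Azure Blob Storage public
# endpoints and OVH S3-compatible object storage endpoints (assumed regexes).
CLOUD_STORAGE_HOSTS = re.compile(
    r"(\.blob\.core\.windows\.net|\.s3\.[a-z0-9-]+\.io\.cloud\.ovh\.net)$"
)
# Path keywords seen in the rumor pages (health/death claims); constructed list.
RUMOR_KEYWORDS = re.compile(r"\b(stroke|dead|death|accident)\b", re.I)


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)
    return url.replace("[.]", ".")


def classify(url: str) -> dict:
    """Report which article-described traits a (possibly defanged) URL shows."""
    parsed = urlparse(refang(url.strip()))
    host = parsed.hostname or ""
    path = parsed.path.lower()
    on_cloud_storage = bool(CLOUD_STORAGE_HOSTS.search(host))
    rumor_path = path.endswith(".html") and bool(RUMOR_KEYWORDS.search(path))
    return {
        "url": url.strip(),
        "cloud_storage_host": on_cloud_storage,
        "rumor_path": rumor_path,
        # Both traits together is the combination worth a block or review.
        "suspicious": on_cloud_storage and rumor_path,
    }


def flag_suspicious(urls):
    """Return only the URLs that match both traits, in input order."""
    return [c["url"] for c in map(classify, urls) if c["suspicious"]]


# Constructed sample input; none of these are indicators from the article.
SAMPLE_URLS = [
    "hxxps://example-news.blob.core.windows[.]net/channel7/some-actor-stroke.html",
    "hxxps://example-bucket.s3.gra.io.cloud.ovh[.]net/is-some-singer-dead.html",
    "https://example-news.blob.core.windows.net/assets/logo.png",
    "https://www.example.org/news/some-actor-stroke.html",
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_URLS):
        print("suspicious:", hit)
```

A legitimate storage account serving static assets (the logo.png sample) and a rumor-shaped path on a non-cloud host are deliberately left unflagged, so the check can be tightened or loosened per environment.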
