Another fake Google domain found infecting systems with malware

• The malicious Google domain is named as fonts[.]googlesapi[.]com.
• The purpose of the fake domain is to distribute malware that collects browser cookies.

Researchers have uncovered a new fake Google domain that looks pretty legitimate to unsuspecting users.

What are its characteristics?

As reported by Sucuri.net, the malicious Google domain is named as fonts[.]googlesapi[.]com. This malicious domain abuses the URL shortener service "is.gd" to inject posts table of the client’s WordPress database.

When the infected WordPress gets loaded, the actual content hides behind the is.gd URL shortener and instead obtains the content from the fake Google domain: fonts[.]googlesapi[.]com.

Characteristics of the malware

The malware executed by the fake Google domain is used to steal referral traffic cookie data from websites that are using a specific popular affiliate marketing program.

Before it initiates its attack process, ‘The malicious code first checks to see if the cookie name _utmzz already exists using the document.cookie.indexOf property. It then checks to make sure that the visitor is not a common crawling bot, e.g Googlebot.’

Once the checks are passed, the malware collects the visitor’s browser cookies and send them to the malicious domain.

Red flags

The researchers noted some red flags on the domain which makes it look like a fraud website.

The registration date of the domain bears a close resemblance to the legitimate Google URL, which at a first glance could easily go unnoticed by a webmaster.

The fake domain uses the same exact characters as the legitimate Google Fonts URL, with a slight rearrangement is letters. The fake domain is ‘fonts[.]googlesapi[.]com’ which is quite different from the original one ‘fonts[.]googleapis[.]com’.

The interesting aspect of this malicious domain is its apparent low usage. Due to this, the domain was yet to be blacklisted by VirusTotal.