Google Alerts remains a hotbed of fraud and malware, as malicious actors increasingly abuse the service to promote malicious websites. While Google Alerts has been abused for a long time, BleepingComputer has noticed a significant increase in malicious activity in the last two weeks.
For example, the BleepingComputer team used Google Alerts to monitor various terms related to cyber attacks, security incidents, malware and more. In one particular Google Alert, almost every new article posted by the service on April 19 led to fraud or malware, with two such cases being listed below.
When you open these notifications, instead of being taken to a legitimate website, you are redirected through a number of sites until you reach one promoting malware, fake adult sites, fake dating apps, adult games, giveaway scams and lotteries, or unwanted browser extensions.
Unfortunately, even if you set Google's service to show you only the best results, fraudulent alerts often slip through and are detected only when you open them.
How do Google Alerts scams work?
To trick Google into believing that they are legitimate sites and not scams, malicious actors use a black hat Search Engine Optimization (SEO) technique called "cloaking".
Cloaking is when a site displays different content to visitors than to search engine spiders. Cloaking allows the site to look like plain text or a standard blog post when Google search engine spiders visit the page, but performs malicious redirects when a user visits the site from a Google redirect.
For example, if you or the Googlebot spider visit the website directly, the site will display a wall of text with high keyword density for the terms they are trying to rank for. Below, you can see that malicious actors use a lot of keywords related to cybersecurity in order to rank well in this category.
However, when a user accesses the site via a Google Alert URL, they will be redirected to malicious sites that promote malware or scams.
For example, when opening one of the Google Alerts links in Firefox, the link led the BleepingComputer team to a software promotion page called YoutubeToMP3, which is flagged in 24/69 VirusTotal scans. After the malware is installed, a headless Chromium browser starts in the background and performs suspicious activity while using 27% of the CPU.
As Google is never redirected to the malicious websites, the webpage is added to the search index and a Google Alert is sent to anyone who monitors these keywords. Those who receive the notification will not know that the URL is malicious until they visit the site or until their installed antivirus blocks that URL.
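One way to check a suspect alert link for the cloaking behaviour described above, as an added example that is not from the original article: it compares responses already captured for the same URL as a crawler and as a visitor arriving from a Google redirect. The profile names, response dictionaries, hostnames and the 0.3 density threshold are constructed assumptions, and only HTTP redirects are inspected, not script-based ones.

```python
from urllib.parse import urlparse

PROFILES = ("googlebot", "google_referer")  # assumed names for the two captures

def landing_host(url, resp):
    """Host a client lands on after one response: the Location target for a
    3xx, otherwise the requested host (relative redirects stay on-site)."""
    here = urlparse(url).hostname
    if 300 <= resp["status"] < 400 and resp.get("location"):
        return urlparse(resp["location"]).hostname or here
    return here

def keyword_density(body, terms):
    """Fraction of words in the body that are monitored keywords."""
    words = [w.strip(".,;:!?").lower() for w in body.split()]
    return sum(w in terms for w in words) / len(words) if words else 0.0

def assess_cloaking(url, responses, terms, threshold=0.3):
    """Compare what the crawler sees with what an alert reader sees."""
    hosts = {p: landing_host(url, responses[p]) for p in PROFILES}
    findings = []
    # Crawler stays on the page, but a visitor coming from Google is sent elsewhere.
    if hosts["google_referer"] != hosts["googlebot"]:
        findings.append("referer-conditional redirect to " + hosts["google_referer"])
    # Crawler is served a wall of keywords rather than an article.
    if keyword_density(responses["googlebot"].get("body", ""), terms) >= threshold:
        findings.append("keyword-stuffed crawler view")
    return findings

# Constructed sample data: one cloaked page and one ordinary page.
URL = "https://blog.example.org/post"
TERMS = {"malware", "ransomware", "breach", "phishing"}
STUFFED = "malware ransomware breach phishing malware news breach ransomware"
CLOAKED = {
    "googlebot": {"status": 200, "body": STUFFED},
    "google_referer": {"status": 302, "location": "https://landing.example.net/dl"},
}
BENIGN_BODY = "The vendor published a patch on Tuesday after a breach report."
BENIGN = {p: {"status": 200, "body": BENIGN_BODY} for p in PROFILES}

if __name__ == "__main__":
    print(assess_cloaking(URL, CLOAKED, TERMS))
    print(assess_cloaking(URL, BENIGN, TERMS))
```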
Source of information: bleepingcomputer.com