Azure domains and Google abused to spread disinformation and malware

Artifact 01-13-2025 12:58 PM


A clever disinformation campaign engages several Microsoft Azure and OVH cloud subdomains as well as Google search to promote malware and spam sites.
Android users receive a "new info related to..." Google search notification about a subject they have previously searched about, but are then presented with misleading search results, driving traffic to scam websites disguised as infotainment articles.
Polluted search results trigger a mobile notification
No one knows who is behind the quote, "If you tell a lie big enough and keep repeating it, people will eventually come to believe it," but it seems to have fueled the disinformation campaign that has emerged lately.
Earlier this week I was greeted with a Google search notification on my Android phone stating, "new info related to Harry Connick, Jr," the Find Me Falling actor I'd recently looked up.
Google search mobile notification for Harry Connick Jr "stroke"
On clicking the notification, I saw not once but several websites repeating the same message: "Unraveling The Truth Behind Harry Connick Jr.'s Stroke: A Journey Of Resilience And Recovery."
The reason Google sent out this "new info related to" notification in the first place? Google search results have been polluted by dozens of domains hosted on cloud services like Microsoft Azure blob storage and OVH which are perpetuating this disinformation.
Several Azure and OVH-hosted sites spreading disinformation
When Google detects several such websites publicizing "new info" related to a public figure, its algorithms possibly treat it as that and notify users who've previously looked up an entity.
Ironically, many of these articles discuss a "rumor" related to the celebrity's health, and in turn spread that very rumor as no other credible news sources seem to be making such claims about Harry Connick, Jr.
BleepingComputer reached out to Harry Connick, Jr's representatives in an attempt to make them aware of this disinformation campaign.
We further discovered that this campaign was not limited to one personality and targeted several public figures, including Bill Paxton, Carol Burnett, Eminem, Tom Hardy, Randy Travis, Sinbad, Kim Porter, and Megan Fox.
Sites redirect visitors to malware, spam
These unsubstantiated articles either claim that the named celebrities have recently suffered a "stroke" or conclude that there is no "official" confirmation about the named personality suffering from such health conditions.
That is, when these articles are viewed with an ad blocker turned on.
Otherwise, the sole purpose of these webpages is to redirect visitors through a series of hoops to online properties that ultimately push malware, spam, and counterfeit software.
For example, the link at the following address, hosted on Microsoft's *.blob.core.windows.net
hxxps://celebradar.blob.core.windows[.]net/celebnetwork15/harry-connick-junior-stroke.html
was seen redirecting to a dubious videoadblocker[.]pro domain asking users to install an "Eclipse Ad Blocker" Chrome extension:
Domains pushing dubious Chrome extensions
We observed similar ads running on other domains, with some pushing fake "Norton" and "McAfee" virus-detected alerts.
Fake "Adobe Flash Player" ad pushed by these domains
We observed many of these domains embedded ad-serving scripts like hxxps://moremashup[.]com/js/ads.js
Some of these would go a step further and inject one-liner obfuscated scripts on the page, e.g. from hxxps://satisfactorymetalrub[.]com/8438b16ee31e72c66f3abda855a57488/invoke.js
Obfuscated one-liner JavaScript injected by embedded scripts
https://www.bleepingcomputer.com/new...n-and-malware/
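
For defenders who want to check web proxy logs against the hosts named in the article, the following is an added example (not part of the original post or the BleepingComputer article). It refangs the indicators as printed above and matches request hosts on a label boundary, so only the named storage account is flagged rather than all of blob.core.windows.net. The log format and the sample log lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Indicators exactly as the article prints them (still defanged).
PAGE_IOCS = [
    "hxxps://celebradar.blob.core.windows[.]net/celebnetwork15/harry-connick-junior-stroke.html",
    "videoadblocker[.]pro",
    "hxxps://moremashup[.]com/js/ads.js",
    "hxxps://satisfactorymetalrub[.]com/8438b16ee31e72c66f3abda855a57488/invoke.js",
]

def refang(indicator):
    """Undo the hxxp / [.] defanging so the value can be parsed."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")

def host_of(value):
    """Return the lowercase hostname of a URL or bare domain."""
    value = refang(value.strip())
    if "://" not in value:
        value = "https://" + value
    return (urlsplit(value).hostname or "").lower()

BLOCKED_HOSTS = {host_of(i) for i in PAGE_IOCS}

def is_blocked(host):
    """Match the listed host or any subdomain of it, on a label boundary."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)

def flag_requests(log_text):
    """Return (client, host) pairs for requests to listed hosts.
    Assumed log format: '<timestamp> <client-ip> <url>' on each line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and is_blocked(host_of(parts[2])):
            hits.append((parts[1], host_of(parts[2])))
    return hits

# Constructed sample log: three listed hosts, two look-alikes, one bad line.
SAMPLE_LOG = "\n".join([
    "2025-01-10T09:00:01Z 10.0.0.5 " + refang(PAGE_IOCS[0]),
    "2025-01-10T09:00:03Z 10.0.0.5 " + refang(PAGE_IOCS[2]),
    "2025-01-10T09:00:04Z 10.0.0.5 https://cdn." + refang(PAGE_IOCS[1]) + "/landing",
    "2025-01-10T09:00:09Z 10.0.0.7 https://other-account.blob.core.windows.net/docs/report.pdf",
    "2025-01-10T09:00:12Z 10.0.0.7 https://notvideoadblocker.pro.example.com/",
    "garbage line",
])

if __name__ == "__main__":
    print(flag_requests(SAMPLE_LOG))
```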

