Each time the infected WordPress page is loaded, the actual content is hidden behind an is.gd shortened link, which in turn loads content from a fake Google domain (in this case fonts[.]googlesapi[.]com).
According to digital forensics experts, the creation of this domain is not as recent as you might think: it has been online for just over a year. As for its appearance, the URL is very similar to the authentic Google one used on many websites and could go unnoticed by any administrator.
In fact, this malicious domain uses exactly the same characters as the legitimate Google Fonts URL, simply relocating an 's', which makes it undetectable to the naked eye.
- Legitimate domain: fonts[.]googleapis[.]com
- Malicious domain: fonts[.]googlesapi[.]com
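A site administrator can catch this kind of rearranged-character lookalike mechanically rather than by eye. The scanner below is an added example, not code from the original report: it pulls resource URLs out of a page's HTML, flags any host that is an anagram of, or within two edits of, an allowlisted Google Fonts host, and also flags URL shorteners such as is.gd being used as a resource source. The allowlist, the shortener list and the sample HTML are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed allowlist of hosts this site legitimately loads fonts from.
LEGIT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# URL shorteners have no business serving page resources; is.gd is the one named in the report.
SHORTENER_HOSTS = {"is.gd"}

URL_RE = re.compile(r'(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character variants of a trusted host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str):
    """Return why a host looks suspicious, or None if it is allowlisted or unrelated."""
    host = host.lower()
    if host in LEGIT_HOSTS:
        return None
    if host in SHORTENER_HOSTS:
        return "URL shortener used as a resource host"
    for legit in LEGIT_HOSTS:
        # googleapis -> googlesapi keeps the exact same characters, only reordered.
        if Counter(host) == Counter(legit):
            return f"same characters as {legit}, rearranged"
        if levenshtein(host, legit) <= 2:
            return f"within edit distance 2 of {legit}"
    return None


def scan_html(html: str):
    """Return (host, reason) pairs for every suspicious src/href host in the page."""
    findings = []
    for url in URL_RE.findall(html):
        host = urlparse(url if "//" in url else "https://" + url).hostname
        if host and (reason := lookalike_reason(host)):
            findings.append((host, reason))
    return findings


# Constructed sample page: one legitimate font include, one lookalike, one shortener.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="//fonts.googlesapi.com/css?family=Roboto">
<script src="https://is.gd/PLACEHOLDER"></script>
"""

if __name__ == "__main__":
    for host, reason in scan_html(SAMPLE_HTML):
        print(f"{host}: {reason}")
```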
Another factor that plays in favor of this malicious domain is its apparently low use: so far it has not been blacklisted by any partner company of VirusTotal, a platform that provides information on current security risks.
It was also detected that this malicious domain was trying to load malware from a previously reported domain (wordprssapi[.]com), flagged since 2017. This variant of malware is used to steal browsing cookies on websites that employ a specific marketing program.
Digital forensics specialists mention that, in the first instance, the malicious code checks whether the cookie name_utmzz already exists, using document.cookie.indexOf. It then makes sure that the visitor is not a common crawler bot, such as Googlebot.
According to the digital forensics specialists from the International Institute of Cyber Security (IICS), even if the fake domains found in this campaign were legitimate, sending cookies is always a warning sign for website owners, as these records should be considered as personal information that should not be shared.
Using fake domains with characters similar to those of the legitimate domain is a very common attack variant, so it is recommended that website administrators exercise caution.