Malware
August 19, 2024

Disinformation and Malware Spread Through Abused Azure Domains and Google

A sophisticated disinformation campaign is currently leveraging Microsoft Azure and OVH cloud subdomains, alongside Google search, to promote malicious websites and spam. This campaign targets Android users by delivering deceptive notifications that appear to offer updates on topics they have recently searched for, only to direct them to fraudulent websites disguised as legitimate infotainment articles.

Manipulated Search Results Trigger Misleading Notifications

Recently, Android users have reported receiving Google search notifications with the message, "new info related to [subject]," referring to a topic they had previously researched. However, instead of providing relevant information, these notifications lead to misleading search results that push users towards scam sites. These sites are often masked as articles offering intriguing or shocking updates on public figures.

The campaign’s tactics involve polluting search results with multiple sites hosted on cloud services like Microsoft Azure and OVH. These sites perpetuate disinformation by presenting fabricated stories about celebrities, thus tricking Google's algorithms into sending notifications to users who had previously searched for these individuals.

For example, one such notification claimed to provide new information about actor Harry Connick, Jr., which, upon investigation, turned out to be part of a widespread disinformation campaign. The message, "Unraveling The Truth Behind Harry Connick Jr.'s Stroke: A Journey Of Resilience And Recovery," was repeated across multiple fraudulent sites, despite no credible sources confirming the claims.

Disinformation Campaign Targets Multiple Public Figures

This campaign is not limited to a single individual but spans various public figures, including Bill Paxton, Carol Burnett, Eminem, Tom Hardy, Randy Travis, Sinbad, Kim Porter, and Megan Fox. The disinformation often revolves around false reports of strokes or other health issues, spreading rumours under the guise of news.

Malware and Spam Propagation via Redirects

The true intent of these fraudulent sites is not merely to spread false information but to redirect users to malicious websites. When accessed without an ad blocker, these pages often push users through a series of redirects, ultimately leading them to sites that distribute malware, spam, and counterfeit software.

One example involves a URL hosted on Microsoft's Azure blob storage that redirects users to a dubious domain promoting a fake "Eclipse Ad Blocker" Chrome extension. Other sites linked to this campaign were observed running ads that falsely claimed to detect viruses on users' devices, urging them to download fake antivirus software.

In addition to pushing spammy ads, some of these websites embed ad-serving scripts or inject obfuscated scripts designed to further manipulate users. The aim is to exploit the trust users place in cloud-hosted domains and redirect them to harmful content.
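One way a defender can surface the redirect pattern described above is to reconstruct per-client redirect chains from web-proxy records and flag chains that begin on a cloud-storage subdomain and end on an unrelated domain. The following is an added example, not code from the original article: the proxy records, client addresses and hostnames are constructed placeholders, and the `.ovh.net` suffix is an assumption standing in for whichever OVH hostnames apply in your environment.

```python
from urllib.parse import urlsplit

# Cloud-storage suffixes to treat as "start of chain". Azure blob storage is the
# one the article names; ".ovh.net" is an assumed placeholder for OVH hosting.
CLOUD_SUFFIXES = (".blob.core.windows.net", ".ovh.net")

# Constructed proxy records: (client, requested URL, status, Location header).
# Hostnames are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    ("10.0.0.5", "https://newsupd8.blob.core.windows.net/post/stroke.html", 302,
     "https://track-example.invalid/go?id=1"),
    ("10.0.0.5", "https://track-example.invalid/go?id=1", 302,
     "https://adblocker-example.invalid/install"),
    ("10.0.0.5", "https://adblocker-example.invalid/install", 200, None),
    # Benign: a redirect that stays on the same storage account.
    ("10.0.0.7", "https://corp-site.blob.core.windows.net/site/index.html", 301,
     "https://corp-site.blob.core.windows.net/site/"),
    ("10.0.0.7", "https://corp-site.blob.core.windows.net/site/", 200, None),
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the hosts used here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def is_cloud_host(host):
    return host.endswith(CLOUD_SUFFIXES)

def build_chains(events):
    """Per-client redirect chains: consecutive 3xx responses whose Location is
    the URL that client fetches next, closed by the first non-3xx response."""
    open_chains, finished = {}, []
    for client, url, status, location in events:
        chain = open_chains.get(client, [])
        if chain and chain[-1] != url:   # client went elsewhere: drop partial chain
            chain = []
        if 300 <= status < 400 and location:
            open_chains[client] = (chain or [url]) + [location]
        else:
            if chain:
                finished.append((client, chain))
            open_chains.pop(client, None)
    return finished

def suspicious_chains(events):
    """Chains that start on a cloud-storage host and land on an unrelated domain."""
    hits = []
    for client, chain in build_chains(events):
        first, last = host_of(chain[0]), host_of(chain[-1])
        if (is_cloud_host(first) and not is_cloud_host(last)
                and registrable_domain(first) != registrable_domain(last)):
            hits.append((client, chain))
    return hits
```

Run over real proxy logs, the flagged chains give an analyst the cloud-hosted landing page, each intermediate tracker and the final destination to review or block.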

To Sum Up

To protect yourself from falling victim to such disinformation campaigns, it is essential to exercise caution when clicking on search results, especially those making bold claims about public figures that lack verification from credible news sources.

Cybersecurity experts continue to monitor this campaign and recommend that users keep their devices secure by installing reliable security software and remaining vigilant against suspicious notifications or search results.
