New Google fonts attack on WordPress websites

A team of digital forensics specialists just reported the discovery of a fake Google domain that could trick any user who doesn’t pay sufficient attention to their online activities.

Following the report of security boulevard, this malicious domain abused, a URL shortener service, to inject these clipped addresses into the post table in the customer’s WordPress database.

Each time the infected WordPress page is loaded, the actual content is hidden behind the a, which in turn gets content from fake Google domain (in this case fonts[.] googlesapi[.] com).

According to digital forensics experts, the creation of this domain is not as recent as you might think, as it takes just over a year online. As for its appearance, the URL is very similar to the Google authentic used on many websites and could go unnoticed by any administrator.

Actually this malicious domain uses exactly the same characters as the legitimate Google Fonts URL, simply relocation an ‘s’, which makes it undetectable to the naked eye.

  • Legitimate domain: fonts[.] googleapis[.]com
  • Malicious domain: fonts[.] googlesapi[.]com

Another factor that plays in favor of this malicious domain is its apparent low use, as it has so far not been blacklisted by any VirusTotal partner company, a platform that provides information on current security risks associated with domain that are bought directly or through Auction. Hosting Foundry explains it here about, How Do Domain Auctions Works.

It was also detected that this malicious domain was trying to load malware from a previous domain (wordprssapi[.]com), reported since 2017. This variant of malware is used for the theft of browsing cookies on websites that employ a specific marketing program.

Digital forensics specialists mention that, in the first instance, the malicious code checks whether the cookie name_utmzz already exists, using the document.cookie.indexOf property. It then makes sure that the visitor is not a common robot, such as Googlebot.

If the checks are passed, JavaScript sends the visitor’s browser cookies to the malicious domain. It also generates a cookie with the name you verified earlier, “_utmzz”, which is set to expire in 1 day.

According to the digital forensics specialists from the International Institute of Cyber Security (IICS), even if the fake domains found in this campaign were legitimate, sending cookies is always a warning sign for website owners, as these records should be considered as personal information that should not be shared.

Using fake domains with characters similar to those of the legitimate domain is a very common attack variant, so it is recommended that website administrators exercise caution.