BLUF:
It appears that Ghana, Cambodia, and Brazil’s official government domains host probable lure articles.
Intro:
Lure articles are everywhere. It’s interesting how you might not notice until you’re in the Cyber career field. Before this I used to just skim search results and write off the possibly-malicious results as bad indexing on the part of Google. As I research more into SEO and lure terms/articles, I start to realize that it might not be bad indexing on Google’s part, but malicious actors using good for bad.
Background:
I’ve previously discussed how the Google Keyword Planner could be used to generate search terms to find Gootkit lure articles (https://malasada.tech/gootkit-search-term-research/). I observed the content for this document while researching how useful Google Keywords are for finding Gootkit lure articles. I was hoping to find Gootkit lure articles, but I may have stumbled on to other suspicious activity.
Content:
I’m supposed to be working on my Gootkit Crawler project, but I keep getting distracted with side quests. To get started, I’m researching Google Keyword Planning again. I’m posting snips so you can follow along if you want to. Once you get your free Google Ads account, log in and click Tools >> Keyword Planner >> Discover new keywords.
It’ll load a form for you to plug in your keywords as seen below.
I’ve noticed that the results are like a mini search engine result for keywords. I don’t have a snip, but just putting in “enterprise agreement” returns a lot of creative results. This made me wonder what would happen if I loaded up actual lure titles collected straight from the Cyber-Frontlines.
I’ve been collecting Gootkit lure article titles in my private repo, so I’ll be plugging in those little bangers. You can hand-jam them if you’d like to run them side-by-side. The form only accepts 10 lines, so pick your 10 most adored.
Here’s what it looks like below. I know I said they accept 10, but for some reason they removed “At&T Apple Iphone Exclusivity Agreement”. Perhaps they no like you make AT&T/Apple articles. We’ll research that in a future podcast.
Here are the results below. I selected a keyword idea semi-randomly (I have a childhood dream of creating a website that hosts nothing but simple pasture lease agreement templates for every single use case).
I searched Google for that specific term “simple pasture lease agreement template” as seen on tv below.
You’ll have to scroll past the PDFfiller stuff to get to the goods (note to editor: we should investigate PDFfiller; do they have malicious lures or are they just spam lures?). The lure result is number 8.
I observe several suspicious things. I’ll try to articulate them. The domain ends with “gov.gh”. That is not weird by itself, because it may be in the government’s interest to host lease agreement templates if that is something important for its citizens.
The link isn’t to our search term “simple pasture lease agreement template”; the link is to the article “Foam Helmet Template”. Normally this wouldn’t be weird if the result’s article and link were closely related, but the only thing the two phrases have in common is the word “template”. This indicates that it may be a lure domain for template keywords.
The excerpt (the highlighted text) contains what appears to be other article titles. Normally, the excerpt will contain a summary of the article as seen below. I always find it suspicious when the excerpt contains other article titles instead of a summary – and this is especially so when the article titles appear to be unrelated.
The last thing to articulate is the “whole Airman” concept where we don’t base our determination on one accomplishment, but by a compilation of traits. I don’t assess that templates for foam helmets, pasture lease agreements, and weekly marketing reports are such hot commodities that the government of Ghana would host them on an official page.
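To make the “whole Airman” idea concrete, here is an added example (not code from the original post) that compiles the three traits just described into one score for a search result: a URL slug unrelated to the query, an excerpt that is a list of other article titles, and a government host serving generic template content. The two sample results are constructed placeholders, not the real Ghana page.

```python
# Added example, not from the original post. Sample results are constructed.
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Words too generic to count as a real match between query and URL slug.
GENERIC = {"template", "templates", "free", "pdf", "download", "sample", "simple"}

@dataclass
class SerpResult:
    query: str      # what was searched for
    url: str        # the result's link
    excerpt: str    # the highlighted snippet under the result

def _words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def slug_overlap(query, url):
    """Specific (non-generic) words shared by the query and the URL path."""
    path = urlparse(url).path.replace("-", " ").replace("_", " ")
    return (_words(query) & _words(path)) - GENERIC

def excerpt_is_title_list(excerpt):
    """True when the excerpt is mostly short Title-Case chunks, not prose."""
    chunks = [c.strip() for c in re.split(r"[.\u2026|\u00b7]| - ", excerpt) if c.strip()]
    titleish = [c for c in chunks if len(c.split()) <= 6 and c.istitle()]
    return len(chunks) >= 3 and len(titleish) / len(chunks) >= 0.6

def is_government_host(url):
    host = urlparse(url).hostname or ""
    return re.search(r"\.gov(\.[a-z]{2})?$", host) is not None

def lure_score(r):
    """Compile the traits into (score, reasons); one point per trait that fires."""
    reasons = []
    if not slug_overlap(r.query, r.url):
        reasons.append("url slug shares no specific words with the query")
    if excerpt_is_title_list(r.excerpt):
        reasons.append("excerpt lists other article titles instead of a summary")
    if is_government_host(r.url) and "template" in r.query.lower():
        reasons.append("government host serving generic template content")
    return len(reasons), reasons

SUSPECT = SerpResult("simple pasture lease agreement template",
    "https://placeholder-ministry.gov.gh/foam-helmet-template/",
    "Foam Helmet Template · Weekly Marketing Report Template · Usps Eddm Template · Simple Pasture Lease Agreement Template")
BENIGN = SerpResult("simple pasture lease agreement template",
    "https://forms.example/pasture-lease-agreement",
    "Download a simple pasture lease agreement template. The form covers rent, term, and grazing limits for a small farm.")
```

Run `lure_score(SUSPECT)` and `lure_score(BENIGN)` to see the constructed lure score 3 and the benign result score 0; the thresholds are tuning knobs, not ground truth.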
The next step is to dork it. You can view all of the articles for the domain using the dork in the snip below. It becomes more apparent that these are lure articles because it just seems bizarre for a gov site to host these topics.
It isn’t listed below, and I can’t recall how I came to this article, but during my initial evaluation I focused on the term “usps eddm template”. Here’s where it gets interesting (kinda). When I search for it on Google in Any Run, it isn’t listed. I suspect the actor has a targeted campaign that doesn’t include the exit node that Any Run uses. I don’t have a snip of it, lol, so trust me. I had to resort to some Tom-foolery. A constraint is that your request to the resource needs to have Google as the referrer. You could craft this request with Postman or Insomnia, but the easiest way might be to inject a link into a Google page. In the snip below, you can see I’m in the process of cyber-crafting my own link so that I can click it.
This is the end result. A simple link to click.
After clicking the link, it takes us to the gov URL before forwarding us to another site.
It later takes us to a dogpark site that appears to host other lure articles as seen on the right.
I didn’t get much time to review this page before it forwarded me to aliexpress for a ZCWA Handheld Carpet Cleaner.
Here’s the Any Run link if you want to take a gander. https://app.any.run/tasks/ad4470c0-3e55-4a95-9a32-2de9b8abf7ec
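The gov page to intermediary to product-page chain above is the kind of thing worth recording hop by hop from a sandbox. Here is an added example (not the author’s tooling) of a transport-agnostic redirect-chain recorder that sends Google as the referrer, as the constraint above requires, and refuses to follow redirects silently; `fake_fetch` replays a constructed three-hop chain offline, and all hosts in it are placeholders.

```python
# Added example, not from the original post; chain hosts are placeholders.
import urllib.error
import urllib.request
from urllib.parse import urljoin

GOOGLE_REFERER = "https://www.google.com/"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None   # surface each hop as an HTTPError instead of following it

def urllib_fetch(url, headers):
    """Fetch one hop; returns (status, headers). Run this only from a sandbox."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=15) as r:
            return r.status, dict(r.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)

def follow_chain(start, fetch, referer=GOOGLE_REFERER, max_hops=10):
    """Record (url, status) per hop until a non-redirect, a loop, or the hop cap."""
    hops, url, seen = [], start, {start}
    for _ in range(max_hops):
        status, hdrs = fetch(url, {"Referer": referer, "User-Agent": "Mozilla/5.0"})
        hops.append((url, status))
        location = {k.lower(): v for k, v in hdrs.items()}.get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        url = urljoin(url, location)          # handles relative Location values
        if url in seen:
            hops.append((url, "loop"))
            return hops
        seen.add(url)
    return hops                               # hop cap reached

# Constructed offline replay of the chain described above: gov lure -> intermediary
# -> product page, served only when the request carries a Google referer.
FAKE_SITE = {
    "https://placeholder.gov.gh/usps-eddm-template/": (302, {"Location": "/go?id=1"}),
    "https://placeholder.gov.gh/go?id=1": (302, {"Location": "https://intermediary.example/landing"}),
    "https://intermediary.example/landing": (302, {"Location": "https://product.example/item"}),
    "https://product.example/item": (200, {}),
}

def fake_fetch(url, headers):
    if headers.get("Referer") != GOOGLE_REFERER:
        return 200, {}          # no Google referer: plain article, no redirect
    return FAKE_SITE.get(url, (404, {}))
```

Swap `fake_fetch` for `urllib_fetch` to record a live chain; the hop list is what you would attach to a report alongside the Any Run task.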
Next we’ll dork for any other gov sites that have “USPS Template”-themed lures. We’ll use the dork “site:*.gov.* usps template”. After we scroll past the images, we can see USPS-themed articles from Ghana, Cambodia (KH), Bangladesh, Colombia, and Brazil.
I suspect the follow-on stages could have been used for something other than aliexpress products, but I’d have to research it further. We’ll save that for the next time and conclude.
The list of article titles leaves us with the question: Why are so many foreign governments so interested in USPS templates?
Summary in short:
- It appears that foreign government subdomains may have been compromised.
- Those foreign government subdomains appear to be hosting lure articles.
- The lure articles have been observed forwarding users to an intermediary generic page.
- That page forwards the users to an aliexpress product page.