Save Your Marriage
Many of our readers know we discovered about two weeks ago that our content was being misused to poison Google searches. We’ve now determined that cybercriminals have been poisoning Google with content from LOTS of websites and blogs, not just ours. We stumbled upon another poisoned message when we started to dig into an interesting email that arrived in one of our honeypot accounts. The subject line reads “This Saves Your Marriage… Starting Today!”
This email has all the signs of being spam at best, but is most likely malicious clickbait. It came from the crap domain called immuneston[.]bid. In our experience, no legitimate website uses the global top-level domain called “.bid.” It took the Zulu URL Risk Analyzer seconds to see that malware was waiting at the end of the clickable links in the above email, and our favorite WHOIS tool informed us that the domain immuneston[.]bid had been registered on the same day the email was sent!
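The triage described above (sender TLD plus WHOIS registration date compared with the send date), as an added Python example that is not code from The Daily Scam. The watchlist, the 7-day cutoff, the sample mailbox and display name, and both dates are assumptions made for illustration; the WHOIS lookup itself is done beforehand and passed in.

```python
from datetime import date, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

SUSPECT_TLDS = {"bid"}  # assumption: watchlist seeded from the article's remark
MAX_AGE_DAYS = 7        # assumption: cutoff for "newly registered"

def refang(text):
    """Turn analyst-style defanged dots ("[.]") back into real dots."""
    return text.replace("[.]", ".")

def triage_sender(raw_email, whois_created):
    """Flag a sender domain on a watched TLD or registered within MAX_AGE_DAYS
    of the Date header. whois_created maps domain -> WHOIS registration date."""
    msg = message_from_string(refang(raw_email))
    addr = parseaddr(msg.get("From", ""))[1]
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        return {"domain": None, "age_days": None, "reasons": ["no sender domain"]}
    reasons = []
    if domain.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        reasons.append("watchlisted TLD")
    created = {refang(k).lower(): v for k, v in whois_created.items()}.get(domain)
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if sent.tzinfo is not None:      # WHOIS dates are normally UTC
            sent = sent.astimezone(timezone.utc)
        sent = sent.date()
    except (TypeError, ValueError):      # header absent or malformed
        sent = None
    age_days = None
    if created is None:
        reasons.append("registration date unknown")
    elif sent is None:
        reasons.append("Date header missing or unparseable")
    else:
        age_days = (sent - created).days
        if age_days <= MAX_AGE_DAYS:     # negative: Date header predates the domain
            reasons.append("newly registered domain")
    # Report the domain defanged so it is not clickable in tickets or chat.
    return {"domain": domain.replace(".", "[.]"), "age_days": age_days, "reasons": reasons}

# Constructed sample: the sender domain and subject come from the article; the
# display name, mailbox and both dates are invented for illustration.
SAMPLE_EMAIL = (
    'From: "Marriage Help" <offer@immuneston[.]bid>\n'
    "Date: Tue, 10 Mar 2020 09:15:00 -0400\n"
    "Subject: This Saves Your Marriage... Starting Today!\n\n"
)
SAMPLE_WHOIS = {"immuneston[.]bid": date(2020, 3, 10)}
```

Calling `triage_sender(SAMPLE_EMAIL, SAMPLE_WHOIS)` reports an age of 0 days with both reasons set.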
And then we started to wonder about the content in that malicious email. It almost felt like some infomercial calling upon all failing marriages to come to the altar of salvation. So we decided to Google the opening line that began with “when I first met Kelly…” and were very surprised by what Google returned! The first sentence showed up, word for word, on a couple dozen websites across the Internet. Here’s a screenshot of the top five returned links. We were able to easily confirm that this content came from a man named Edward Lauraldale and was posted on his site called “save the marriage .com.” But look at some of the other crap domains that this text also appeared on….
Someone has been posting Mr. Lauraldale’s content on lots of sites across the Internet, including:
- An eMarketing health and fitness site
- Imtocopilla[.]cl (The official website for the municipality of Tocopilla, Chile)
- Pinterest accounts in Chile, France, and Spain (including a “funny height challenge” account)
- A sketchy shopping site that primarily sells nail/face products and is very poorly rated by ScamAdvisor.com (DO NOT VISIT IT!)
- A Facebook account that did something to violate their rules and was subsequently closed
- A SUPER sketchy website called bostonbroker[.]info containing many pages of suspicious content. (This domain was registered on January 28, 2020.)
This unusual list of websites also included San Michele Laboratory in Italy. (See the screenshot above.) This site especially caught our attention because our content was posted on about a dozen websites in Italy. We decided to search for this Italian website, called “laboratoriosanmichele[.]it.” (We DO NOT recommend that our readers EVER do this unless they are skilled in using various browsers! E.g., doing this search using Chrome will actually SEND you to the website and possibly result in a malware infection, but Firefox will not.)
Again, we were surprised to discover that this Italian website also included a web page called “Costco Laptop Store Pickup!” VirusTotal.com easily confirmed that this bogus page had malware lying in wait to attack visitors’ devices….
All of this insanity confirmed to us that the manipulation of our content was a small part of a broad and extensive attack on citizens across the world by weaponizing the Google search engine. This has happened before, back in 2016 as we recall. Google now has a serious problem and it is very likely leading to malware infections on thousands of people’s devices. COVID-19 isn’t the only pandemic raging on the planet right now. We urge all our readers to be very cautious about the links they click!
By the way, since last week’s list of malicious websites on which we’ve found our content, we can add the following sites:
- New.stanko-volga[.]ru (hosted in Russia)