HackRead

GoogleUserContent CDN Hosting Images Infected with Malware

July 20th, 2018 Waqas Security, Malware

The malware targets trusted Google sites.

Hackers have embedded malicious code in the metadata fields of images uploaded to Google's trusted Content Delivery Network (CDN) and are using them to compromise websites. The approach is especially damaging because users do not scan images for malware.

The injected malware hides its code in EXIF (Exchangeable Image File Format) metadata, and the compromised images are hosted on official Google properties including the Google+ social network, GoogleUserContent sites, and blogging platforms such as Blogger.com.

A similar scheme was previously observed on GitHub and Pastebin, where cybercriminals managed to hide malware in uploaded images, but the latest campaign surpasses its predecessors. The campaign was discovered by the cyber-security firm Sucuri and the findings were disclosed on Thursday. It is worth noting that Sucuri has since been acquired by GoDaddy.

Security researcher Denis Sinegubko at Sucuri identified the malware distribution scheme, which used the GoogleUserContent CDN to host one of the infected images. When such an image is downloaded and its hidden code executed, the malware immediately infects the site. The attacker then only has to wait for the infected sites to report back and launch attacks against the sites that have been compromised.

Because of this, Sinegubko assessed, sites outside of the GoogleUserContent system can be infected as well.

In his report published on Wednesday, Sinegubko wrote that the identified campaign focused on stealing PayPal security tokens with the intention of bypassing PayPal's authentication process.

Hackers uploaded an image to Google's CDN and used a steganography technique to embed malware in it: they take the image file and hide the malicious code in its User Comment EXIF metadata field. In this campaign the hidden code is a Base64-encoded string.

Decoding this string more than once yields a script that uploads a predefined web shell, along with other files, to the targeted server. The web shell could then deface the server, and the attacker received the addresses of the sites that had been exploited successfully.
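The detection side of what the two paragraphs above describe, as an added example that is not part of the original article or of Sucuri's research: a small Python scanner that walks a JPEG's segments, parses the Exif APP1 block, pulls out the UserComment tag (0x9286) via the Exif IFD pointer (0x8769), peels nested Base64 layers and flags content that looks like server-side code. The JPEG builder, the marker list and both sample comments are constructed for this example; the "suspicious" sample is an inert marker string, not a real payload.

```python
import base64
import re
import struct

EXIF_IFD_POINTER = 0x8769  # IFD0 tag that points at the Exif sub-IFD
USER_COMMENT = 0x9286      # Exif tag abused in the campaign described above
CODE_MARKERS = (b"<?php", b"eval(", b"base64_decode", b"system(", b"file_put_contents")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def build_exif_jpeg(user_comment: bytes) -> bytes:
    """Constructed fixture: minimal JPEG (SOI, APP1/Exif, EOI) with one UserComment entry."""
    tiff = bytearray(b"II*\x00" + struct.pack("<I", 8))             # LE header, IFD0 at 8
    exif_ifd_off = 8 + 2 + 12 + 4                                    # right after IFD0
    tiff += struct.pack("<H", 1)                                     # IFD0: 1 entry
    tiff += struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, exif_ifd_off)  # type LONG
    tiff += struct.pack("<I", 0)                                     # no next IFD
    payload = b"ASCII\x00\x00\x00" + user_comment                   # 8-byte charset prefix
    data_off = exif_ifd_off + 2 + 12 + 4                             # right after Exif IFD
    tiff += struct.pack("<H", 1)                                     # Exif IFD: 1 entry
    tiff += struct.pack("<HHII", USER_COMMENT, 7, len(payload), data_off)  # type UNDEFINED
    tiff += struct.pack("<I", 0) + payload
    app1 = b"Exif\x00\x00" + bytes(tiff)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _ifd_entry(tiff: bytes, order: str, ifd_off: int, tag: int):
    """Find one tag in the IFD at ifd_off; return (count, raw 4-byte field) or None."""
    if ifd_off + 2 > len(tiff):
        return None
    (n,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    for i in range(n):
        e = ifd_off + 2 + 12 * i
        if e + 12 > len(tiff):                    # truncated IFD: stop, don't crash
            break
        t, _typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        if t == tag:
            return count, tiff[e + 8:e + 12]
    return None

def _user_comment_from_tiff(tiff: bytes):
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order from the TIFF header
    if order is None:
        return None
    (ifd0_off,) = struct.unpack(order + "I", tiff[4:8])
    pointer = _ifd_entry(tiff, order, ifd0_off, EXIF_IFD_POINTER)
    if pointer is None:
        return None
    (exif_off,) = struct.unpack(order + "I", pointer[1])
    comment = _ifd_entry(tiff, order, exif_off, USER_COMMENT)
    if comment is None:
        return None
    count, raw = comment
    (data_off,) = struct.unpack(order + "I", raw)   # value is >= 8 bytes, so raw is an offset
    return tiff[data_off:data_off + count][8:]       # drop the character-code prefix

def extract_user_comment(jpeg: bytes):
    """Walk JPEG segments up to SOS and pull UserComment out of the Exif APP1 block."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)   # not a JPEG: skip the loop
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if jpeg[pos] != 0xFF or marker in (0xD9, 0xDA):   # bad marker, EOI or SOS
            return None
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _user_comment_from_tiff(body[6:])
        pos += 2 + seg_len
    return None

def peel_base64(data: bytes, max_layers: int = 5):
    """Strip nested Base64 layers (the campaign used more than one); return (data, layers)."""
    layers = 0
    while layers < max_layers:
        compact = b"".join(data.split())
        if len(compact) < 8 or len(compact) % 4 or not B64_RE.match(compact):
            break
        try:
            data = base64.b64decode(compact, validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            break
        layers += 1
    return data, layers

def assess_image(jpeg: bytes) -> dict:
    """Flag an image whose UserComment, after Base64 peeling, looks like server-side code."""
    comment = extract_user_comment(jpeg)
    if comment is None:
        return {"user_comment": None, "layers": 0, "suspicious": False, "decoded": b""}
    final, layers = peel_base64(comment)
    return {"user_comment": comment, "layers": layers, "decoded": final,
            "suspicious": any(m in final for m in CODE_MARKERS)}

# Constructed samples: an ordinary comment and an inert, double-encoded marker string.
BENIGN_COMMENT = b"Sample photo, 2018"
INERT_MARKER = b"<?php /* constructed inert marker, not a real payload */ echo 'marker'; ?>"
SUSPICIOUS_COMMENT = base64.b64encode(base64.b64encode(INERT_MARKER))

if __name__ == "__main__":
    for name, c in (("benign", BENIGN_COMMENT), ("suspicious", SUSPICIOUS_COMMENT)):
        r = assess_image(build_exif_jpeg(c))
        print(f"{name}: layers={r['layers']} suspicious={r['suspicious']}")
```

Running the block reports zero Base64 layers for the benign comment and two for the constructed one, which is then flagged on the `<?php` marker. In practice a check like this belongs where a site fetches or ingests images from an external CDN; a UserComment that only becomes readable after more than one Base64 layer is a strong signal on its own, since camera and editing software typically writes plain text there.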

Executing code from EXIF data (Image credit: Sucuri)

Sinegubko says that hiding malware in EXIF data was not what concerned him most; far more worrying was that hackers were using the GoogleUserContent CDN to serve it. It is quite a novel idea and one that will definitely give security researchers restless nights.

A further reason for concern is that there is no standard way to notify Google about an infected image: the company has a reporting process for copyright infringement but not for security-related issues. Sinegubko writes:

“Google has many tools to remove content but it’s not obvious how to report malware in images. Most of their tools require providing links to original posts, pages, or comments that contain the infringing content. The image here is not a part of some known public content.”

The source of the malware upload couldn’t be identified by the researchers. “It’s hard to say where the images originate from, as their URLs are anonymized and have the same format,” explained researchers at Sucuri.
