Marzo, 2022

In a world that’s constantly changing, it’s important for Google Maps to give you the freshest, most up-to-date information possible — so you can know whether the restaurant down the street from you reopened or if your neighborhood grocery store has curbside pickup. One way we do this is through contributed content.

Every day we receive around 20 million contributions from people using Maps. Those contributions include everything from updated business hours and phone numbers to photos and reviews. As with any platform that accepts contributed content, we have to stay vigilant in our efforts to fight abuse and make sure this information is accurate. Thanks to a combination of machine learning and human operators, we continue to decrease the amount of content seen on Maps that is fraudulent or abusive – in fact, it’s less than one percent of all the content that is viewed on Maps. Today, we’re sharing more about how we kept irrelevant and offensive information off of Google Maps throughout 2021.

Keeping business information reliable

The world shifted throughout 2021 with the rollout of vaccines, updates to mask mandates, and new COVID variants. Our community of Maps users showed up in full force to update Google Maps with fresh information about their communities. In fact, throughout 2021, their contributions helped us add updated business information, such as a place’s hours of operation or its health and safety protocols, for 30% more businesses than in 2020.

But sometimes fraudsters try to update business information on Google Business Profiles with abusive edits. In 2021, we blocked more than 100 million of these edits from going live thanks to our continued advancements in machine learning models that improved our ability to catch bot activity and unearth suspicious activity patterns. Here’s a deeper look at the information we removed from Maps:

• Thanks to advancements in our technology, we identified and removed more than 7 million fake Business Profiles — more than 630,000 of which were reported directly to us.
• We stopped more than 12 million attempts from bad actors to create fake Business Profiles and nearly 8 million attempts from bad actors to claim Business Profiles that didn’t belong to them.
• Thanks to continued improvements in our machine learning, our technologies and teams disabled more than 1 million user accounts due to policy-violating activity, such as online vandalism or fraud.

Verifying photos, videos and reviews on Business Profiles

As the world reopened throughout 2021, people relied on Google Maps reviews to get the information they needed about places before visiting them — like what health and safety protocols were enforced or if there was outdoor dining and open spaces.

However, we also saw individuals and groups attempt to use fake reviews as a tactic to hurt local businesses — oftentimes spurred by public attention on differences in opinions. In 2021, to prevent violative content from appearing on Google Business Profiles, we put protections on over 100,000 businesses after detecting suspicious activity and abuse attempts. Here’s what else we did in 2021 in our efforts to keep the content in Google Maps reliable:

• We blocked or removed more than 95 million policy-violating reviews, over 60,000 of which were taken down due to COVID-related instances.
• We took down more than 1 million reviews that were reported directly to us.
• As a result of continued advancements in our machine learning, our technologies and teams blocked or removed more than 190 million photos and 5 million videos that were blurry, low quality, or violated our content policies.

Local knowledge that our global community contributes is a huge part of what makes Google Maps more than a navigation tool. We’ll continue to invest in keeping this information fresh and reliable so you can discover information about the world around you.

On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups’ activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.

We observed the campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year. The exploit was patched on February 14, 2022. The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022.

We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.

In this blog, we will walk through the observed tactics, techniques and procedures, share relevant IOCs and analyze the exploit kit used by the attackers. In line with our current disclosure policy, we are providing these details 30 days after the patch release.

Campaign targeting news media and IT companies

The campaign, consistent with Operation Dream Job, targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.

Victims who clicked on the links would be served a hidden iframe that would trigger the exploit kit.

Attacker-Owned Fake Job Domains:

• disneycareers[.]net
• find-dreamjob[.]com
• indeedus[.]org
• varietyjob[.]com
• ziprecruiters[.]org

Exploitation URLs:

• https[:]//colasprint[.]com/about/about.asp (legitimate but compromised website)
• https[:]//varietyjob[.]com/sitemap/sitemap.asp

Campaign targeting cryptocurrency and Fintech organizations

Another North Korean group, whose activity has been publicly tracked as Operation AppleJeus, targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.

Attacker-Owned Websites:

• blockchainnews[.]vip
• chainnews-star[.]com
• financialtimes365[.]com
• fireblocks[.]vip
• gatexpiring[.]com
• gbclabs[.]com
• giantblock[.]org
• humingbot[.]io
• onlynova[.]org
• teenbeanjs[.]com

Compromised Websites (Feb 7 – Feb 9):

• www.options-it[.]com
• www.tradingtechnologies[.]com

Exploitation URLs:

• https[:]//financialtimes365[.]com/user/finance.asp
• https[:]//gatexpiring[.]com/gate/index.asp
• https[:]//humingbot[.]io/cdn/js.asp
• https[:]//teenbeanjs[.]com/cloud/javascript.asp

Exploit kit overview

The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.

The kit initially serves some heavily obfuscated javascript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.

Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:

• Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
• In some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
• The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
• Additional stages were not served if the previous stage failed.

Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on MacOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.

Example Exploit Kit:

• 03a41d29e3c9763093aca13f1cc8bcc41b201a6839c381aaaccf891204335685

The attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, which stresses the importance of applying security updates as they become available.

Protecting Our Users

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from these activities. We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.