Goggle on Google?

Advertisers of rogue antispyware and their cohorts strike again! This time using the typosquatting method that oh so easily dupes the unwary keyboard thumper. Miss an ‘O’ and type a ‘G’ instead and you may just get more files that what you bargained for.

Note: Goggle.com is currently being leeched. Standby for updates.


Update (Ivan, 16 November 2005 11:40:51)

We have reported a very similar incident before that targets a typo on GOOGLE, where users type and hit enter on GOOGKLE instead of GOOGLE, mis-typing the letter “K”, which as it happens, is very conveniently situated just before the letter “L” in QWERTY keyboards… And before the user is able to spell G-O-O-G-L-E (correctly, this time), vast amounts of spyware and greyware have already been downloaded and executed in the system!… Sinister!



Update (X10, 16 November 2005 18:10:41)

Yet another aggressive advertising strategy riding on the typosquatting technique. A mistaken key, could lead the client into downloading rogue antispyware and installing them into the system.

Upon entering www.goggle.com, the user will be greeted with this pop-up (if the ActiveX options are activated):




If the ActiveX is triggered, then it will install the SpyBouncer, a rogue antispyware.

And another pop-up will appear, which when clicked will install the Spyspotter from his location: http://download.spyspotter.com/spyspotter/spsp2995310.01noopt/spyspotterwebinstall.exe. (Spyspotter is another rogue antispyware.)


In classic case of social engineering to fool the user, the site displays an animation where it pretends to scan the user’s system for spyware. And if ActiveX is not enabled, you will be notified by your browser of this ActiveX scripting attempt (tested on Internet Explorer 6.0)




And when you click that scanning portion, or the “Click Here” hyperlink, you will be prompted to Open or Save the installer file from: http://www.spybouncer.com/gsetup.exe

There are also other advertisements in the site:

This is the one of them:




This will lead the user to: http://www.dvdwizardpro.com/index.html (no auto installations here)

And here’s another one:




Which will lead the user to: http://www.errorguard.com/index-rev.html?a=714-23

In the continuing thrust for aggressive advertising by spyware groups, their clients and their affiliates, sites like these have been born. Continually preying on unsuspecting users… To err is human after all, and if those errors could bring them the profit they want, then they’re doing it.

Note: Thanks to Maria Patricia Revilla for checking with our spyware cleanup process.