Is this a new Google scam?



  • Just today we needed a specific version of some software (TRWTF: software that can't read or write other versions of itself), so we were searching Google to buy it. A link on a government website caught our eye. Clicking the link redirected to a completely different site, selling it for $150 instead of the usual $1000-ish. That raised automatic red flags, so there was no way we were going to buy from that site, but it was still interesting for one reason. Copying and pasting the green URL resulted in a 404. Changing the name of the parameter from names returns the normal website.

    Google search link

    Has anyone else noticed these? I saw a similar thing on other sites. They all appear to be running Joomla, unsure of versions. Obviously "they" somehow got into the server, planted some settings in .htaccess and redirected "names" to a PHP file that then checks the referer and, if it is not Google, simply returns 404 - I suspect to avoid detection.
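
A site owner can test for the behaviour described in the post above by requesting the same URL twice, once with no Referer and once with a Google Referer, and comparing the answers. The following is an added example, not part of the original thread; the hostnames, function names and the simulated server are constructed for illustration.

```python
"""Check one URL for referer-based cloaking (added example; names are illustrative)."""
import http.client
from urllib.parse import urlsplit

GOOGLE_REFERER = "https://www.google.com/"  # assumption: what a search click-through sends

def fetch(url, referer=None, timeout=10):
    """One GET without following redirects; returns (status, Location header)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers={"Referer": referer} if referer else {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_cloaking(url, fetcher=fetch):
    """Compare a direct request with one that claims to arrive from Google."""
    direct = fetcher(url, None)
    via_search = fetcher(url, GOOGLE_REFERER)
    status, location = via_search
    own_host = urlsplit(url).hostname
    # A relative Location has no hostname and therefore stays on the same site.
    offsite = bool(location) and urlsplit(location).hostname not in (None, own_host)
    differs = direct != via_search
    return {"direct": direct, "via_search": via_search, "differs": differs,
            "suspicious": differs and 300 <= status < 400 and offsite}

# Constructed stand-ins so the check can be exercised offline.
def simulated_compromised_site(url, referer):
    """404 unless the Referer is Google, then a 302 to another host."""
    if referer and "google." in urlsplit(referer).hostname:
        return 302, "http://shop.example/cheap-software"
    return 404, None

def simulated_clean_site(url, referer):
    """Same answer whatever the Referer."""
    return 200, None

if __name__ == "__main__":
    for site in (simulated_compromised_site, simulated_clean_site):
        print(site.__name__, check_cloaking("http://site.example/names/x", site))
```

Run it against your own site from a network that does not strip the Referer header, otherwise both requests look identical and the check reports nothing.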



  • I had noticed similar things happening on other sites that were using things like WordPress/TinyMCE/other popular CMS or plugin with a vulnerability.

    The thing is, would we want Google to start penalising URLs that behaved differently depending on the referrer? That would be a huge mess, and likely not something they'd do anyway as it would affect the web stats service they offer.

    Oh, on a side note, as you spotted it first, it's your civic duty to notify the site they've been compromised :)



  • @ASheridan said:

    Oh, on a side note, as you spotted it first, it's your civic duty to notify the site they've been compromised :)
     

    Estimated results:

    WHY DID YOU HACK OUR SITE

    YOU CAN'T DO THIS

    WE'LL SUE



  • Wow... never seen any of these. According to Chrome, the site .gov.au sends a 302 with the Location header pointing to the scammer's site. Nice!

    So, if you tell them they were hacked, please post their answer here.



  • Actually, I do want Google to punish people who attempt to deceive Google.



  • @dhromed said:

    Estimated results:

    WHY DID YOU HACK OUR SITE

    YOU CAN'T DO THIS

    WE'LL SUE

    Considering it's a website run by the Queensland Government, it wouldn't surprise me if they did that and then shut it down due to cost cutting measures so that Can Do Campbell and co can have another pay rise.



  • @ubersoldat said:

    Filed under: oh! it's Powered by PHP

     



  • Which link is supposedly the one that was hacked? This one: www.qraa.qld.gov.au/ works fine regardless of my referrer.

    Oh wait I see what you're talking about now. Huh.



  • @Douglasac said:

    @dhromed said:

    Estimated results:

    WHY DID YOU HACK OUR SITE

    YOU CAN'T DO THIS

    WE'LL SUE

    Considering it's a website run by the Queensland Government, it wouldn't surprise me if they had you arrested for hacking their website.
    FTFY

     



  • @blakeyrat said:

    Which link is supposedly the one that was hacked? This one: www.qraa.qld.gov.au/ works fine regardless of my referer.

    Oh wait I see what you're talking about now. Huh.

     

    FTFY. ;)

     



  • Bugger, all the links return 404 now. Didn't get to call them out on the shenanigans! And overnight too, wow!



  • @Zemm said:

    Bugger, all the links return 404 now. Didn't get to call them out on the shenanigans! And overnight too, wow!
    Just tried several of the links, they all still work for me.  I even tried some that are a few pages in.



  • @El_Heffe said:

    @Zemm said:

    Bugger, all the links return 404 now. Didn't get to call them out on the shenanigans! And overnight too, wow!
    Just tried several of the links, they all still work for me.  I even tried some that are a few pages in.

     

    OK It must have been the free wifi stripping Referer headers - courtesy of the Queensland Government (Queensland Rail commuter train wifi). I'm at work now and indeed the scam is still active. I'll let them know. I have dealt (professionally) with other Queensland Government departments so that should give me some creditability!

     

     



  • @El_Heffe said:

    @Douglasac said:

    @dhromed said:

    Estimated results:

    WHY DID YOU HACK OUR SITE

    YOU CAN'T DO THIS

    WE'LL SUE

    Considering it's a website run by the Queensland Government, it wouldn't surprise me if they had you arrested for hacking their website.
    FTFY
    And then they'll try and have you and I arrested for making fun of them.



  • @ubersoldat said:

    So, if you tell them they were hacked, please post their answer here.
     

    I got a response that was non-WTF, thanking me for the heads up and a "++internets to you" and they have removed a 92k obfuscated PHP include, blaming Marketing for the choice of CMS and host.

    How boring. :-)

    Except giving me a "plus plus internets"!



  • @Zemm said:

    a "++internets to you"
     

    It means their IT folk are over-engineering premature optimizers with a pointless CS degree who can't get a job at a real IT firm.

    Probably.

    I'm good at drawing a full picture from a single word.



  • @Zemm said:

    I got a response that was non-WTF, thanking me for the heads up and a "++internets to you"
     

    LIES! Clueful Govt? Down under? Must be smoking a different set of kangaroos.

    Post response here. I demand to see evidence of this rare non-WTF communication from the public sector!



  • @Zemm said:

    You make me crazy when you talk talk talk talk talk like like like like like that that that that that
     

    Is that a transcript from the chorus of one of those R&B-ish popsongs from the past year?



  • @Mason Wheeler said:

    @blakeyrat said:
    Which link is supposedly the one that was hacked? This one: www.qraa.qld.gov.au/ works fine regardless of my reefer.

    Oh wait I see what you're talking about now. Huh.

    FTFY. ;)
    FTFY

     


  • BINNED

    @dhromed said:

    @Zemm said:

    a "++internets to you"
     

    It means their IT folk are over-engineering premature optimizers with a pointless CS degree who can't get a job at a real IT firm.

    Probably.

    I'm good at drawing a full picture from a single word.

    Using prefix increment is not premature optimization.

     



  • @topspin said:

    Using prefix increment is not premature optimization.
     

    Is that supposed to link to a page within the book?


  • BINNED

    @dhromed said:

    Is that supposed to link to a page within the book?
     

    Yes. Doesn't it work? (works for me, but who knows with those google links)
    Should be chapter/item 9, titled "9. Don't Pessimize Prematurely"


  • ♿ (Parody)

    @topspin said:

    @dhromed said:
    Is that supposed to link to a page within the book?

    Yes. Doesn't it work? (works for me, but who knows with those google links)
    Should be chapter/item 9, titled "9. Don't Pessimize Prematurely"

    Who can tell? It's all in German or something.



  • @dhromed said:

    Is that a transcript from the chorus of one of those R&B-ish popsongs from the past year?

    2008 actually and not R&B. That song came on when I was writing the OP.

    @Cassidy said:

    LIES! Clueful Govt? Down under?

    I can assure you, it's a surprise to me too! It only took another department six months to do a two week project, and it's still not complete.

    @dhromed said:

    It means their IT folk are over-engineering premature optimizers

    Or they are taking ++ as some sort of meme?



  • @Zemm said:

    It only took another department six months to do a two week project, and it's still not complete.
     

    Normality has resumed...


  • Discourse touched me in a no-no place

    @topspin said:

    Doesn't it work?
    Not working here either - just a blank page with, what I presume to be where the words should be, just highlighted sections. Is http://www.icodeguru.com/cpp/CPPCodingStandardsLiB/ch09lev1sec2.html more or less what you were linking to?



  •  Yes, that's what it is, and weird, it works here as well...



  • [url=http://books.google.com/books?id=mmjVIC6WolgC&pg=PT90&lpg=PT90&dq=Don%E2%80%99t+pessimize+prematurely&source=bl&ots=ccStKQfJWd&sig=CirZT0c8Hx06Iez8ytAYC6QRFrE&sa=X&ei=XaZkUI7ZFcXIsgbmv4CYBw&ved=0CFUQ6AEwBg#v=onepage&q=Don%E2%80%99t%20pessimize%20prematurely&f=false]s/.de/.com/[/url]



  • @topspin said:

    Using prefix increment is not premature optimization.
     

    This links to the normal book page, in German.

     @PJH said:

    Is http://www.icodeguru.com/cpp/CPPCodingStandardsLiB/ch09lev1sec2.html more or less what you were linking to?
     

     This links to a completely different site, but it's the right piece of text?

    @Xyro said:

    s/.de/.com/
     

    This links to the Google main book page again, except in Dutch.

     

    Tested in Chrome as well.

    Maybe Google disallows search-in-books for some countries?

     



  • @dhromed said:

    @Xyro said:
    s/.de/.com/
    This links to the Google main book page again, except in Dutch.

    Interesting. I feel compelled to create a spreadsheet of the different behaviors we've seen so far cross-referenced with locale... But that's too much like real work, and avoiding that is the reason I'm here in the first place. Solution failure.


  • BINNED

    @Xyro said:

    s/.de/.com/

    Duh. I tried to get rid of the German stuff and removed the "&hl=de". Totally forgot about the obvious TLD.

    @dhromed said:

    @topspin said:

    Using prefix increment is not premature optimization.
     

    This links to the normal book page, in German.

    Who knows what Google does there, but it's probably location dependent. Similar to how I can't watch a kitten video on YouTube because someone somewhere in the background plays a fracture of a second of something Sony thinks they own the copyright to.

    And yes, PJH's link had the right text to it, but without the chapter introduction.

     

