It has been 11 years since the Google Doodle Pac-Man game was published. Many of us may remember this Google Doodle as it was the first interactive Google Doodle made. Unfortunately, like many fun things, there are those who see opportunity and take advantage of that. We recently noticed DNSWatch traffic blocking googlepacman[.]net. After some review, it was apparent that the website was Domain Parking by using the name ‘Google’ without any real association to Google or the Google Doodle Pac-Man game. It only consists of a GIF of the game and description found at the actual Google Doodle Pac-Man page, and some other game listings not related to Pac-Man.
The intention is to get the user to click on the Pac-Man GIF as one could reasonably assume that clicking on it will bring you to the game. It doesn’t. A click will redirect you to one of many domains, each requesting that you allow access for some reason or another. One example of a redirect we came across requested the enablement of push notifications to play a YouTube video displayed on the page. In the case with the image below, it is for verifying you are not a bot.
As is a default behavior of many of us, we clicked ‘Block’.
Clicking ‘Block’ led to a second attempt for the user to click on an apparent CAPTCHA. The page would then lead to another redirect, and again attempt to get the user to enable push notification. If that failed, it would normally redirect to google[.]com.
We reversed course to test out the outcome if we had enabled push notification. The image below shows it produced many junky ads, as expected.
The push notification ads would pop up every few minutes. We enabled notifications for several domains, so we continued to be bombarded by the notifications. To find out the intended outcome of these notifications we clicked on a few of them. They behaved in two ways. One was to redirect to a different domain and again request the user to enable push notifications. The other would redirect the user to install a Potentially Unwanted Program (PUP). Multiple times we were directed to install TotalAV Windows Antivirus software.
There is plenty of information online to show that many people have been directed to install TotalAV under false pretenses or in confusing circumstances, as we see in this example. Once installed, the software may produce a false positive to persuade the user to purchase their software. We found another example of Norton Antivirus software being peddled.
The notifications are in other forms as well as we can see the bottom one is pornographic clickbait. A click unsurprisingly leads to an adult website.
The main issue with Chrome notifications is that the URL is not visible if you hover over the notification. It isn’t obvious to the user if they are being directed to the content being advertised. In the example presented with googlepacman[.]net, the push notifications led mostly to PUPs and more intrusive ads. While those are not harmless, there is potential for these notifications to be used in a way to direct users to install Trojan software or other malwares.
The process of removing these push notifications is quick. In Chrome settings, go to ‘Privacy and Security’ and click ‘Site Settings’. You will see the most recent configured domains at the top of the page, and further down an option to click ‘View permissions and data stored across sites’ to see all the domains. After clicking on one of the domains, change Notifications to Block.
Malicious/suspicious domains we were redirected to from the googlepacman[.]net domain:
premiumbros[.]com
quicklisti[.]com
kokotrokot[.]com
allowsuccess[.]org
time4news[.]net
aloha-news[.]net
besty-deals[.]com
Other suspicious domains found in a PCAP analysis:
www1.news-back[.]org
inpagepush[.]com
youradexchange[.]com
feed.r-tb[.]com
news-easy[.]org
t.ocmhood[.]com
t.r-tb[.]com
bigrourg[.]net
my.rtmark[.]net
data-px[.]services
ny-t.r-tb[.]com
brandlle[.]com
qubscribe[.]com