Wednesday, December 6, 2023

Skype Users Be Aware : Abusing Interstitial Malcrafted Search Pages on Skype

If you are a Skype user be aware of Baidu spam links, you may get from anyone of your Skype contacts.Do not click on those links, if you click on it you may end up with fake Articles.

Links look’s like this

After Google, Baidu is one of the most popular search Engine for websites, also it offers many other web services and it shouldn’t be involved in span campaigns.

How this Spam links work

These are done by the malicious people to abuse Baidu search results. Baidu don’t use to link site’s directly, instead links to interstitial redirect pages. Which tell’s Baidu links have been clicked in their search engine results pages (SERPs) and may help to increase the page rank.

For example, if you search “Gbhackers on Security” and click the result for, the actual link will be something like this:

This redirect from Baidu changes as well. If you search for “Gbhackers on Security” again, you’ll get a new interstitial link with a different encrypted url parameter that still redirects to

Reason for Abusing Interstitial Search Pages on Skype

Why Skype campaign, scammers abuse these interstitial Baidu pages.

  1. To get malicious pages indexed in Baidu search results.
  2. Search Baidu to find their malicious links in the SERP.
  3. From the SERP, copy the links to Baidu’s interstitial pages.

To make the links more trusted for Skype users to click on, these malware adds an random fragment identifier using the skype name of the recipient (e.g. #emubahyt= from the link at the top of this post).

List of Domain name’s used in Campaign

Baidu links redirect to sites hosted on the server with IP address 46 .30 .46 .78:

abatapka[.]ru – created on Nov 7, 2016
 3d-universe[.]ru – created on Nov 3, 2016
 abc-sport[.]ru – created on Nov 7, 2016
 gieldoweb[.]info – created on Nov 12, 2016
 tria42[.]ru – created on Nov 18, 2016
 tehnoenerg[.]ru – created on Nov 1, 2016

New Fake Site’s

Sites on the 46 .30 .46 .78 server randomly redirect to one of the following fake “news sites”:

 brainvipwit[.]com/?a=370960&c=brain&s=gipo&42988 – – created on Nov 11, 2016
 brainvlllwit[.]com/?a=370960&c=brain&s=gipo&49374 – – created on Nov 16, 2016
 intellectvvv[.]com/?a=373727&c=brain&s=lefo&91446 – – created on Nov 15, 2016
 witxxsmind[.]com/?a=373727&c=brain&s=lefo&82834 – – created on Nov 15, 2016
 vipiqfmind[.]com/?a=370960&c=brain&s=gipo&94704 – – created on Nov 28, 2016

What if I received this Malicious links in Skype?

  1. Don’t click on it (or on any link where you can’t be sure where the link will send you) – it can be a rather benign spam, but can easily be a malicious page that will install viruses on your computer or smartphone.
  2. Next step is to notify the person that “sent” you the link that their Skype account was hacked and they should change the Skype password, recommend them to set a strong password.

Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles