Our Remediation team lead Ben Martin recently found a fake Google domain that is pretty convincing to the naked eye.
The malicious domain was abusing the URL shortener service is.gd: shortened URLs were being injected into the posts table of the client’s WordPress database.
Whenever the infected WordPress page loads, the actual content is obscured behind the is.gd shortener, which obtains content from the fake Google domain: fonts[.]googlesapi[.]com
Fake Google Domain Leveraged in Obfuscation Attempts
In terms of the registration date (2018-11-27), this domain is not that new.