Googleusercontent

From Free Knowledge Base- The DUCK Project: information for everyone


googleusercontent.com

There is a security risk involved. Because legitimate organizations and scammers alike rent capacity on the same Google Cloud system behind googleusercontent.com, it is difficult to tell which active connections to hosts on that domain are not malicious. The system has historically been used by data thieves, hackers, and ordinary corporate logistics operations, to name a few. An active connection on your idle system could indicate an intruder, or it could simply be Firefox or the operating system updater doing its job; the hostname alone does not tell you which. COMPANIES SHOULD NOT USE SERVICES FROM GOOGLE CLOUD, as the same system is being used for malicious activity, and Google is making insufficient effort to keep criminals from using it.

Two examples of legitimate organizations that also use googleusercontent.com for various purposes:

  • Canonical aka Ubuntu Linux
  • Mozilla Firefox

Hackers have found a way to share malware via trusted and reliable Google servers such as those under googleusercontent.com. googleusercontent.com is Google's domain for serving user-supplied content from a separate origin, so that a malicious upload cannot run scripts or read cookies in the context of Google's own pages. That same-origin isolation protects google.com; it does nothing to stop the hosted content itself from being malicious.

"bc.googleusercontent.com" is Google's computing cloud: the reverse-DNS (PTR) names of Google Compute Engine external addresses take the form D.C.B.A.bc.googleusercontent.com, with the octets of the IPv4 address A.B.C.D reversed.

A host with a bc name therefore sits on Google Compute Engine (Google Cloud), but it does not have to belong to Google itself. It is a service anyone can use: various commercial entities, organizations, and private individuals pay to run their own virtual machines on it, so the bc name identifies the hosting provider, not the operator.

One might assume that the domain is reserved for third-party use and that Google's own activity is excluded from it. In practice only the bc subdomain maps to customer-operated machines; Google itself runs plenty of services on googleusercontent.com. Google stores images there, serves cached copies of websites visited by the Google search engine from it, and in general uses the domain for static content, i.e. content that is not expected to change.

Other googleusercontent.com hostnames that belong to Google's own services:

  • lh3.googleusercontent.com Used for loading images (originally for Google+; now Google Photos, profile pictures and Maps imagery).
  • lh5.googleusercontent.com Used for loading images (as above).
  • lh6.googleusercontent.com Used for loading images (as above).
  • s3.googleusercontent.com Used for loading favicons for AdWords ads.
  • static.googleusercontent.com Static content for Google properties.
  • themes.googleusercontent.com Used for loading font files for Google Fonts (generally referenced from CSS served by fonts.googleapis.com).
  • translate.googleusercontent.com Google Translate service.

Notes on URL patterns:

Several servers host Google user content; they appear as lh[1-6].googleusercontent.com, and the object path that follows carries a prefix that hints at which service uploaded it.

For example, a picture in a Google Maps review gives a URL such as https://lh5.googleusercontent.com/p/AF1QipO_dHIeVRPSIqwxu3VQY7n0rh_R_6oH92NKSJzE, whose object prefix is "AF1Qip".

Google profile pictures start with "AOh14G".

Google Photos / Albums URLs also start with "AF1Qip".

Mozilla Firefox using googleusercontent.com

Mozilla uses the Google Cloud Platform for some Firefox components; this is rented server capacity. Browser extensions can likewise use googleusercontent.com to host some of their data files, so a Firefox process talking to the domain is not by itself a sign of compromise.

Ubuntu Canonical using googleusercontent.com


  • connectivity-check.ubuntu.com

Ubuntu's connectivity checking is a NetworkManager feature that periodically fetches a URL to find out whether the system can reach the Internet (and whether a captive portal is in the way). The hostname it contacts is Canonical's, but part of it resolves to Google Compute Engine addresses. This is in poor taste on the part of the NetworkManager and Ubuntu developers, as it creates what looks like suspicious connections to a domain that is known to host malware and other types of misuse.

Recommended Solution for Ubuntu / Mint Linux Users: disable Network Manager connectivity checks

  • You can disable connectivity checking inside the menu: Preferences -> System settings -> Privacy -> Connectivity.

In the System Settings dialog under "Internet connectivity" is an ON/OFF toggle with the description: "Check that network connections can reach the Internet. This makes it possible to detect captive portals, but also generates periodic network traffic."

You DO NOT NEED, nor benefit from, connectivity checks if you are on a home computer connected to your own LAN or on an office computer connected to an office LAN, especially over an Ethernet cable rather than wireless: the check only exists to detect captive portals. It is best to disable it unless you are using a laptop and plan on visiting an Internet cafe or other public Wi-Fi.

  • You can keep it enabled and point it at a different host/domain instead of one that resolves to googleusercontent.com. The packaged default is in:
sudo vi /usr/lib/NetworkManager/conf.d/20-connectivity-ubuntu.conf

Look for:

[connectivity]
uri=http://connectivity-check.ubuntu.com./

Do not edit the copy under /usr/lib, as package upgrades overwrite it. NetworkManager reads /etc/NetworkManager/conf.d/ after /usr/lib/NetworkManager/conf.d/, and a file of the same name in /etc shadows the packaged one, so put your changed uri= in /etc/NetworkManager/conf.d/20-connectivity-ubuntu.conf. Settings changed through the System Settings toggle are written by NetworkManager itself to /var/lib/NetworkManager/NetworkManager-intern.conf, which is applied on top of all of the above; check it if a setting does not seem to take effect:

sudo cat /var/lib/NetworkManager/NetworkManager-intern.conf

Ref: External Source
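If you redirect the check to a host you control, that host has to answer the way NetworkManager expects: an HTTP 204 with no body (the default when no response= string is configured), or a reply carrying the header X-NetworkManager-Status: online, which is what connectivity-check.ubuntu.com sends. The following is an added example, not code from this page, Ubuntu or the NetworkManager project: a minimal endpoint that satisfies that check, plus a probe that verifies the two things NetworkManager looks at. The override filename, the hostname nmcheck.example.internal and the /check path are assumptions for the demo.

```python
"""Minimal self-hosted NetworkManager connectivity-check endpoint (added example).

Point NetworkManager at it with a snippet in /etc/NetworkManager/conf.d/
(file name and hostname are assumptions for this demo):

    # /etc/NetworkManager/conf.d/99-connectivity-local.conf
    [connectivity]
    uri=http://nmcheck.example.internal/check
    interval=300
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Marker header accepted by NetworkManager in addition to a bare HTTP 204.
STATUS_HEADER = ("X-NetworkManager-Status", "online")


class ConnectivityHandler(BaseHTTPRequestHandler):
    """Answer every GET/HEAD with 204 + the online marker; never serve a body."""

    def do_GET(self):
        self.send_response(204)
        self.send_header(*STATUS_HEADER)
        self.send_header("Cache-Control", "no-store")  # captive portals must not cache it
        self.end_headers()

    do_HEAD = do_GET

    def log_message(self, *args):
        pass  # keep the demo quiet; log to syslog in a real deployment


def start_server(host="127.0.0.1", port=0):
    """Start the endpoint on a background thread; port 0 picks a free port.
    Returns (server, url) so the caller can probe it and shut it down."""
    srv = HTTPServer((host, port), ConnectivityHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    addr, bound_port = srv.server_address[0], srv.server_address[1]
    return srv, f"http://{addr}:{bound_port}/check"


def probe(url, timeout=5):
    """What NetworkManager effectively checks: the status code and the marker header."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.headers.get(STATUS_HEADER[0])


if __name__ == "__main__":
    server, check_url = start_server()
    try:
        print(check_url, probe(check_url))
    finally:
        server.shutdown()
        server.server_close()
```

Bind the real service on the host named in uri= (behind a proper HTTP server rather than http.server) and keep it reachable only from your LAN if you want the check to fail, rather than lie, when the uplink is down.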

Let's see whether connectivity-check.ubuntu.com really is at bc.googleusercontent.com.

Simple testing to do at console:

$ host connectivity-check.ubuntu.com
connectivity-check.ubuntu.com has address 34.122.121.32
connectivity-check.ubuntu.com has address 185.125.190.49
connectivity-check.ubuntu.com has address 185.125.190.17
connectivity-check.ubuntu.com has address 35.232.111.17
connectivity-check.ubuntu.com has address 185.125.190.48
connectivity-check.ubuntu.com has address 35.224.170.84
connectivity-check.ubuntu.com has address 91.189.91.49
connectivity-check.ubuntu.com has address 91.189.91.48
connectivity-check.ubuntu.com has address 185.125.190.18
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::23
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::2b
connectivity-check.ubuntu.com has IPv6 address 2001:67c:1562::24
connectivity-check.ubuntu.com has IPv6 address 2001:67c:1562::23
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::22
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::2a

OK, let's reverse the first IP returned...

$ host 34.122.121.32
32.121.122.34.in-addr.arpa domain name pointer 32.121.122.34.bc.googleusercontent.com.

And so on: repeat the reverse lookup for each address, since not every one of them maps to Google. Those that reverse to bc.googleusercontent.com are Google Compute Engine instances, which means Ubuntu is paying Google for capacity on the shady googleusercontent.com system behind its connectivity check.
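The manual host / reverse-host procedure above scales badly once a name returns fifteen addresses. The block below is an added example, not code from this page or from Canonical: it parses the output of host, builds the PTR query name for each address (IPv4 in-addr.arpa and IPv6 ip6.arpa), and labels every address as Google Compute Engine or not by its PTR suffix. The resolver is injectable so the logic runs offline; the PTR table embedded here is constructed, with only the 34.122.121.32 entry taken from the page and the other entries assumed for the demo. Pass live_resolver instead to query the real system resolver.

```python
"""Classify the addresses behind a hostname by their reverse-DNS (PTR) suffix.

Added example. Reproduces the `host` / reverse-`host` procedure for every
address at once and reports which ones sit on Google Compute Engine
(PTR names ending in `.bc.googleusercontent.com`).
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

GCE_PTR_SUFFIX = ".bc.googleusercontent.com"

# Constructed sample: a subset of the `host connectivity-check.ubuntu.com`
# output shown on this page. A fresh query may return different addresses.
HOST_OUTPUT = """\
connectivity-check.ubuntu.com has address 34.122.121.32
connectivity-check.ubuntu.com has address 185.125.190.49
connectivity-check.ubuntu.com has address 35.232.111.17
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::23
"""

# Constructed PTR table standing in for a live reverse lookup. Only the first
# entry is the lookup shown on the page; the rest are ASSUMED demo values,
# and the IPv6 address deliberately has no entry to simulate NXDOMAIN.
FAKE_PTR = {
    "34.122.121.32": "32.121.122.34.bc.googleusercontent.com",
    "35.232.111.17": "17.111.232.35.bc.googleusercontent.com",   # assumed
    "185.125.190.49": "connectivity-check.ubuntu.com",           # assumed
}

ADDR_RE = re.compile(r"has (?:IPv6 )?address (\S+)")


def parse_host_output(text: str) -> List[str]:
    """Extract every A/AAAA address from the output of `host NAME`."""
    return [m.group(1) for m in ADDR_RE.finditer(text)]


def reverse_pointer(ip: str) -> str:
    """PTR query name for an address, e.g. 32.121.122.34.in-addr.arpa
    for IPv4 or the nibble-reversed ...ip6.arpa name for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def fake_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR lookup, backed by the constructed table."""
    return FAKE_PTR.get(ip)


def live_resolver(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def classify(text: str,
             resolve: Callable[[str], Optional[str]] = live_resolver
             ) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each address to its PTR name, its PTR query name and a label:
    'gce' (Google Compute Engine), 'other' (any other PTR) or 'no-ptr'."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    for ip in parse_host_output(text):
        ptr = resolve(ip)
        if ptr is None:
            label = "no-ptr"
        elif ptr.rstrip(".").endswith(GCE_PTR_SUFFIX):
            label = "gce"
        else:
            label = "other"
        result[ip] = {"ptr": ptr, "query": reverse_pointer(ip), "label": label}
    return result


def gce_addresses(text: str,
                  resolve: Callable[[str], Optional[str]] = fake_resolver
                  ) -> List[str]:
    """Sorted list of the addresses whose PTR places them on Compute Engine."""
    return sorted(ip for ip, info in classify(text, resolve).items()
                  if info["label"] == "gce")


if __name__ == "__main__":
    for ip, info in classify(HOST_OUTPUT, fake_resolver).items():
        print(f"{ip:22} {info['query']}  ->  {info['ptr']}  [{info['label']}]")
```

A PTR record is set by whoever controls the address block, so an address with no PTR or a vanity PTR is not cleared by this check; treat the "gce" label as positive evidence of Google hosting and "other" as merely "not obviously Google".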