Newspapers and news sites

Stumble Guys free gem spam manipulates event calendar to display in Google News

Last week we saw a particularly odd entry in Google News, and were curious to get to the bottom of it. Nestled in between two listings for video game news sat a listing which seemed rather out of place. It said:

“Stumble guys flying hack unlimited free gems generator”

Google News results

The site link led back to a genuine news source, The Atlanta Journal Constitution. This entry should not be appearing in this way. However, the site had not been hacked. What we have here is a case of scammers taking advantage of an events promotion service offered by the Constitution. Shall we take a look?

Turning a gem generator into an event

Here’s the page in question. The subdomain that this page appears on contains the word “events”, which is our first clue to what’s happened here.

Tumble Guys fake gem generator

The text on the page is a very spammy rundown of what Stumble Guys is, and how you can generate gems “for free”. Stumble Guys is a legitimate game on everything from mobile platforms to Steam. The game and its developers are unrelated to this spammy page and its content.

The page also bizarrely lists October 31 as the “date” for this event, which is apparently located in a gallery at the Ronald Reagan Washington National Airport.

Why is this detail present?

The event that wasn’t

The answer is that you can set up an account on the Events subdomain, which is then posted calendar style alongside other events submitted to the site. For example, here’s a whole bunch of genuine events. Meanwhile, our “odd one out” spam listing leads to a fake gem generator.

The generator is the usual “enter your username and platform” affair, which asks how many “free” gems you want and then deposits you in front of several survey offers. No matter which ones you complete, you’re not going to get any gems but you will have signed up to various unrelated offers and promotions.

Survey selection

Not the greatest value proposition we’ve ever seen. While the majority of offer survey sign-ups across the net don’t send you to malware sites or dubious downloads, it can indeed happen. The “least” invasive thing you’re likely to experience is handing over personal data for competitions or signing up to various paid services. It’s simply not worth bothering with, especially when the starting point is a fake ad for a bogus service.

A speedy take down

We reported the fake event listing to The Atlanta Journal Constitution, and the page was removed incredibly quickly which is fantastic. We also block the third party URL containing the fake gem offer site (note that this domain is not associated with AJC). This is a fairly sneaky way to get spam loaded into Google News offerings, and not one we should tolerate.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.