Thousands of inactive domains have been identified by a cyber security firm that are being used to redirect users to unwanted URLs in a bid to make money. According to researchers at Kaspersky, many of these second-stage pages were detected as malicious. The compromised domains are all for sale on one of the world’s largest and oldest domain auction sites.  

The report explains that these domains are put up for sale on auction sites when companies stop paying for them. Anyone who attempts to visit the inactive website is then redirected to the auction stub, where they see that the domain is currently for sale—or at least they should be. 

“However, by substituting the stub with something else—i.e. a malicious link—fraudsters can create a cunning scheme for infecting users or generating profits at the users’ expense,” the researchers said. 

The fraud came to light when researchers were investigating an assistant tool for a popular online game. They detected an attempt by the application to redirect them to an unwanted URL. It turned out that this URL was listed for sale on one of the world’s oldest and largest auction sites. However, rather than redirecting to the correct page that shows the domain for sale, this second-stage redirect was sending users to a page that was itself on a denylist. 

Further analysis uncovered around 1,000 websites put up for sale on the very same auction platform. At the second stage of the redirect, these 1,000 pages transferred users to over 2,500 unwanted URLs. Many of these download the Shlayer Trojan—a widespread macOS threat that installs adware on infected devices and is distributed by webpages with malicious content.

According to experts, the reasoning behind this cunning multi-layered scheme could be of a financial nature: fraudsters receive revenue for driving traffic to pages—both to those that are legitimate advertising pages and those that are malicious. This is what’s known as malvertising. 

One of the malicious pages uncovered, for example, received 600 redirects on average in just ten days—most likely, the criminals received a payment based on the number of visits. In the case of Shlayer, those that distribute the malware received a payment for each installation on a device.

It’s likely the scam is the result of flaws in the ad filtering for the module that displays the content of the third-party ad network.
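As an added illustration of the redirect chain described above (example code, not from the Kaspersky research or any real auction site), this script follows a parked domain's HTTP redirects hop by hop and flags a chain that reaches the auction stub but then leaves it. The hostnames and responses are constructed, and the fetcher is injectable so a real run would swap in one built on urllib or requests.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)

# Constructed, in-memory responses (hostnames are placeholders, not real
# indicators). First chain: expired site -> auction stub -> second-stage
# redirect off the auction host, the pattern the article describes.
# Second chain: a parked domain whose chain stops at the stub, as it should.
SAMPLE_RESPONSES = {
    "http://old-game-helper.example/":
        (302, {"Location": "http://auction-stub.example/listing?d=old-game-helper"}),
    "http://auction-stub.example/listing?d=old-game-helper":
        (302, {"Location": "https://cdn-update.example/installer"}),
    "https://cdn-update.example/installer":
        (200, {"Content-Type": "application/octet-stream"}),
    "http://dormant-shop.example/":
        (301, {"Location": "http://auction-stub.example/listing?d=dormant-shop"}),
    "http://auction-stub.example/listing?d=dormant-shop":
        (200, {"Content-Type": "text/html"}),
}

def offline_fetch(url):
    """Stand-in for a network fetch; returns (status, headers) for known URLs."""
    return SAMPLE_RESPONSES.get(url, (404, {}))

def trace_redirects(url, fetch=offline_fetch, max_hops=10):
    """Follow 3xx Location headers and return the ordered list of URLs visited."""
    chain = [url]
    for _ in range(max_hops):  # hop limit also guards against redirect loops
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or "Location" not in headers:
            break
        # Location may be relative; resolve it against the current URL.
        chain.append(urljoin(chain[-1], headers["Location"]))
    return chain

def audit_parked_domain(url, expected_stub_host, fetch=offline_fetch):
    """Classify where a parked domain's redirect chain ends:
    'ok'      - the chain ends on the expected auction stub host
    'escaped' - the stub appears but a later hop leaves that host
                (the second-stage redirect from the article)
    'no-stub' - the expected stub never appears in the chain
    """
    chain = trace_redirects(url, fetch)
    hosts = [urlsplit(u).hostname for u in chain]
    if expected_stub_host not in hosts:
        return "no-stub", chain
    if hosts[-1] != expected_stub_host:
        return "escaped", chain
    return "ok", chain
```

Because the article notes the second-stage target can vary by vantage point, a real audit should run the same chain from several networks and compare the verdicts.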

How to stay safe?

Dmitry Kondratyev, Junior Malware Analyst, said that unfortunately, there is little users can do to avoid being redirected to a malicious page. He explained that the domains that have these redirects were—at one point—legitimate resources, perhaps those the users frequently visited in the past.

“And there is no way of knowing whether or not they are now transferring visitors to pages that download malware. Adding to the challenge is that whether or not you land on a malicious site varies: if one day, you access the site from Russia, nothing will happen. However, if you then try to access it with a VPN, you might be sent to a page that downloads Shlayer. In general, malvertising schemes like these are complex, making them difficult to fully uncover, so your best defense is to have a comprehensive security solution on your device,” he said. 

To reduce the risk of infection with Trojans from malicious sites, Kaspersky experts recommend:

· Installing programs and updates only from trusted sources

· Using a reliable security solution with Anti-Phishing features that prevent redirects to suspicious pages