Researchers have uncovered more than a thousand inactive domains that, when visited, redirect the visitors to unwanted URLs as a way to turn a profit. Many of these second-stage pages were malicious. The compromised domains are all for sale on one of the world’s largest and oldest domain auction sites.
When a company stops paying for its domain, the domain is sometimes bought by a reseller and listed on an auction site. Anyone who tries to visit the now-inactive website is redirected to the auction stub, a page showing that the domain is currently for sale—or at least that is what should happen. By substituting a malicious link for the stub, however, fraudsters can build a cunning scheme for infecting users or generating profit at their expense.
While investigating an assistant tool for a popular online game, Kaspersky researchers detected an attempt by the application to send them to an unwanted URL. It turned out that this URL was listed for sale on one of the world’s oldest and largest auction sites. However, instead of redirecting to the page that should show the domain for sale, this second-stage redirect was sending users to a denylisted page.
Further analysis uncovered around 1,000 websites put up for sale on the very same auction platform. At the second stage of the redirect, these 1,000 pages sent users to over 2,500 unwanted URLs. Many of these download the Shlayer Trojan, a widespread threat aimed at Apple Macs.
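As an added, defender-side illustration (not Kaspersky’s code or research tooling): the script below walks the redirect chain behind a list of parked domains and flags any chain that reaches the auction stub but does not stop there. All hostnames, paths and HTTP responses are constructed stand-ins; `auction.example` is the assumed stub host.

```python
# Added example (not Kaspersky's tooling): walk the redirect chain behind a parked
# domain and flag chains that pass through the auction stub but do not stop there.
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
AUCTION_HOSTS = {"auction.example"}          # assumed stub host for parked domains

# Constructed responses standing in for live HTTP: url -> (status, Location)
FAKE_WEB = {
    "http://old-shop.example/": (302, "https://auction.example/lander?d=old-shop"),
    "https://auction.example/lander?d=old-shop": (302, "https://ads.example/offer"),
    "http://old-blog.example/": (302, "https://auction.example/lander?d=old-blog"),
    "https://auction.example/lander?d=old-blog": (200, None),
    "http://loop.example/": (302, "/again"),
    "http://loop.example/again": (302, "/"),
}

def fetch(url):
    """Stand-in for a HEAD request: returns (status, Location header or None)."""
    return FAKE_WEB.get(url, (404, None))

def follow_chain(start, fetch=fetch, max_hops=10):
    """Return (urls visited, outcome). Resolves relative Location headers and
    stops on a non-redirect ('ok'), a revisited URL ('loop') or too many hops."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, "ok"
        url = urljoin(url, location)
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "too_many_hops"

def classify(chain):
    """'stub': ends on the auction stub as it should; 'hijacked': passed
    through the stub and then left it; 'other': never reached the stub."""
    hosts = [urlsplit(u).hostname for u in chain]
    if hosts[-1] in AUCTION_HOSTS:
        return "stub"
    if any(h in AUCTION_HOSTS for h in hosts):
        return "hijacked"
    return "other"

def audit(domains):
    """Map each domain to its verdict, so hijacked parked domains can be blocked."""
    return {d: classify(follow_chain(f"http://{d}/")[0]) for d in domains}
```

Replacing `fetch` with a real HEAD request (without following redirects automatically) turns this into a periodic check over domains an organisation used to own or still links to.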
Between March 2019 and February 2020, 89 percent of these second-stage redirects were to ad-related pages, while 11 percent were malicious: users were either prompted to install malware or download infected MS Office or PDF documents, or the pages themselves contained malicious code.
The reasoning behind this cunning multi-layered scheme could be financial: fraudsters receive revenue for driving traffic to pages—both to those that are legitimate advertising pages and those that are malicious. This is what’s known as malvertising. One of the malicious pages uncovered, for example, received 600 redirects on average in just ten days. It's probable that the criminals receive a payment based on the number of visits. In the case of Shlayer, those that distribute the malware received a payment for each installation on a device.
The scam is probably the result of flaws in the ad filtering of the module that displays content from the third-party ad network. According to Dmitry Kondratyev at Kaspersky: “There is little users can do to avoid being redirected to a malicious page. The domains that have these redirects were—at one point—legitimate resources, perhaps those the users frequently visited in the past. And there is no way of knowing whether or not they are now transferring visitors to pages that download malware.” You can learn more about these malicious links on Securelist.
Basic cyber hygiene reduces the risk of infection with malware from malicious sites. This includes using a reliable security solution with Anti-Phishing features that prevent redirects to suspicious pages and only installing programs and updates from trusted sources.
Kaspersky is a provider of cybersecurity and anti-virus software.