Cybersecurity firm Kaspersky has warned that inactive domains listed for sale on a “popular” online domain auction site are redirecting visitors to malicious links.
Researchers have found at least 1,000 such domains that redirect a user to “unwanted URLs”, many of which lead to malware being installed on the user’s device.
“Kaspersky researchers have uncovered more than a thousand inactive domains that, when visited, redirect the visitors to unwanted URLs as a way to turn a profit. Many of these second-stage pages were detected as malicious. The compromised domains are all for sale on one of the world’s largest and oldest domain auction sites,” the firm said.
These are domains that are no longer in use; the pages they redirect to are the “second-stage” pages.
“When companies stop paying for their domain, sometimes these are purchased by a service and posted for sale on an auction site,” Kaspersky explained.
In ordinary circumstances, a user visiting one of these domains should be shown the auction site’s for-sale stub page. However, hackers can instead point the redirects at malicious pages that infect the visitor’s device or generate profit at the “user’s expense.”
Kaspersky began its investigation after an assistant tool for a popular online game, which the firm did not name, attempted to send users to an unwanted URL.
“It turned out that this URL was listed for sale on one of the world’s oldest and largest auction sites. However, rather than redirecting to the correct page that shows the domain for sale, this second-stage redirect was transferring users to another denylist page,” the report read.
Further analysis uncovered 1,000 such domains up for sale on the platform.
These 1,000 domains redirected users to over 2,500 malicious URLs, many of which downloaded the Shlayer Trojan onto the user’s device. The Shlayer Trojan is a widespread macOS threat that installs unwanted adware on users’ devices, and it is distributed through malicious websites such as these.
“Between March 2019 and February 2020, 89 per cent of these second-stage redirects were to ad-related pages, while 11 per cent were malicious: users were either prompted to install malware or download infected MS Office or PDF documents, or the pages themselves contained malicious code,” as per the report.
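The two non-stub outcomes in that breakdown (an ad-related landing page and a page that serves malware) are exactly what a defender auditing a list of formerly owned domains would want to tell apart. The script below is an added, illustrative example, not code from Kaspersky or from the report: it follows a parked domain’s redirect chain one Location header at a time and classifies the result as the expected auction stub, an ad-style landing page for manual review, a hop onto a host already known to serve malware, or a broken chain (loop or too many hops). The auction host, the denylist entries and the redirect map are constructed placeholders; the report does not name the auction site or the URLs involved.

```python
"""Redirect-chain auditor for expired/parked domains (constructed demo, not the report's code)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Where a parked domain is *expected* to land: the auction's for-sale stub.
# Placeholder host; the real auction site is not named in the report.
AUCTION_HOSTS = {"auction.example"}
# Hosts already known to serve malware (e.g. a Shlayer dropper). Constructed.
DENYLIST_HOSTS = {"dl.bad.example"}

# A lookup maps a URL to its next hop (the Location header) or None if final.
Lookup = Callable[[str], Optional[str]]

# Constructed redirect map standing in for live HTTP responses.
CONSTRUCTED_REDIRECTS: Dict[str, Optional[str]] = {
    # healthy: expired domain -> auction stub, and the stub is the final page
    "http://game-helper.example/": "https://auction.example/listing?d=game-helper.example",
    "https://auction.example/listing?d=game-helper.example": None,
    # abuse: a second-stage redirect leaves the stub for a malware download
    "http://old-forum.example/": "https://auction.example/listing?d=old-forum.example",
    "https://auction.example/listing?d=old-forum.example": "https://dl.bad.example/Installer.dmg",
    "https://dl.bad.example/Installer.dmg": None,
    # monetisation only: ends on an ad network, not denylisted but not the stub either
    "http://old-shop.example/": "https://ads.example/click?id=42",
    "https://ads.example/click?id=42": None,
    # broken: two parked domains bounce visitors between each other
    "http://loop-a.example/": "http://loop-b.example/",
    "http://loop-b.example/": "http://loop-a.example/",
}


def map_lookup(mapping: Dict[str, Optional[str]]) -> Lookup:
    """Offline lookup backed by a dict; unknown URLs count as final pages."""
    return lambda url: mapping.get(url)


def follow_chain(start: str, lookup: Lookup, max_hops: int = 10) -> Tuple[List[str], str]:
    """Walk redirects from `start`. Returns (hops, status) with status one of
    'final', 'loop' or 'too_long'."""
    chain, seen, current = [start], {start}, start
    for _ in range(max_hops):
        nxt = lookup(current)
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        current = nxt
    return chain, "too_long"


def classify(chain: List[str], status: str) -> str:
    """Verdict for one chain: 'malicious', 'ok', 'suspicious', 'loop' or 'too_long'."""
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    if any(h in DENYLIST_HOSTS for h in hosts):
        return "malicious"          # any hop touching a known-bad host
    if status != "final":
        return status               # broken chain: report separately
    if hosts[-1] in AUCTION_HOSTS or hosts[-1] == hosts[0]:
        return "ok"                 # landed on the stub, or never left the domain
    return "suspicious"             # e.g. an ad-network landing page: manual review


def audit(urls: List[str], lookup: Lookup, max_hops: int = 10) -> Dict[str, str]:
    """Classify every URL in `urls` using the given lookup."""
    return {u: classify(*follow_chain(u, lookup, max_hops)) for u in urls}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop urllib from following redirects so each hop is read explicitly.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_lookup(url: str, timeout: float = 10.0) -> Optional[str]:
    """One real hop: HEAD the URL and return its absolute Location, or None.
    Not exercised by the offline demo; pass it to audit() for live checks."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None                       # 2xx: this is the final page
    except urllib.error.HTTPError as err:     # 3xx surfaces here because we refused to follow
        loc = err.headers.get("Location")
        return urljoin(url, loc) if loc and 300 <= err.code < 400 else None


if __name__ == "__main__":
    for url, verdict in audit(list(CONSTRUCTED_REDIRECTS), map_lookup(CONSTRUCTED_REDIRECTS)).items():
        print(f"{verdict:<10} {url}")
```

To audit real domains, replace `map_lookup(CONSTRUCTED_REDIRECTS)` with `live_lookup` and feed `audit()` the list of domains your organisation once owned; switch the request method to GET if a server rejects HEAD. Because the report notes that the landing page can differ by where the visitor connects from, run the audit from each network vantage point you care about rather than from one location only.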
According to experts, the motive is financial: whoever controls the redirects earns revenue by sending visitors to ad-related pages, whether legitimate or malicious, a practice known as malvertising.
“It’s likely the scam is the result of flaws in the ad filtering for the module that displays the content of the third-party ad network,” Kaspersky said.
There is, however, little a user can do to prevent such redirects beyond having a trustworthy cyber-security solution in place to protect the device.
“Unfortunately, there is little users can do to avoid being redirected to a malicious page. The domains that have these redirects were — at one point — legitimate resources, perhaps those the users frequently visited in the past. And there is no way of knowing whether or not they are now transferring visitors to pages that download malware,” said Dmitry Kondratyev, Junior Malware Analyst.
“Adding to the challenge is that whether or not you land on a malicious site varies: if one day, you access the site from Russia, nothing will happen. However, if you then try to access it with a VPN, you might be sent to a page that downloads Shlayer. In general, malvertising schemes like these are complex, making them difficult to fully uncover. So your best defense is to have a comprehensive security solution on your device,” he further said.