Most users, if not all of them, will certainly try to open a site and in the process discover that this site no longer exists, but has been replaced by a landing page indicating that the domain has expired or is about to be renewed. . In some cases, the resulting page simply contains left-wing related to the expired site. In other cases, the page is hosted by an auction site that aims to sell the expired domain name. These landing pages or auction sites seem to contain links that direct users to legitimate sites. In reality, though, things are different, as expired domains carry many risks - one of which is redirecting users to malicious sites.
In particular, a report released this week by Kaspersky points out that some of these seemingly "innocent" pages are very likely to hide malware. Looking at one application for one online game, Kaspersky's researchers found that the application tried to redirect them to an unwanted address URL, which was put up for sale on an auction site. Instead of being transferred to the right website stub, their second stage redirect resulted in a blacklist page.
Kaspersky then discovered about 1.000 sites for sale from the same auction service. The second redirection stage for these sites has led users to more than 2.500 unwanted URLs. In addition, many of these URLs were created to download Shlayer Trojan, a malware that tries to install adware on computers. Poppy.
Tracking activity from March 2019 to February 2020, Kaspersky's researchers found that 89% of these second-stage redirects took users to ad-related pages, while 11% took them to malicious sites. In some cases, the pages were malicious code. There have also been cases where users have been asked to install malware or download infected documents. Microsoft Office and files PDF.
The ultimate goal in such cases is profit. People get paid to drive users to specific pages, whether they are legitimate ad sites or malicious ones. One of the malicious pages received an average of 600 redirects in ten days. With the pages trying to install the Shlayer Trojan, the intruders received money with each installation of the malware on a target device.
Kaspersky researchers estimate that cybercriminals behind this malware campaign are part of a well-organized and possibly managed network that can divert traffic to malicious sites. They could do this by redirecting legally domain names and exploiting the resources of a well-known domain auction site.
Dmitry Kondratyev, a junior malware analyst at Kaspersky, explained that users can do little to avoid being redirected to a malicious page. He also said that there is no way to know if visitors are being taken to pages that download malware, while it is difficult to manage expired domains. He also stressed that malicious advertising programs are complex, which makes them difficult to detect and deal with. Therefore, the best defense of users against expired domains and the consequent consequences, is to have a complete security solution on their device, according to Kondratyev. Although this type of attack can be difficult to mitigate and combat, users can take steps to prevent Trojans from infecting their devices.
Kaspersky suggests that users follow two key steps:
- Only install programs and updates from trusted sources.
- Use a reliable security solution with features against it Phishing that prevent redirects to suspicious pages.