الرئيسية / ENGLISH / Over one thousand URLs for sale redirect users to blacklisted pages—including malicious ones

Over one thousand URLs for sale redirect users to blacklisted pages—including malicious ones

Kaspersky researchers have uncovered more than a thousand inactive domains that, when
visited, redirect the visitors to unwanted URLs as a way to turn a profit. Many of these
second-stage pages were detected as malicious.
When companies stop paying for their domain, sometimes they are purchased by a service
and posted for sale on an auction site. Those who attempt to visit the inactive website are
then redirected to the auction stub where they see that the domain is currently for sale—or
at least they should be. However, by substituting the stub with something else—i.e. a
malicious link—fraudsters can create a cunning scheme for infecting users or generating
profits at the users’ expense.
While investigating an assistant tool for a popular online game, Kaspersky researchers
detected an attempt by the application to transfer them to an unwanted URL. It turned out that this URL was listed for sale on an auction site. However, rather than redirecting to the
correct stub site, this second-stage redirect was transferring users to another blacklisted page.
Further analysis uncovered around 1,000 websites put up for sale on various auction
platforms. At the second stage of redirect, these 1,000 pages transferred users to over 2,500 unwanted URLs. Many of these download the Shlayer Trojan—a widespread macOS
threat that installs adware on the infected devices and is distributed by webpages with malicious content.
Between March 2019 and February 2020, 89 percent of these second-stage redirects were
to ad-related pages, while 11 percent were malicious: users were either prompted to install
malware or download infected MS Office or PDF documents, or the pages themselves
contained malicious code.
According to experts, the reasoning behind this cunning multi-layered scheme could be of a
financial nature: fraudsters receive revenue for driving traffic to pages—both to those that are legitimate advertising pages and those that are malicious. This is what’s known as
malvertising. One of the malicious pages uncovered, for example, received 600 redirects on
average in just ten days—most likely the criminals receive a payment based on the number
of visits. In the case of Shlayer, those that distribute the malware received a payment for
each installation on a device.
It’s likely the scam is the result of flaws in the ad filtering for the module that displays the
content of the third-party ad network.
“Unfortunately, there is little users can do to avoid being redirected to a malicious page.
The domains that have these redirects were—at one point—legitimate resources, perhaps
those the users frequently visited in the past. And there is no way of knowing whether or
not they are now transferring visitors to pages that download malware. Adding to the
challenge is that whether or not you land on a malicious site varies: if one day, you access
the site from Russia, nothing will happen. However, if you then try to access it with a VPN,
you might be sent to a page that downloads Shlayer. In general, malvertising schemes like
these are complex, making them difficult to fully uncover, so yourbest defense is to have a
comprehensive security solution on your device,” comments Dmitry Kondratyev, Junior
Malware Analyst.
 
Learn more about these malicious links onSecurelist.
To reduce the risk of infection with Trojans from malicious sites, Kaspersky experts
recommend:
• Installing programs and updates only from trusted sources
• Using a reliable security solution like Kaspersky Total Security with Anti-Phishing features that prevent redirects to suspicious pages
cairo ict

شاهد أيضاً

Over 140 ransomware families down – No More Ransom celebrates its fourth anniversary

the No More Ransom initiative was launched by the Dutch National Police, Europol, McAfee and …

اترك تعليقاً

لن يتم نشر عنوان بريدك الإلكتروني. الحقول الإلزامية مشار إليها بـ *