Kaspersky says that cybercriminals can exploit pages for inactive domains to redirect you to malicious websites.
Many of us have tried to open websites at one time or another only to find that the domain is no longer available. Sometimes, the landing page contains links to the expired website. Sometimes, an auction site hosts the page in order to sell the domain name.
These types of auction or landing pages are usually benign and have links to legitimate sites. A report by security provider Kaspersky on Wednesday reveals that malware could be lurking behind these benign pages.
Kaspersky researchers found that an app was trying to redirect users to an unintentional URL. The URL was being sold on an auction site. Instead of redirecting them to the correct site, the second stage redirection took them to a blacklisted webpage.
Kaspersky found around 1000 websites for sale on the same auction site after further analysis. Users were then directed to over 2,500 unwelcome URLs in the second stage of site redirection. Many of these URLs were used to download the Shlayer Troy, which is a malicious piece of malware that attempts to install adware onto Mac computers.
Kaspersky examined the activity between March 2019 and February 2020. It found that 89% of second-stage redirects went towards ad-related pages while 11% went toward malicious pages. Sometimes, malicious code was embedded on the pages. Other times, the pages contained malicious code and users were asked to download malware or infect Microsoft Office documents.
Profit is the ultimate goal, as usual. For driving people to certain pages, whether they are legitimate ad pages (a practice called malvertising), users get money. In a matter of ten days, one malicious page received 600 redirects. The attackers are paid for every installation of the Shlayer Trojan on a device that was accessed by the malicious pages.
Kaspersky believes that criminals behind this campaign are part a well-organized, presumably managed network that can divert traffic from malicious websites. They did this by redirecting from legitimate domain names, and using the resources of a well-known domain auction site.
Dmitry Kondratyev (junior malware analyst at Kaspersky), stated in a press release that “Unfortunately there is nothing users can do to prevent being redirected to malicious pages.” These redirects were at one time legitimate resources. Perhaps they were sites that users frequented in the past. It is impossible to know if they are transferring users to malware-laden pages. Malvertising schemes such as these can be complex and difficult to uncover. Your best defense is to have a comprehensive protection solution for your device.
Although this attack is difficult to stop, there are steps you can take to help prevent trojans from infecting your computer. Kaspersky suggests the following tips. 1. Only install updates and programs from trusted sources. 2. Use reliable security solutions with anti-phishing features to prevent redirections to suspicious pages.