How expired domain names can redirect you to malicious websites

Pages for inactive domain names can be exploited by cybercriminals to take you to malicious sites, says Kaspersky.

[Image: concept of a malware notification. Credit: danijelala, Getty Images/iStockPhoto]

Most of us at some point have likely tried to open a website only to discover that the site no longer exists, replaced by a landing page indicating that the domain has expired or is up for renewal. In some cases, the resulting page simply contains links related to the expired site. In other cases, the page is hosted by an auction site looking to sell the expired domain name.


Normally, these types of landing pages or auction pages appear to be benign with links to other sites that are assumed to be legitimate. But a report released Wednesday by security provider Kaspersky explains that there may be malware lurking behind some of these seemingly benign pages.

Investigating an application for an online game, researchers at Kaspersky found that the app attempted to redirect them to an unwanted and unexpected URL, which was listed for sale on an auction site. However, instead of taking people to the correct stub site, the second-stage redirection led them to a blacklisted page.

Upon further analysis, Kaspersky discovered around 1,000 websites up for sale from the same auction service. The second stage of redirection for these sites took users to more than 2,500 unwanted URLs. And many of these URLs were set up to download the Shlayer Trojan, a nasty piece of malware that tries to install adware on Mac computers.
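The two-stage pattern above (expired domain, then a parking or auction stub page, then an onward redirect) is easiest to catch by resolving redirects one hop at a time rather than letting a client follow them silently. The audit below is an added example, not code from the article or from Kaspersky; the hosts, HTTP responses, parking-host list and blocklist are all constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
DOWNLOAD_SUFFIXES = (".dmg", ".pkg", ".exe", ".docm", ".xlsm")

# Constructed sample responses (hypothetical hosts, not from the report):
# URL -> (HTTP status, Location header or None).
SAMPLE_RESPONSES = {
    "http://old-game-site.example/": (302, "https://lander.auction-parking.example/?d=old-game-site.example"),
    "https://lander.auction-parking.example/?d=old-game-site.example": (302, "//dl.shady-cdn.example/FlashUpdate.dmg"),
    "https://dl.shady-cdn.example/FlashUpdate.dmg": (200, None),
    "http://old-blog.example/": (301, "https://lander.auction-parking.example/?d=old-blog.example"),
    "https://lander.auction-parking.example/?d=old-blog.example": (200, None),
}
PARKING_HOSTS = {"lander.auction-parking.example"}   # assumed list of known stub/auction landers
BLOCKLIST = {"shady-cdn.example"}                    # assumed blocklist entries

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def on_blocklist(host, blocklist=BLOCKLIST):
    return any(host == b or host.endswith("." + b) for b in blocklist)

def follow_chain(start, responses, max_hops=10):
    """Resolve redirects one hop at a time, recording every URL visited.
    Returns (hops, final_status); final_status is None on a loop or when the hop limit is hit."""
    hops, url = [start], start
    for _ in range(max_hops):
        status, location = responses.get(url, (404, None))
        if status not in REDIRECT_CODES or not location:
            return hops, status
        url = urljoin(url, location)          # resolves relative and scheme-relative Location values
        if url in hops:
            return hops, None                  # redirect loop
        hops.append(url)
    return hops, None                          # too many hops

def audit_redirects(start, responses, parking_hosts=PARKING_HOSTS, blocklist=BLOCKLIST):
    hops, status = follow_chain(start, responses)
    findings = []
    # A stub/auction page that itself redirects onward is the second-stage pattern.
    if len(hops) >= 3 and host_of(hops[1]) in parking_hosts:
        findings.append("second-stage redirect from parking page")
    if any(on_blocklist(host_of(h), blocklist) for h in hops):
        findings.append("hop on blocklist")
    if urlsplit(hops[-1]).path.lower().endswith(DOWNLOAD_SUFFIXES):
        findings.append("chain ends in a file download")
    if status is None:
        findings.append("loop or hop limit exceeded")
    severe = {"hop on blocklist", "chain ends in a file download"}
    verdict = "block" if severe & set(findings) else ("review" if findings else "allow")
    return {"hops": hops, "final_status": status, "findings": findings, "verdict": verdict}
```

In a real deployment the `responses` lookup would be replaced by HEAD requests issued with automatic redirect-following disabled, so that every intermediate URL is logged before the final destination is ever fetched.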

[Image: Stub page for the domain up for sale. Credit: Kaspersky]

Looking at the activity from March 2019 through February 2020, Kaspersky determined that 89% of these second-stage redirects went to ad-related pages, while 11% went to malicious pages. In some cases, the pages themselves contained malicious code. In other cases, users were prompted to install malware or download infected Microsoft Office documents and PDF files.

As usual, profit is the ultimate goal. People receive money for driving users to certain pages, either ones that are legitimate ad pages or those that are malicious (a practice known as malvertising). One of the malicious pages received 600 redirects on average over just ten days. With the pages that tried to install the Shlayer Trojan, the attackers receive a payment for each installation of the malware on an affected device.

Kaspersky's assumption is that the criminals behind this campaign are part of a well-organized and presumably managed network that can divert traffic to malicious websites. They were able to do this by using redirects from legitimate domain names and exploiting the resources of a known domain auction site.

"Unfortunately, there is little users can do to avoid being redirected to a malicious page," Dmitry Kondratyev, junior malware analyst at Kaspersky, said in a press release. "The domains that have these redirects were—at one point—legitimate resources, perhaps those the users frequently visited in the past. And there is no way of knowing whether or not they are now transferring visitors to pages that download malware. In general, malvertising schemes like these are complex, making them difficult to fully uncover, so your best defense is to have a comprehensive security solution on your device."

Though this particular attack may be hard to combat, you can still take steps to prevent Trojans in general from infecting your devices. To that end, Kaspersky offers the following tips: 1) install programs and updates only from trusted sources; 2) use a reliable security solution with anti-phishing features that prevent redirects to suspicious pages.
