Expired Domain Pages Can Redirect To Malicious Websites. How?

According to Kaspersky, cybercriminals can exploit pages for inactive domains to redirect users to malicious websites.

Users often open a website just to check whether it is still active. When it is not, they are redirected to a landing page stating that the domain has expired and is ready to be renewed. In some cases these pages include links related to the expired domain; in others, the page appears to be hosted by an auction website that sells expired domains.

In general, these landing pages appear to carry links to other legitimate websites selling expired domains, but a recently issued Kaspersky report explains that malware can reside on such landing pages too.

While researching an application for an online game, the experts discovered that the application tried to redirect them to a malicious URL that was listed for sale on an auction site. Instead of opening a legitimate auction page, clicking through redirected them to a blacklisted web address.

On further analysis, the security team discovered around 1000 websites put up for sale by the same auction server, and the second-stage redirection led users to more than 2500 unwanted or malicious URLs. Many of the URLs on that list were set up to promote and install the Shlayer Trojan on remote computers. This malware is a macOS-based infection that attempts to install adware on targeted machines.

Kaspersky's research from March 2019 to February 2020 found that around 89 percent of such inactive-domain URLs caused second-stage redirects that landed users on advert-related websites, while the remaining 11 percent led users to malicious pages. In some cases, the security team also discovered that the page itself included malicious code and that users were prompted to download the malware onto their machines through infected MS Office documents and PDF files.

The intention behind such redirects is probably just profit. Generally, those behind the redirects receive a commission from advertisers for driving users to certain websites, regardless of whether the sites are legitimate or malicious. According to the research, one of the malicious URLs received around 600 redirects on average in ten days, and the pages tried to install the Shlayer Trojan. The attackers receive a payment for every installation from the promoted site on a targeted machine.

Kaspersky supposes that the criminals behind this promotional campaign are well organized and have a managed network to divert traffic to malicious websites. They might be able to do this using redirects from a legitimate domain and exploiting the resources of a well-reputed auction site.

Although this kind of attack is hard to combat, users can still take some precautionary measures to protect their machines against it. The first step is to download and install programs only from reliable or trusted sources; the second recommended step is to use a powerful security app that can prevent such redirects to malicious or suspicious URLs.
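
The two-stage redirection described above (expired domain, then auction page, then blacklisted address) can also be looked for on the network side. The following is an added example, not code from Kaspersky's report or from this article: it rebuilds redirect chains from proxy logs and flags chains that cross hosts at least twice and end on a blocklisted host. The log format, host names and blocklist are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed proxy log lines: client, requested URL, HTTP status, Location ("-" if none).
SAMPLE_LOG = """\
10.0.0.5 http://expired-game-cdn.example/update 302 http://auction.example/lot?d=expired-game-cdn.example
10.0.0.5 http://auction.example/lot?d=expired-game-cdn.example 302 http://installer-promo.example/get
10.0.0.5 http://installer-promo.example/get 200 -
10.0.0.9 http://news.example/ 301 https://news.example/
10.0.0.9 https://news.example/ 200 -
"""
BLOCKLIST = {"installer-promo.example"}  # constructed; stands in for a reputation feed

def parse(log):
    """Yield (client, url, status, location); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            client, url, status, loc = parts
            # Resolve relative Location headers against the requested URL.
            yield client, url, int(status), None if loc == "-" else urljoin(url, loc)

def redirect_chains(log):
    """Follow 3xx Location headers per client and return each full chain of URLs."""
    nxt, targets = {}, set()
    for client, url, status, loc in parse(log):
        if 300 <= status < 400 and loc:
            nxt[(client, url)] = loc
            targets.add((client, loc))
    chains = []
    for (client, url) in nxt:
        if (client, url) in targets:
            continue  # reached by another redirect, so not the start of a chain
        chain = [url]
        while (client, chain[-1]) in nxt:
            step = nxt[(client, chain[-1])]
            if step in chain:  # redirect loop guard
                break
            chain.append(step)
        chains.append((client, chain))
    return chains

def suspicious(log, blocklist=BLOCKLIST):
    """Chains that change host at least twice and end on a blocklisted host."""
    hits = []
    for client, chain in redirect_chains(log):
        hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
        crossings = sum(a != b for a, b in zip(hosts, hosts[1:]))
        if crossings >= 2 and hosts[-1] in blocklist:
            hits.append((client, hosts))
    return hits
```

The same-host HTTP to HTTPS upgrade in the sample is not flagged, because it never changes host.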