We have all at some point tried to open a website only to find that the site is no longer active and has been replaced by a landing page saying the domain has expired or is up for renewal. In many cases the page carries links related to the expired site's former content. In others, the page is hosted by an auction service looking to sell the expired domain name. These parking pages and auction listings usually look benign, and their links are assumed to be legitimate. A report from Kaspersky Labs shows, however, that the redirects behind those links can lead visitors to malware.
While investigating a gaming app, Kaspersky researchers found that the app tried to send them to a URL whose domain was listed for sale on an auction site. Instead of landing on the auction page, however, a second-stage redirect took them to a blacklisted website.
On further analysis, the researchers found roughly 1,000 domains for sale on the same auction site that behaved this way. Their second-stage redirects sent users to more than 2,500 unwanted URLs, most of which were set up to deliver the Shlayer Trojan, a macOS malware family whose purpose is to install adware.
Between March 2019 and February 2020, Kaspersky observed that 89% of these second-stage redirects went to ad-related pages and 11% went to malicious pages. In some cases the pages themselves contained malicious code; in others, users were prompted to install malware or to download infected Word documents or PDF files. On the pages that deliver Shlayer, the operators are believed to be paid for each installation on an affected device, a pay-per-install arrangement.
The researchers believe the criminals behind this campaign belong to a well-organized network that can divert traffic to malicious websites at will, using redirects from once-legitimate domain names and abusing the infrastructure of known domain auction sites.
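The mechanism described above is a chain: a formerly legitimate domain answers with a redirect to a parking or auction page, which in turn redirects (often via an HTML meta refresh rather than an HTTP status) to an advertising or malware host. The following Python script is an added example, not code from the Kaspersky report, showing how a defender can walk such a chain and flag the hop at which it touches a blocklisted host. The hostnames, URLs, responses and blocklist are all constructed for the example; in real use the `offline_fetch` stub would be replaced by an HTTP client that does not follow redirects on its own.

```python
"""Follow an HTTP redirect chain and flag hops that land on a blocklisted host.

Added example (not from the Kaspersky report). Every URL, host and response
below is constructed: an expired "old-game-site.example" that bounces through
a parking page on "auction.example" before reaching "ads.example".
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed canned responses: url -> (status, headers, body).
RESPONSES = {
    "http://old-game-site.example/": (
        301, {"Location": "https://auction.example/park?d=old-game-site.example"}, ""),
    # The parking page redirects with a meta refresh, which a plain HTTP
    # client that only honours 3xx status codes would miss.
    "https://auction.example/park?d=old-game-site.example": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0; url=//ads.example/go?id=77">'),
    "https://ads.example/go?id=77": (
        302, {"Location": "/download/installer"}, ""),
    "https://ads.example/download/installer": (
        200, {"Content-Type": "application/octet-stream"}, ""),
}

BLOCKLIST = {"ads.example"}  # constructed stand-in for a real reputation feed
MAX_HOPS = 10

# Matches <meta http-equiv="refresh" content="N; url=TARGET"> and captures TARGET.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)


def next_hop(url, status, headers, body):
    """Return the absolute URL this response redirects to, or None if it is a
    final landing page. Handles HTTP 3xx Location headers and HTML meta refresh."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    if "text/html" in headers.get("Content-Type", ""):
        m = META_REFRESH.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None


def follow_chain(start, fetch, blocklist, max_hops=MAX_HOPS):
    """Walk redirects from `start`. `fetch(url)` returns (status, headers, body).

    Returns (hops, verdict) where hops is the list of URLs visited and verdict is
    one of "blocked:<host>", "landed", "loop" or "too_many_hops". Walking stops at
    the first blocklisted host so the malicious payload is never requested."""
    hops = [start]
    seen = {start}
    url = start
    while len(hops) <= max_hops:
        status, headers, body = fetch(url)
        host = urlsplit(url).hostname or ""
        if host in blocklist:
            return hops, "blocked:" + host
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return hops, "landed"
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
        hops.append(nxt)
        url = nxt
    return hops, "too_many_hops"


def offline_fetch(url):
    """Stand-in for an HTTP client that does NOT auto-follow redirects."""
    return RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    hops, verdict = follow_chain("http://old-game-site.example/", offline_fetch, BLOCKLIST)
    for i, h in enumerate(hops):
        print(f"hop {i}: {h}")
    print("verdict:", verdict)
```

Two design points matter in practice: the client must not auto-follow redirects (otherwise the intermediate auction page, the evidence that the domain is parked, is lost), and meta refresh and JavaScript `location` changes have to be parsed out of the body, since the second stage in this campaign is not always an HTTP 3xx. The script handles meta refresh; JavaScript-driven redirects need a headless browser and are left out here.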
According to Dmitry Kindratyev of Kaspersky Labs, “Unfortunately, there is little users can do to avoid being redirected to a malicious page. The domains that have these redirects were — at one point — legitimate resources, perhaps those the users frequently visited in the past. And there is no way of knowing whether or not they are now transferring visitors to pages that download malware. In general, malvertising schemes like these are complex, making them difficult to fully uncover, so your best defense is to have a comprehensive security solution on your device.”
Although this particular attack is hard to combat from the user's side, you can still take several steps to keep malware off your devices. The most important is to run antivirus and antimalware software, which can block a malicious installer before it runs and remove it if it does get onto the device.
Some tips you can follow are:
Install programs and updates only from sources you trust. Use a dependable security solution with anti-phishing features that block redirects to suspicious pages. And trust your instincts: do not click on links that look suspicious, even on a site you once knew to be legitimate.