A number of inactive websites have been compromised and are redirecting visitors to unwanted URLs, many of which are malicious. This is according to a new study by Kaspersky, which uncovered over 1000 inactive domains that send users to second-hand pages as a way for fraudsters to make money or even infect their device.
Inactive domains are sometimes purchased by a service before being put up for sale on an auction site. Visitors to the inactive website should then be redirected to the auction stub; however, fraudsters are often substituting these stubs for malicious links.
Kaspersky researchers discovered that there were about 1000 websites for sale on one of the world’s biggest auction platforms, and these redirected visitors to over 2500 unwanted URLs. Many of these download the Shlayer Trojan, which installs adware on infected devices and is distributed by webpages with malicious content.
Of these websites, 89% were redirects to ad-related pages while 11% were to malicious sites, which either contained a malicious code or prompted users to install malware or download infected MS Office or PDF documents.
It is believed fraudsters are being paid to drive traffic to both the legitimate advertising pages and malicious sites, which is the motivation for the scheme.
Dmitry Kondratyev, junior malware analyst at Kaspersky, commented: “The domains that have these redirects were — at one point — legitimate resources, perhaps those the users frequently visited in the past. There is no way of knowing whether or not they are now transferring visitors to pages that download malware. Adding to the challenge is that whether or not you land on a malicious site varies: if one day, you access the site from Russia, nothing will happen. However, if you then try to access it with a VPN, you might be sent to a page that downloads Shlayer.
“In general, malvertising schemes like these are complex, making them difficult to fully uncover, so your best defense is to have a comprehensive security solution on your device.”