Criminals have been found to abuse expired domain names by re-registering them and redirecting their visitors to malware. Picking up expired domains was until recently a routine tactic of marketers and SEO specialists, who used the names only to point at their clients' landing pages. This new twist shows why a domain name should never be trusted to be safe by default, even one that was legitimate when a link to it was first published.
Expired Domain Names Registered and Abused To Deliver Malware
Hackers are exploiting the common marketing practice of registering expired domain names. The practice was devised to provide backlinks to a given site: digital marketers look up newly expired domains that have a similar name, relevance to a topic, or many inbound links from notable sites. If a domain fits the niche of a client's site they register it and post content, edit archived posts or set up redirects to other sites, and it is those redirects that can just as easily lead to malware.
There is another possibility hackers can abuse: faking the expired-domain notice. When a site's domain has expired, visitors are usually shown a page from the registrar or a hosting company stating that the name is now for sale. Since such pages typically carry a form or contact details, a counterfeit version can be used in phishing campaigns; the exact phishing strategy depends on the chosen site and the hacking group.
In one confirmed case security researchers traced the activity to an online game. The investigation showed that when the game's users opened one of its sites, a link on it pointed to one such expired domain, and the redirect led visitors to a blacklisted web page rather than to a regular domain auction site.
Following the chain of links, an audit found more than 2,500 pages in total that link out to such sites. There are two primary consequences:
- Malware Distribution — In many cases the hackers embed virus-infected files or serve malware payloads directly. In this particular case the most prominent example is the Shlayer Trojan, which installs adware and carries out other harmful actions on the host system.
- Malware Redirects — The criminals can redirect visitors to fake login forms, phishing sites and intrusive ad content.
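The audit described above, flagging outbound links whose target domain has expired and been re-registered, can be reproduced on a site's own link inventory. The script below is an added example, not code from the original article or from the researchers it cites. It replaces live WHOIS lookups, crawling and reputation feeds with constructed in-memory data so it runs offline; every domain, date, URL and the hypothetical redirect map are made up for illustration. The signal it uses is the WHOIS creation date: if the current registration of a linked domain was created after the link was published, the domain dropped and was picked up by someone else.

```python
"""Audit a site's outbound links for dropped-and-re-registered domains.

Added example (not code from the original article). Live WHOIS lookups,
crawling and reputation feeds are replaced by constructed in-memory data so
it runs offline; names, dates and URLs below are made up.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed: outbound links found on our pages and the date each link was
# first published. In practice this comes from a crawl plus page history.
OUTBOUND_LINKS = [
    ("https://example-game-forum.net/guide", date(2017, 3, 1)),
    ("http://oldpartner.example/landing?ref=game", date(2016, 8, 20)),
    ("https://cdn.trusted-vendor.example/js/app.js", date(2019, 1, 5)),
    ("http://bargain-domains.example/offer", date(2018, 6, 11)),
]

# Constructed stand-in for WHOIS "Creation Date": registrable domain -> date
# of the *current* registration, or None when the domain is currently unregistered.
WHOIS_CREATED = {
    "example-game-forum.net": date(2017, 2, 14),  # registered before we linked: fine
    "oldpartner.example": date(2020, 1, 3),       # created after we linked: dropped and re-registered
    "trusted-vendor.example": date(2012, 5, 30),
    "bargain-domains.example": None,              # expired: anyone can register it now
    "evil-ads.example": date(2019, 11, 2),
}

# Constructed reputation blocklist and HTTP redirect map (url -> Location header).
BLOCKLIST = {"evil-ads.example"}
REDIRECTS = {"http://oldpartner.example/landing?ref=game": "http://evil-ads.example/l?x=1"}


@dataclass(frozen=True)
class Finding:
    link: str      # the outbound link on our page
    domain: str    # the domain in the redirect chain that triggered the finding
    reason: str


def registrable_domain(url: str) -> str:
    """Last two labels of the hostname. Deliberate simplification: real code
    should use the Public Suffix List (e.g. tldextract) for co.uk-style suffixes."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def follow_redirects(url: str, redirects: dict, limit: int = 10) -> list:
    """Return the chain url -> ... -> final URL, capped at `limit` hops so a
    redirect loop cannot hang the audit."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= limit:
        chain.append(redirects[chain[-1]])
    return chain


def audit_links(links, whois, blocklist, redirects) -> list:
    """Flag every hop of every outbound link that is blocklisted, currently
    unregistered, or registered *after* we first published the link (the
    signature of a domain that expired and was picked up by someone else)."""
    findings = []
    for link, first_seen in links:
        for hop in follow_redirects(link, redirects):
            dom = registrable_domain(hop)
            if dom in blocklist:
                findings.append(Finding(link, dom, "blocklisted"))
            elif dom not in whois:
                findings.append(Finding(link, dom, "no registration data"))
            elif whois[dom] is None:
                findings.append(Finding(link, dom, "currently unregistered"))
            elif whois[dom] > first_seen:
                findings.append(Finding(link, dom, "re-registered after link was published"))
    return findings


if __name__ == "__main__":
    for f in audit_links(OUTBOUND_LINKS, WHOIS_CREATED, BLOCKLIST, REDIRECTS):
        print(f"{f.reason:40s} {f.domain:26s} via {f.link}")
```

Two design points matter in practice. The check walks every hop of the redirect chain, not just the link's own domain, because the case in the article was exactly a legitimate-looking link whose re-registered target forwarded visitors somewhere else. And a domain that is currently unregistered is reported too: it is not malicious yet, but it is one registration away from becoming so, which is why a page's outbound links need re-auditing over time rather than only when they are first published.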
One reason this method is becoming more efficient and popular among hackers is that such domains are very easy to use: registering an expired domain, and gathering analytical data about its value, can be done with free public tools.