Join Us for Zenith Live 2019 Learn More
Join Us for Zenith Live 2019 Learn More

Scammers Use Cheap and Squatted Domains to Create Fake Sites

Scams redirect to fake adult sites, tech support, airlines, medicine, and more

By: Rubin Azad

Scammers Use Cheap and Squatted Domains to Create Fake Sites

Last summer, a ThreatLabZ blog covered scam campaigns in which bad actors using .tk domains were showing warnings of a fake malware infection and trying to generate revenue by offering remediations. 

We recently noticed the development of similar campaigns in which bad actors are making use of cheap domains, registering them in bulk, and scamming people in an attempt to generate revenue. In this blog, we will cover a few of such campaigns.

 

Infrastructure Sharing

In our research last year, we noticed that domains with patterns such as some-domain[.]tk/index/?{random-long-int} were primarily showing support scams, such as alerting users that their systems had been infected with malware or claiming an infected site was from Microsoft and asking the user to use the hotline number provided. Once contacted, the scammer would take money from the end-user and perform random actions, show the filesystem tree, and claim the system was fixed.

This year, we are seeing slightly different behavior in which the same URI patterns are being leveraged for other scam redirections.

Fig-1 Scan redirection chain

Fig. 1: Infection chain 

The main site is injected with a malicious script responsible for malicious redirection chaining.

Fig. 2: Injected scripts

These injected scripts/URLs load different types of content in different iterations.

Fig. 3: Redirection chain

At the moment, these .tk domains are redirecting to various fake sites, including foreign exchange (forex), credit card, and healthcare, but the attacker can easily add more fake sites from other categories.

Fig. 4: Final .tk redirection to fake site

There are more than 700 .tk domains hosted on 185.251.39[.]220 and more than 80 .tk domains on 185.251.39[.]181, which are associated with this campaign. 


    Domain squatting leads to tech support scam

    We came across interesting instances in which a Google Mail squatted domain gmil[.]com was responsible for a Microsoft Tech Support scam redirection.

    Fig. 5: Google Mail squatted domain leading to Microsoft Tech Support scam

    The scam page that we received is similar to what we saw in our previous analysis, and there has been little to no development.

    Fig. 6: Support scam page

    The page microsft0x8024f0059rus[.]ml is hosted on 216.10.249[.]196, which is hosting over 400 .ga, .cf, .gq, .ml, and .tk domains; all are involved in Microsoft tech support scam activity.

     

    PopCash leading to fake sites, including medicine, tax debt relief, repair services, and adult sites

    Fig. 7: PopCash redirecting to fake sites that use the same page template

    In another redirection iteration, we saw adult-themed sites and a fake medicine site claiming to be CNN.

    Fig. 8: Adult themed site and fake CNN page selling Viagra

     

    Fake airlines

    We also spotted fake airline sites using an identical template, contact number, and Google gtag.

    Fig. 9: Similar fake airline sites

    The use of the nearly identical template means there is a scam kit being used to automatically generate their page content.

    Fig. 10: Template comparisons

    The IP address 103.25.128[.]224 is hosting 70 or more of these fake airline sites.

    Conclusion

    Scam campaigns leveraging cheap domains such as .tk, .ga, .gq, .ml, .cf, and others have been on the rise for past few years now. Because registering such domains is very inexpensive, bad actors are doing bulk registrations for such domains and using them to generate revenue.

    While some of these sites are poorly designed and obvious scams, others are sophisticated and look very much like the real brand. Always look at a site’s URL to make sure the site is legitimate before initiating communications or making any kind of transaction.

    Zscaler ThreatLabZ is actively monitoring scamming sites and other threats to ensure coverage and will continue to share information on these campaigns.

    IOCs

    All scam domains involved in the above campaigns can be seen here.




    Suggested Blogs