By: Julien Sobrier

Thousands/Millions Of .tk Sites Created For Fake Online Stores


While I was monitoring hijacked sites leading to fake online stores, I noticed a significant increase in .tk sites redirecting to searchdiscovered.com via domain.dot.tk. There are a number of interesting things going on with these .tk sites. First, the spammers have decided to create their own sites rather than hijacking existing sites with good reputation rankings. Doing a Google search, I found thousands of these sites: fidymarch.tk, isaftaho.tk, jedkyosculit.tk, flicreuci.tk, meicatec.tk, etc. There may be up to 6 million sites like this. Most of the domains are registered by two entities: DOT TK and Malo Ni Advertising Limited (Isle of Man).
 
WHOIS information for isaftaho.tk

http://dot.tk/ offers free .tk domains and redirections, like co.cc, so it is not surprising to see this service being abused.
 
Free .tk domain names

These .tk sites contain only spam, unlike hijacked sites, which contain both legitimate content and spam. They all look pretty much the same. The previous spam pages I saw were using only text, with no images. These sites look more like online stores, with images and links to the actual fake stores.
 
Spam page from cetescawin.tk

The fake online stores linked from these spam sites are the same as the fake stores that I saw earlier: same template, same translations into 5 languages, same discounts, etc: cheapoem.com.ua, discountsoftware.com.ua, etc.
 
Fake store discountsoftware.com.ua

Down ... but still there

About half of the .tk domains I've tried seem to be down. They redirect to domain.dot.tk, then to searchdiscovered.com which seems to be a parking domain.
 
Domain parked on searchdiscovered.com
It is very likely that the .tk domains were suspended by the registrar Dot.tk, and now redirect to a parking domain where the registrar can make some money for its free service with the advertising.
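The redirect chain described above (.tk site, then domain.dot.tk, then searchdiscovered.com) can be used to separate suspended domains from ones that still serve spam when triaging proxy logs. The following is an added example, not code from the original post; the log format, URL paths and query strings are constructed for illustration, and only the host names come from the post.

```python
from urllib.parse import urlsplit

# Hosts named in the post: the registrar's redirector and the parking domain.
REGISTRAR_HOP = "domain.dot.tk"
PARKING_HOST = "searchdiscovered.com"

# Constructed proxy log: "<status> <requested URL> <Location or ->" (made-up paths).
SAMPLE_LOG = """\
302 http://isaftaho.tk/ http://domain.dot.tk/p/?d=ISAFTAHO.TK
302 http://domain.dot.tk/p/?d=ISAFTAHO.TK http://searchdiscovered.com/?dn=isaftaho.tk
200 http://searchdiscovered.com/?dn=isaftaho.tk -
200 http://cetescawin.tk/buy-software.html -
302 http://flicreuci.tk/ http://flicreuci.tk/
"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def parse_log(text):
    """Map each requested URL to its redirect target (None = final response)."""
    hops = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        status, url, location = parts
        hops[url] = location if status.startswith("3") and location != "-" else None
    return hops

def chain(url, hops, max_hops=10):
    """Follow redirects from url; stop on a loop, an unseen URL or max_hops."""
    seen = [url]
    while hops.get(seen[-1]) and hops[seen[-1]] not in seen and len(seen) <= max_hops:
        seen.append(hops[seen[-1]])
    return seen

def classify(url, hops):
    """'parked' = .tk site that goes via the registrar hop to the parking host."""
    hosts = [host(u) for u in chain(url, hops)]
    if not hosts[0].endswith(".tk") or hosts[0] == REGISTRAR_HOP:
        return "not-a-tk-site"
    if REGISTRAR_HOP in hosts[1:] and hosts[-1] == PARKING_HOST:
        return "parked"
    return "live-or-unknown"

def report(text=SAMPLE_LOG):
    """Verdict per .tk host seen in the log."""
    hops = parse_log(text)
    verdicts = {host(u): classify(u, hops) for u in hops}
    return {h: v for h, v in verdicts.items() if v != "not-a-tk-site"}
```

Calling `report()` on the sample log marks isaftaho.tk as parked and leaves the other two .tk hosts for manual review.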

These domains are not harming users anymore, since they redirect to a harmless advertising page instead of a fake store. But it is disappointing that they are still in Google's index, and show up for queries related to buying software online. For example, Google displays more than 600 spam pages for the domain cetescawin.tk.

The second takeaway is that these dead domains illustrate why it is more effective for the spammers to hijack existing sites rather than create their own. With their own spam sites, it is very easy for both the registrar and Google to take down the entire domain, but it is not likely that Google, or any other search engine, or for example the registrar Educause, is going to take down harvard.edu because some sub-domains of their sites contain spam.

Protect yourself

Users can be warned when they visit a fake online store by installing the free Zscaler Safe Shopping add-on for Firefox, Safari, Chrome, Opera and Firefox Mobile.

-- Julien
