Zscaler Blog

Security Research

Scammers Use Cheap and Squatted Domains to Create Fake Sites

RUBIN AZAD
March 06, 2019 - 3 min read

Last summer, a ThreatLabZ blog covered scam campaigns in which bad actors using .tk domains displayed warnings about a fake malware infection and tried to generate revenue by offering paid remediation.

We recently noticed the development of similar campaigns in which bad actors are making use of cheap domains, registering them in bulk, and scamming people in an attempt to generate revenue. In this blog, we cover a few such campaigns.


Infrastructure Sharing

In our research last year, we noticed that domains with patterns such as some-domain[.]tk/index/?{random-long-int} were primarily showing support scams, such as alerting users that their systems had been infected with malware or claiming the warning page was from Microsoft and asking the user to call the hotline number provided. Once contacted, the scammer would take money from the end user, perform random actions such as showing the filesystem tree, and claim the system was fixed.

This year, we are seeing slightly different behavior in which the same URI patterns are being leveraged for other scam redirections.

Fig. 1: Infection chain 

The main site is injected with a malicious script responsible for malicious redirection chaining.

Fig. 2: Injected scripts

These injected scripts/URLs load different types of content in different iterations.

Fig. 3: Redirection chain

At the moment, these .tk domains are redirecting to various fake sites, including foreign exchange (forex), credit card, and healthcare, but the attacker can easily add more fake sites from other categories.

Fig. 4: Final .tk redirection to fake site

There are more than 700 .tk domains hosted on 185.251.39[.]220 and more than 80 .tk domains on 185.251.39[.]181, which are associated with this campaign. 
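The URI pattern and the shared hosting described in this section can be turned into a simple detection over web proxy logs. The following Python is an added example written for this post, not Zscaler's tooling: it flags requests to the cheap TLDs named here whose path is /index/ with a purely numeric query string, then groups the flagged hostnames by destination IP to surface servers that host many campaign domains. The log format, the six-digit minimum for the "long int", and the RFC 5737 addresses in the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Free/cheap TLDs the post associates with these campaigns.
CHEAP_TLDS = {"tk", "ga", "gq", "ml", "cf"}

# Minimum digit count for the "random long int" query string (assumed threshold).
MIN_QUERY_DIGITS = 6

# Constructed proxy log lines: timestamp, client IP, destination IP, URL.
# The IPs are RFC 5737 documentation addresses, not the ones in the post.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 10.0.0.5 203.0.113.10 http://example-news.com/article/123
2019-03-01T10:00:02Z 10.0.0.5 198.51.100.7 http://cheap-site-one.tk/index/?8829173641
2019-03-01T10:00:03Z 10.0.0.9 198.51.100.7 http://cheap-site-two.tk/index/?1182736455
2019-03-01T10:00:04Z 10.0.0.9 198.51.100.7 http://cheap-site-three.ml/index/?5526371890
2019-03-01T10:00:05Z 10.0.0.2 203.0.113.22 http://legit-shop.com/index/?42
2019-03-01T10:00:06Z 10.0.0.2 198.51.100.9 http://another-site.ga/index/?9991827364
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Turn the constructed log text into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, dest, url = m.groups()
        records.append({"ts": ts, "client": client, "dest": dest, "url": url})
    return records


def is_campaign_url(url):
    """True when the URL matches the post's pattern: cheap TLD + /index/?<long integer>."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1]
    if tld not in CHEAP_TLDS:
        return False
    query = parsed.query
    return parsed.path == "/index/" and query.isdigit() and len(query) >= MIN_QUERY_DIGITS


def flag_records(records):
    """Keep only the log records whose URL matches the campaign pattern."""
    return [r for r in records if is_campaign_url(r["url"])]


def domains_per_ip(records):
    """Map each destination IP to the set of hostnames requested from it."""
    by_ip = defaultdict(set)
    for r in records:
        host = urlparse(r["url"]).hostname
        if host:
            by_ip[r["dest"]].add(host.lower())
    return dict(by_ip)


def shared_infrastructure(records, min_domains=2):
    """Destination IPs serving at least min_domains distinct flagged hostnames."""
    return sorted(ip for ip, hosts in domains_per_ip(records).items()
                  if len(hosts) >= min_domains)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = flag_records(recs)
    for r in flagged:
        print("FLAG", r["client"], "->", r["url"])
    for ip in shared_infrastructure(flagged):
        print("shared host:", ip, sorted(domains_per_ip(flagged)[ip]))
```

The path-plus-numeric-query check alone would also match ordinary sites such as the legit-shop.com line, which is why the TLD filter and the digit-count threshold are applied together; the per-IP grouping is what turns individual hits into the "hundreds of domains on one address" picture described above.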


Domain squatting leads to tech support scam

We came across instances in which a domain squatting on Google Mail, gmil[.]com, was responsible for a redirection to a Microsoft tech support scam.

Fig. 5: Google Mail squatted domain leading to Microsoft Tech Support scam

The scam page that we received is similar to what we saw in our previous analysis, and there has been little to no development.

Fig. 6: Support scam page

The page microsft0x8024f0059rus[.]ml is hosted on 216.10.249[.]196, which is hosting over 400 .ga, .cf, .gq, .ml, and .tk domains; all are involved in Microsoft tech support scam activity.
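Squatted domains such as gmil[.]com differ from the brand they imitate by a single edit, which makes edit distance a practical way to spot them in DNS or proxy logs. The Python below is an added example, not code from Zscaler or this post: it computes the optimal string alignment (Damerau-Levenshtein) distance between each observed registrable domain and a small watch list of brand domains, and reports those within a couple of edits. The watch list, the sample hostnames, and the two-label suffix rule (which does not handle suffixes like co.uk) are assumptions made for the example.

```python
# Brand domains to protect (assumed watch list; the post names Google Mail and Microsoft).
WATCHED_BRANDS = ["gmail.com", "microsoft.com"]

# Constructed hostnames as they might appear in DNS or proxy logs.
SAMPLE_HOSTS = ["gmil.com", "gmail.com", "mail.example.org", "www.gmil.com"]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def registrable_domain(host):
    """Keep the last two labels; assumes a one-label public suffix (no co.uk handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(hosts, brands=WATCHED_BRANDS, max_distance=2):
    """Return (domain, brand, distance) for domains within max_distance edits of a brand.

    Distance 0 is the brand itself and is not reported; each registrable domain
    is checked once even if several subdomains of it appear in the logs.
    """
    hits = []
    seen = set()
    for host in hosts:
        domain = registrable_domain(host)
        if domain in seen:
            continue
        seen.add(domain)
        for brand in brands:
            dist = osa_distance(domain, brand)
            if 0 < dist <= max_distance:
                hits.append((domain, brand, dist))
    return hits


if __name__ == "__main__":
    for domain, brand, dist in find_lookalikes(SAMPLE_HOSTS):
        print(f"possible squat: {domain} (distance {dist} from {brand})")
```

A threshold of two edits keeps the check tight; raising it increases recall against short brand names at the cost of false positives on unrelated domains, so in practice the output is a triage queue for review rather than an automatic block list.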


PopCash leading to fake sites, including medicine, tax debt relief, repair services, and adult sites

Fig. 7: PopCash redirecting to fake sites that use the same page template

In another redirection iteration, we saw adult-themed sites and a fake medicine site claiming to be CNN.

Fig. 8: Adult-themed site and fake CNN page selling Viagra


Fake airlines

We also spotted fake airline sites using an identical template, contact number, and Google gtag.

Fig. 9: Similar fake airline sites

The use of a nearly identical template suggests that a scam kit is being used to automatically generate the page content.

Fig. 10: Template comparisons

The IP address 103.25.128[.]224 is hosting 70 or more of these fake airline sites.

Conclusion

Scam campaigns leveraging cheap domains such as .tk, .ga, .gq, .ml, .cf, and others have been on the rise for the past few years. Because registering such domains is very inexpensive, bad actors register them in bulk and use them to generate revenue.

While some of these sites are poorly designed and obvious scams, others are sophisticated and look very much like the real brand. Always look at a site’s URL to make sure the site is legitimate before initiating communications or making any kind of transaction.

Zscaler ThreatLabZ is actively monitoring scamming sites and other threats to ensure coverage and will continue to share information on these campaigns.

IOCs

All scam domains involved in the above campaigns can be seen here.
