Zscaler Blog

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Abonnieren
Security Research

Thousands/Millions Of .tk Sites Created For Fake Online Stores

image
JULIEN SOBRIER
September 15, 2011 - 3 Lesezeit: Min
While I was monitoring hijacked sites leading to fake online stores, I noticed a significant increase in .tk sites redirecting to searchdiscovered.com via domain.dot.tk. There are a number of interesting things going on with these .tk sites. First, the spammers have decided to create their own sites rather than hijacking existing sites with good reputation rankings. Doing a Google search, I found thousands of these sites: fidymarch.tk, isaftaho.tk, isaftaho.tk, jedkyosculit.tk, flicreuci.tk, meicatec.tk, etc. There may be up to 6 million sites like this.  Most of the domains are registered by two entities: DOT TK and Malo Ni Advertising Limited (Isle of Man).
 
Image
WHOIS information for isaftaho.tk

http://dot.tk/ offers free .tk domains and redirections, like co.cc, so it is is not surprising to see this service being abused.
 
Image
Free .tk domain names

These .tk sites contain only spam, unlike hijacked sites, which contain both legitimate content and spam. They look all pretty much the same. The previous spam pages I saw were using only text, with no images. These sites look more like online stores, with images, and links to the actual fake stores
 
Image
Spam page from cetescawin.tk

The fake online stores linked from these spam sites are the same as the fake stores that I saw earlier: same template, same translations into 5 languages, same discounts, etc: cheapoem.com.ua, discountsoftware.com.ua, etc.
 
Image
Fake store discountsoftware.com.ua
Down .... but still there

About half of the .tk domains I've tried seem to be down. They redirect to domain.dot.tk, then to searchdiscovered.com which seems to be a parking domain.
 
Image
Domain parked on searchdiscovered.com
It is very likely that the .tk domains were suspended by the registrar Dot.tk, and now redirect to to a parking domain where the registrar can make some money for it's free service with the advertising.

These domains are not harming users anymore, since they redirect to a harmless advertising page instead of a fake store. But it is disappointing that they are still in Google's index, and show up for queries related to buying software online. For example, Google displays more than 600 spam pages for the domain cetescawin.tk.

The second take away is that these dead domains illustrate why it is more effective for the spammers to hijack existing sites rather than create their own. With their own spam sites, it is very easy for both the registrar and Google to take down the entire domain, but is is not likely that Google, or any other search engine, or for example that the registrar Educause is going take down harvard.edu because some sub-domains of their sites contain spam.

Protect yourself

Users can be warned when they visit a fake online store by installing the free Zscaler Safe Shopping add-on for Firefox, Safari, Chrome, Opera and Firefox Mobile.

-- Julien
form submtited
Danke fürs Lesen

War dieser Beitrag nützlich?

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Mit dem Absenden des Formulars stimmen Sie unserer Datenschutzrichtlinie zu.