Scammers are utilizing free .TK domains to redirect users from hacked sites to fake blogs created for the sole purpose of displaying advertisements or tech support scams.
This scheme works by attackers compromising web sites and installing scripts that redirect visitors through a series of sites. At the end of this redirect chain will either be a tech support scam stating that the computer is infected with the Zeus virus or a fake blog site that display popups ads that cannot be closed.
This scheme was discovered by the Zscaler ThreatLabZ research team who has been monitoring the scam for the past few months. When these sites are compromised, they will have plain-text or obfuscated JavasSript injected into web pages that perform a redirect to free DotTK domains as shown below.
These DotTK domains will then redirect the user to a final site that displays the payload. You can see a video demonstrating these redirects below and resulting payload of a fake blog site displaying ads.
Mohd Sadique, a security researcher for Zscaler, told BleepingComputer that it is not known what methods are currently being used to compromise the sites. Based on the urls shared with BleepingComputer, it may be through Wordpress vulnerabilities.
According to researchers, these campaigns continue to see increased activity, and with all of the sites combined, could be making the actors a lot of money.
"Based on our analysis of this campaign data till now, we are estimating at least 20K+ USD per month in revenue being generated from Ad Fraud activities alone." stated Mohd Sadique, a security researcher for Zscaler.
Based on their research, each site is earning an average of $300 per month. When you combine that with the 72 known active .TK domains, that would bring in over 21k.
"If we consider that the average monthly advertising revenue from one website is $300, we can extrapolate that for 72 domains, the monthly revenue could be as high as $21,600." Sadique further stated.
All of the .tk domains that I looked at appear to have been registered using the Freenom domain registration service. This same service was used by a malicious extension in 2017 to register free domains utilizing a victim's Gmail accounts.
This extension would utilize Chrome and saved Gmail credentials to register numerous free domains under the victim's email address.
When BleepingComputer discovered this malicious extension registering free domains and sending them to a command & control server, it was not known what these domains were being used for. It does show how an attacker can automate the registration of domains using a victim's credentials and IP address to make it harder to track down the attacker.