Scammers are utilizing free .TK domains to redirect users from hacked sites to fake blogs created for the sole purpose of displaying advertisements or tech support scams.

This scheme works by attackers compromising web sites and installing scripts that redirect visitors through a series of sites. At the end of this redirect chain will either be a tech support scam stating that the computer is infected with the Zeus virus or a fake blog site that display popups ads that cannot be closed.

Example Tech Support Scam shown by redirects
Example Tech Support Scam shown by DotTK redirects

This scheme was discovered by the Zscaler ThreatLabZ research team who has been monitoring the scam for the past few months. When these sites are compromised, they will have plain-text or obfuscated JavasSript injected into web pages that perform a redirect to free DotTK domains as shown below.

Injected Script
Injected Script

These DotTK domains will then redirect the user to a final site that displays the payload. You can see a video demonstrating these redirects below and resulting payload of a fake blog site displaying ads.

Mohd Sadique, a security researcher for Zscaler, told BleepingComputer that it is not known what methods are currently being used to compromise the sites. Based on the urls shared with BleepingComputer, it may be through Wordpress vulnerabilities.

This scam could be making 20k per month

According to researchers, these campaigns continue to see increased activity, and with all of the sites combined, could be making the actors a lot of money.

"Based on our analysis of this campaign data till now, we are estimating at least 20K+ USD per month in revenue being generated from Ad Fraud activities alone." stated Mohd Sadique, a security researcher for Zscaler.

Based on their research, each site is earning an average of $300 per month. When you combine that with the 72 known active .TK domains, that would bring in over 21k.

"If we consider that the average monthly advertising revenue from one website is $300, we can extrapolate that for 72 domains, the monthly revenue could be as high as $21,600." Sadique further stated.

Malicious Chrome extension registered free TK domains

All of the .tk domains that I looked at appear to have been registered using the Freenom domain registration service. This same service was used by a malicious extension in 2017 to register free domains utilizing a victim's Gmail accounts.

This extension would utilize Chrome and saved Gmail credentials to register numerous free domains under the victim's email address.

Registere Domains
Free domains registered by malicious extension

When BleepingComputer discovered this malicious extension registering free domains and sending them to a command & control server, it was not known what these domains were being used for. It does show how an attacker can automate the registration of domains using a victim's credentials and IP address to make it harder to track down the attacker.

Related Articles:

Thousands of Compromised WordPress Sites Redirect to Tech Support Scams

Scammers Ride on Popular Vote411 Voter Info Site to Push Scareware Alerts

McAfee Tech Support Scam Harvesting Credit Card Information

Scammers Use Facebook Sharer Page to Push Tech Support Scams

Fake Elon Musk Twitter Bitcoin Scam Earned 180K in One Day