Researchers say they had long noticed links under old YouTube videos or in Wikipedia articles that at some point turned malicious and began leading to affiliate-program pages, phishing sites or malware downloads. The obvious explanation was that attackers were deliberately buying up the expired domains behind those links, but that scenario always looked too laborious to be plausible.
The researchers finally worked out how the scheme operates after examining the behavior of Razor Enhanced, a legitimate assistant utility for Ultima Online, when it suddenly began contacting a malicious URL.
Since nothing suspicious was found in the program's own code, it became clear that the problem was on the other end. Visiting the site that Razor Enhanced was contacting, the experts found the stub page of one of the popular domain auctions, stating that the domain was up for sale. The WHOIS data showed that the previous owner had let the registration lapse; the name had then been picked up through a service that tracks expiring (dropped) domains and put up for sale on the auction site.
To sell a domain at auction, its DNS must first be pointed at the trading platform's servers, where it stays until it is transferred to the new owner. Anyone who tries to open the site in the meantime sees that stub page.
Watching this page, the experts noticed that from time to time a visitor who arrived at the now-inactive developer site ended up not on the auction stub but on a malicious resource (which is exactly what happened to Razor Enhanced when it checked for updates). It then turned out that the stub does not redirect visitors to any single fixed resource, but to many different sites, including affiliate-network pages. The redirect target also varies by country and User-Agent: a visitor arriving from a macOS device has a chance of landing on a page from which the Shlayer Trojan is downloaded.
Checking the list of addresses from which Shlayer was downloaded, the analysts found that most of those domain names were being auctioned on the same trading platform. When they examined requests to one of the resources to which Razor Enhanced users were redirected, they found that about a hundred more stub pages of the same platform send their visitors to the same address.
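The two observations above (a stub whose destination depends on the visitor's country and User-Agent, and many stubs funnelling into one third-party address) can be checked mechanically from captured redirect chains. The script below is an added example, not Kaspersky's tooling; it runs over a small constructed set of chains (the hostnames `dev-example.test`, `park.auction.test`, `installer-lure.test` and so on are placeholders, not domains from the research) and flags three things: stub pages that send visitors off to a third-party site, start domains whose final destination differs across User-Agent or country, and third-party destinations shared by several stubs.

```python
"""Detect auction-stub redirect abuse in captured redirect chains.

Added example, not code from the original research. Every hostname and
chain below is constructed for illustration. A practitioner would feed
in chains captured by a proxy or a crawler that fetched each start URL
with several User-Agent strings from several exit countries.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations: (start_url, ua_family, country, redirect_hops)
# redirect_hops is the list of Location targets followed, in order.
OBSERVATIONS = [
    ("http://dev-example.test/update.txt", "Windows", "US",
     ["http://park.auction.test/?d=dev-example.test"]),
    ("http://dev-example.test/update.txt", "macOS", "US",
     ["http://park.auction.test/?d=dev-example.test",
      "http://ads.redirector.test/go?id=1",
      "http://installer-lure.test/flash.dmg"]),
    ("http://dev-example.test/update.txt", "Windows", "RU",
     ["http://park.auction.test/?d=dev-example.test",
      "http://ads.redirector.test/go?id=7",
      "http://offer-network.test/land"]),
    ("http://oldgame-tools.test/version", "Windows", "US",
     ["http://park.auction.test/?d=oldgame-tools.test",
      "http://ads.redirector.test/go?id=3",
      "http://offer-network.test/land"]),
    ("http://oldgame-tools.test/version", "macOS", "DE",
     ["http://park.auction.test/?d=oldgame-tools.test",
      "http://ads.redirector.test/go?id=9",
      "http://installer-lure.test/flash.dmg"]),
    # A live developer site that merely upgrades to HTTPS: benign.
    ("http://still-alive.test/update.txt", "Windows", "US",
     ["https://still-alive.test/update.txt"]),
    # A parked domain that only ever shows the auction stub: not (yet) abused.
    ("http://wiki-link.test/", "macOS", "US",
     ["http://park.auction.test/?d=wiki-link.test"]),
]

# Hosts belonging to the auction platform itself (constructed placeholder).
AUCTION_HOSTS = {"park.auction.test"}


def host_of(url):
    """Hostname of a URL, lower-cased, empty if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Naive registrable domain: the last two labels.

    Good enough for the constructed data; real code should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(observations, auction_hosts):
    """Return off-site redirects, divergent start domains and shared hubs."""
    offsite = []                          # one record per off-site chain
    finals_by_start = defaultdict(set)    # start domain -> set of final hosts
    hub_sources = defaultdict(set)        # final host -> set of start domains

    for start, ua, country, hops in observations:
        start_dom = registered_domain(host_of(start))
        end_host = host_of(hops[-1]) if hops else host_of(start)
        finals_by_start[start_dom].add(end_host)

        # Landing on the auction stub or staying on the owner's domain is
        # expected behaviour; anything else is an off-site redirect.
        if end_host in auction_hosts or registered_domain(end_host) == start_dom:
            continue

        # Did the chain pass through the auction platform first? That is
        # the signature of the scheme described in the article.
        via_stub = bool(hops) and host_of(hops[0]) in auction_hosts
        offsite.append({
            "start": start_dom, "ua": ua, "country": country,
            "final_host": end_host, "hops": len(hops), "via_stub": via_stub,
        })
        hub_sources[end_host].add(start_dom)

    # Same start domain, different final host for different UA/country.
    divergent = {d for d, hosts in finals_by_start.items() if len(hosts) > 1}
    # Third-party destinations fed by two or more distinct stubs.
    hubs = {h: len(srcs) for h, srcs in hub_sources.items() if len(srcs) >= 2}
    return {"offsite": offsite, "divergent": divergent, "hubs": hubs}


if __name__ == "__main__":
    report = analyze(OBSERVATIONS, AUCTION_HOSTS)
    for rec in report["offsite"]:
        print(f"OFFSITE {rec['start']} [{rec['ua']}/{rec['country']}] "
              f"-> {rec['final_host']} via_stub={rec['via_stub']}")
    print("divergent start domains:", sorted(report["divergent"]))
    print("shared destinations:", report["hubs"])
```

The `via_stub` flag is what separates this scheme from an ordinary compromised site: the first hop is the auction platform, not the abandoned domain itself, so blocking or monitoring the platform's parking hosts catches the whole family of stubs at once. The divergence check only works if the same start URL is fetched under several User-Agent and exit-country combinations, which is why the observations carry both fields.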
In total, about a thousand such stub pages were found during the study, though the researchers note that there may well be many more. Between them, the redirecting pages they found led to more than 2,500 unwanted sites.
In the period from March 2019 to February 2020, 89% of the sites that requests from the stub pages were redirected to were advertising sites. The remaining 11% posed a far more serious danger: there the user was invited to install malware, or to download malicious MS Office documents or PDF files containing links to fraudulent resources.
The researchers suggest that one of the revenue streams of the attackers behind this campaign is the traffic they drive to affiliate-program pages, both advertising and malicious. For example, one such resource received on average about 600 redirected requests in ten days from programs that, like Razor Enhanced, try to reach their developer's site. In the case of the Shlayer Trojan, payment was apparently made per installation.
According to the experts, the malicious redirects are most likely produced by a module on the stub page that displays content from a third-party ad network. The malicious traffic could stem from a lack of advertisement filtering, or from attackers exploiting vulnerabilities in the advertising module (or in the trading platform itself) to change its settings and substitute their own redirects.
To summarize, the researchers write that they have probably stumbled upon a rather ingeniously organized (and, presumably, centrally managed) network that can "pour traffic" onto attacker-controlled resources, using redirects from legitimate domain names and the infrastructure of one of the largest and oldest domain auctions (the name is not disclosed).
“This is a complicated scheme, because the domains themselves that are used by cybercriminals are legitimate, and some visitors can access them by typing in an address from memory, and also by clicking on the link in the “About the program” window of the application used or by finding them using search systems. It’s impossible to find out in which cases redirection will go to pages that download malware, and the user cannot prevent dangerous clicks on their own without the help of a protective solution,” says Dmitry Kondratyev, an expert on cyber security at Kaspersky Lab.