This article originally appeared in Threat Post on September 5, 2018.
The campaign is believed to bring in close to $22,000 per month for bad actors.
A scam campaign involving “.tk” domains has been active since at least May 2018, redirecting unsuspecting users to fake blogger sites that are collectively bringing in close to $22,000 per month in advertising revenue.
“…lack of transparency in the digital supply chain combined with the millions of internet users at the receiving end of digital ads have turned traffic fraud into a lucrative multi-billion dollar business and, therefore, entice crime and corruption.”
The same actors have also been spotted running a tech-support scam in tandem, also using .tk domains.
The .tk suffix indicates a a top-level domain that’s supposed to stand for a country, like .ca (Canada) or .fr (France). In this case, it represents a tiny Pacific island nation called Tokelau, affiliated with New Zealand, which has a landmass consisting of four square miles and is home to about 1,300 people. It’s a place unlikely to be hosting a massive ad fraud campaign.
However, .tk domains are more than cheap, they’re free, making them very attractive for anyone globally who may be looking to stand up a fast web-attack infrastructure without caring about URL branding. Researchers at Zscaler in July found a network of thousands of .tk sites built to do just that.
The campaign first came to light when the team discovered a series of legitimate websites that had been compromised with redirection code: “Some of the compromised sites have plain-text injected redirection code, and many of them have packed and obfuscated injected redirection code,” the researchers noted in an analysis last Friday; interestingly, for some of the sites, the code doesn’t redirect for every hit; instead, redirection takes place when a random number “3” appears.
In all of these cases, they push visitors to web URLs with .tk suffixes, which then send them to either purported “blogger sites” or, in a variation on the theme, one of several fake tech-support sites that claim to remove viruses and urge visitors to call a number for help.
In all, 3,804 unique .tk domains implicated in the campaign have been found, some established as far back as May. Zscaler told Threatpost that a vast majority of them are involved in redirecting to fake blogger content and just a few of them are involved in the tech support scams.
For the blogger-site gambit, the researchers told Threatpost that the .tk infrastructure is being leveraged for either hosting the initial lure page or for intermediate redirect content. These URLs will lead to fake sites which may or may not be using .tk domains themselves.
The redirection URL changes each time, rotating between 72 fake blogging content sites with garbage site names like “braceletstartop”, “din9” or “jessica1”, all tied to the same IP address (162.244.35[.]55). The content is either plagiarized or spam content, and the sole purpose of the pages is showing ads. Zscaler noted that taking an average of $300 per month, revenue could be as high as $21,600. Traffic, the firm found, is increasing to these sites on a daily basis.
In other cases, the .tk campaign URL redirects to fake tech support websites displaying alert messages that ask users to call a given number for technical assistance. These scam URLs also all use nonsense nomenclature, like “wizenedrusty” and “savoirplaisir”. If users call the number, a human will attempt to take payment details.
“The campaign appears to be very simple but well thought out and already producing results in terms of revenue,” Zscaler told us. “We are not able to attribute this to a specific group yet.”
Zscaler researchers also said that traffic is steadily increasing to the scam sites; and the activity, as pervasive and growing as it seems to be, could be the tip of the atoll, so to speak, for the malefactors behind the scams.
“Over the last three months, this campaign has largely been redirecting users to fake blogger sites and tech-support scam sites, but it’s reasonable to assume that in the future, the campaign may start redirecting to phishing sites, exploit kit gates or any malicious site that can generate revenue in one way or another,” the team noted.
This seems like a fair conclusion given that there’s precedent: In fact, in July the sprawling Master134 malvertising campaign was found, involving at least 10,000 compromised websites and driving legions of web visitors around the world to exploit kits.
“Unfortunately, lack of transparency in the digital supply chain combined with the millions of internet users at the receiving end of digital ads have turned traffic fraud into a lucrative multi-billion dollar business and, therefore, entice crime and corruption,” said Chris Olson, CEO of the Media Trust, via email. “To combat traffic fraud, all digital players should police their digital partners and the code those partners execute in their digital ecosystem; ensure partners are adequately secure from malicious attacks; and continuously scan their digital ecosystems in real-time to identify and, when needed, terminate unauthorized code.”