Hackers have begun using a new tactic to spread malware and conduct phishing attacks on unsuspecting internet users. They are hijacking inactive domains and using them to bring visitors to malicious websites in a form of malvertising attacks.

Malvertising classified as the use of malicious code in seemingly legitimate adverts, which are often displayed on high-traffic websites.  Website owners use third-party ad networks as a way to increase revenue from their websites. Most of these adverts are genuine and will bring users to a legitimate website, but hackers often sneak malicious code into these adverts. Visiting the link will result in the user being sent to a website hosting an exploit kit or phishing form. In some instances, ‘drive-by’ malware downloads take place without any user interaction, simply if the web content loads and the user has a susceptible device.

The new tactic leverages domains that have expired and are no longer active. These websites may still be listed in the search engine browser result pages for key search terms. When user enters a search and clicks the link or uses a link in their bookmarks to an earlier visited website, they will arrive at a landing page that explains that the website is no longer active. A lot of the time that page will include a series of links that will direct the visitor to related websites.

What often happens is these expired domains are put up for sale. They can be attractive for purchasers as there may already be many existing links to the website, which is better than starting a brand-new website from scratch. These expired domains are then sold to the highest bidder. Experts at Kaspersky found that cybercriminals have taken advantage of these auction-listed websites and have added links that bring visitors to malicious websites.

When a visitor lands on the site, instead of being directed to the auction stub, the stub is replaced with a link to a malicious website. The study showed that almost 1,000 domains that had been listed for sale on a popular auction site, which brought visitors to more than 2,500 unwanted URLs. In the majority of those cases, the URLs were ad-related pages, but 11% of the URLs were malicious and were mostly being used to spread the Shlayer Trojan via infected documents that the user is prompted to download. The Shlayer Trojan places adware on the user’s device. Several of the sites hosted malicious code on the site rather than redirecting the visitor to a different website.

These domains were once genuine websites, but are now being used for malicious purposes, which makes the threat hard to prevent. In some instances, the sites will display different content based on where the user is located and if they are using a VPN to log on the internet. These websites change content frequently, but they are indexed and categorized and if ruled to be malicious they are added to real time block lists (RBLs).

A web filtering solution like WebTitan can add protection from malvertising and redirects to malicious sites. If an attempt is made to send a user to a known malicious website, rather than being linked the user will be directed to a local block page, addressing the threat. WebTitan can also be configured to block downloads of risky file types from these web pages.

Many groups have put in place firewalls to prevent direct attacks by hackers, use antivirus software to block malware, and use an anti-spam solution to block attacks via email, but there is a vulnerability in their security protections and web-based threats are not effectively tackled. WebTitan allows groups to plug that gap and control the websites that can be accessed by staff.

For more information on WebTitan and filtering the internet, contact the TitanHQ.