Security researchers from Kaspersky found that cybercriminals are using thousands of inactive domains to redirect users to malicious URLs. According to Kaspersky, cybercriminals kept 1,000 inactive websites for sale on auction platforms, which redirected visitors to over 2500 malicious URLs. The URLs were designed to automatically download the “Shlayer Trojan,” malware that tries to steal information from macOS computers. Between March 2019 and February 2020, 89% of these unwanted domains redirected users to ad-related pages and 11% redirected to malicious sites that contained a malicious script.
“We noticed that from time to time visitors who initially went to the now inactive website of the app developer did not land on the auction stub, but on a malicious resource. Next, we learned that the stub site redirects visitors not to a specific resource, but to different websites, including ones on partner networks. The type of redirect can vary depending on the country and user agent: When accessing from a macOS device, the victim might land on a page that downloads the Shlayer Trojan,” the researchers said.
“We checked the list of addresses from which Shlayer was downloaded and found that the vast majority of domain names had been put up for auction on the same trading platform. Then we decided to check the requests to the resource that Razor Enhanced users got redirected to, and found that around 100 other stubs on this trading platform sent their visitors to the same address. During the study, we found about 1,000 of these pages in total, but the real figure is probably much higher,” the researchers added. While the attackers behind this malicious campaign are unknown, the researchers said that it could be the work of a well-organized network operating for financial gain.
Risks with Malicious URLs
Opening malicious links or downloading malicious attachments could result in severe security issues. Research from security firm NetMotion revealed that cyberthreats soared as remote workers visited risky websites outside of corporate networks. The analysis found that remote employees clicked on 76,440 links that redirected them to malicious websites. NetMotion said that it collected a sample of network traffic data to find users who accessed blocked URLs or risky content. All of these sites were visited on office laptops by employees working from home over home or public Wi-Fi or a data network.