That is what fraudsters are doing, by leeching unwanted domains on auction sites and redirecting visitors to malware-laden content.

When companies stop paying for a domain they have published, the latter is sometimes purchased by a service and then posted for sale on an auction site. Those who attempt to visit the inactive website are then redirected to the auction stub where they see that the domain is currently for sale—or at least they should be.

However, by substituting the stub with something else—such as a malicious link—fraudsters can create a cunning scheme for infecting users or generating profits at the users’ expense. Welcome to the world of recursive malvertising!

While investigating an ‘assistant tool’ for a popular online game, researchers at Kaspersky detected an attempt by the application to transfer them to an unwanted URL. It turned out that this URL had been listed for sale on an auction site. However, rather than redirecting to the correct stub site, this second-stage redirect was transferring users to a blacklisted page.

Further analysis soon uncovered around 1,000 websites put up for sale on various auction platforms and hacked to redirect visitors to undesirable content. At the second stage of redirect, these 1,000 pages transferred users to over 2,500 unwanted URLs. Many of these URLs cause the browser to download the Shlayer Trojan—a widespread MacOS threat that installs adware on the infected devices.

Between March 2019 and February 2020, 89% of these second-stage redirects went to ad-related pages, while 11% are malicious: users were either prompted to install malware or download infected MS Office or PDF documents; or the pages themselves contained malicious code.

It’s all about money

According to experts, the reasoning behind this cunning multi-layered scheme could be of a financial nature: fraudsters receive revenue for driving traffic to pages—both to those that are legitimate advertising pages and those that are malicious. This is what is known as malvertising.

One of the malicious pages uncovered, for example, received 600 redirects on average in just 10 days—most likely the criminals receive a payment based on the number of visits. In the case of Shlayer, those that distribute the malware received a payment for each installation on a device.

It is likely that the scam is the result of flaws in the ad filtering for the module that displays the content of the third-party ad network.

Said Dmitry Kondratyev, Junior Malware Analyst, Kaspersky: “Unfortunately, there is (not much) users can do to avoid being redirected to a malicious page. The domains that have these redirects were—at one point—legitimate resources, perhaps those the users frequently visited in the past. And there is no way of knowing whether or not they are now transferring visitors to pages that download malware.”

Adding to the challenge is: whether or not you land on a malicious site varies. If one day, you access the site from Russia, nothing will happen. However, if you then try to access it with a VPN, you may be sent to a page that downloads the Shlayer trojan. “In general, malvertising schemes like these are complex, making them difficult to fully uncover, so your best defense is to have a comprehensive security solution on your device,” Kondratyev advised.