Parked domains, which act as aliases and redirect to other websites, can send visitors to malicious or unwanted landing pages or turn entirely malicious at any point in time – as evidenced by a recent Emotet campaign, a separate effort abusing Comcast and McAfee brands, and an election-themed attack.
Researchers at Palo Alto Networks in an analysis on Thursday noted that domain-parking usually happens in the service of advertising. If someone is searching for “Bread Depot,” (a fictitious example, by the way), the person may end up on Bread Depot.net instead of the official BreadDepot.com, because it popped up in the search results. And if BreadDepot.net is a parked domain that was created in hopes of people making that mistake, it could redirect visitors to a page full of ads in order to drive impressions.
“Parking services either show users a list of ads (and get paid based on the number of user clicks on these ads) or redirect users automatically to the advertisers’ webpages (and get paid based on the number of user visits),” according to Palo Alto Networks. “Often, the parking services and the advertisement networks do not have the means or willingness to filter abusive advertisers (i.e. attackers). Therefore, users are exposed to various threats, such as malware distribution, potentially unwanted program (PUP) distribution and phishing scams. In our experience, we most frequently observe the distribution of grayware.”
That’s shady enough, but sometimes, parked domains are crafted to be malicious from the get-go.
As an example, Palo Alto Networks laid out a domain-parking campaign that was used as part of a global Emotet initiative. Emotet is a trojan that acts as a first-stage malware, capable of fetching and downloading a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.
In this campaign, a domain called valleymedicalandsurgicalclinic[.]com, which is no longer active, redirected visitors to a malicious page that delivered Emotet. The domain was one of many being used around the world, researchers said, serving up attacks against organizations in various industries (such as education, government, energy, manufacturing, construction and telecommunications), including in France, Italy, Japan, Korea, the U.K. and the U.S.
As mentioned, parked domains usually host or redirect to lists of ads. Such is the case with the still-active domain peoplesvote[.]uk, which claims to be related to the U.S. presidential election. While visiting peoplesvote[.]uk, users are presented with an ad-listing page most of the time. Randomly however, some visitors are sent to a page that hosted an exploit-kit script, before being redirected again to a survey website asking about users’ voting preference between Joe Biden or Donald Trump.
“The exploit-kit script hosted on 0redira[.]com/jr.php fingerprints the browser silently to track users’ web activity and hides the landing URLs to prevent security companies and researchers from analyzing and blocking them,” according to Palo Alto Networks’ analysis, released Thursday.
In yet another case, a still-active typoquatted domain, xifinity[.]com, closely mimics the spelling of Comcast’s xfinity.com website for residential cable customers. When users attempt to visit the real (and highly trafficked) Xfinity website, but accidentally mistype an additional “i,” they’ll be redirected to a suspicious landing page that purports to be owned by McAfee. That page, antivirus-protection[.]com-123[.]xyz, is also still active.
“The landing page tries to fool users into believing that their machine is infected and that their McAfee subscription has expired,” explained the researchers. “Clicking on the ‘Proceed’ button will redirect users to a legitimate McAfee download page offering an antivirus subscription. We believe that attackers are abusing McAfee’s affiliate program to steal ad revenue.”
In looking further into the volume of parked domains out on the web, Palo Alto Networks found that 27,000 newly parked domains are on average identified daily. Overall, the firm has identified 5 million newly parked domains in the past six months.
In the same time frame, the firm observed that 6 million parked domains have transitioned in terms of their classification. For instance, 1 percent were flagged as being malicious (known to host phishing or malware campaigns) after being classified as benign; almost 3 percent changed to not-safe-for-work categories (such as adult or gambling); and 31 percent were changed to being deemed “suspicious.”
Researchers noted that security best practice for enterprises is to keep close track of parked domains, while consumers should make sure that they type domain names correctly and double-check that the domain owners are trusted before entering any site.
Hacker’s Put Bullseye on Healthcare: On Nov. 18 at 2 PM EDT find out why Hospital are getting hammered by ransomware attacks in 2020. Save Your Spot for this FREE webinar on “Healthcare Cybersecurity Priorities” and hear from security leading voices on how Data Security, Ransomware and Patching need to be a priority for Every Sector and why. Join us Wed, Nov. 18, 2-3 PM EDT for this LIVE limited engagement webinar.