Kaspersky's latest investigation reveals that the practice of malvertising has returned to power. Experts have discovered about 1,000 inactive web domains for sale on various auction platforms that redirect users to malicious addresses. When accessing one of the 2,500 URLs, Internet users can infect their equipment with the Shlayer trojan.
Sometimes, web domains are purchased through services and sold at auction when companies stop paying for them. When trying to access a sold page, users are redirected to the auction platform. However, cybercriminals can create a scheme to infect users, or even generate profits at their expense, by replacing code fragments with malicious links.
In analyzing Razor Enhanced, an assistive tool in the popular Ultima Online game, Kaspersky researchers found that the application was trying to redirect users to malicious URLs. The reason? The hyperlink was on sale at an auction site and its code had been infected by cybercriminals.
The analysis found that the vast majority of URLs downloaded the Shlayer trojan, a widespread macOS threat that installs adware on infected devices and is distributed over web pages with malicious content.
In all, between March 2019 and February 2020, 89% of redirects were made to pages related to advertising. J 11% were malware: the pages themselves contained malicious code, or asked users to install software that, after all, was not as benign as it seemed, or to download infected MS Office or PDF documents.
Kaspersky explains that the reasons behind the scheme may be of financial origin, since hackers profit from driving traffic to pages. For example, one of the discovered pages received, on average, 600 redirects in 10 days, and it is likely that criminals will receive a payment based on the number of visits generated.
In the case of the Shlayer trojan, the hackers who distribute it received a payment for each installation on a device. Researchers estimate that the scheme is still the result of a failure to filter the module's ad that displays the content of the third-party ad network.
It is true that the risk of infection by Trojans can be reduced by installing programs and updates only from trusted sources and by resorting to reliable security solutions, however, Dmitry Kondratyev, Kaspersky's junior malware analyst, says that users can do too little to not be redirected to a malicious page.
The analyst indicates that there is no way of knowing whether domains that have this type of redirection are transferring visitors to pages that download malware. The access to a malicious website itself can vary: for example, if one day, this access is made in Russia, nothing happens. However, if you later try to access the same site with a VPN, you can be sent to a page that downloads the Shlayer trojan.