Tiny Island Atoll’s Domain Used in Widespread Ad Fraud

A scam campaign involving “.tk” domains has been active since at least May 2018, redirecting unsuspecting users to fake blogger sites that are collectively bringing in close to $22,000 per month in advertising revenue.

The same actors have also been spotted running a tech-support scam in tandem, also using .tk domains.

The .tk suffix is a country-code top-level domain (ccTLD), the kind that is meant to stand for a country, like .ca (Canada) or .fr (France). In this case it represents Tokelau, a tiny Pacific island territory of New Zealand with a landmass of about four square miles and roughly 1,300 inhabitants. It’s not a place you would expect to be hosting a massive ad fraud campaign.

However, .tk domains are not just cheap, they’re free, which makes them very attractive to anyone, anywhere, who wants to stand up web-attack infrastructure quickly without caring about URL branding. Researchers at Zscaler in July found a network of thousands of .tk sites built to do just that.

The campaign first came to light when the team discovered a series of legitimate websites that had been compromised with redirection code. “Some of the compromised sites have plain-text injected redirection code, and many of them have packed and obfuscated injected redirection code,” the researchers noted in an analysis last Friday. Interestingly, on some of the sites the injected code does not redirect on every page load; it generates a random number and redirects only when that number is 3, so the redirect fires on just a fraction of visits.

In all of these cases, they push visitors to web URLs with .tk suffixes, which then send them to either purported “blogger sites” or, in a variation on the theme, one of several fake tech-support sites that claim to remove viruses and urge visitors to call a number for help.

In all, 3,804 unique .tk domains implicated in the campaign have been found, some established as far back as May.

Estimated traffic and ad revenue for one of the scam sites.

For the blogger-site gambit, the redirection URL changes each time, rotating between 72 fake blogging content sites with garbage site names like “braceletstartop”, “din9” or “jessica1”, all tied to the same IP address (162.244.35[.]55). Their sole purpose is showing ads, and Zscaler estimated that at an average of $300 per month for each of the 72 sites, total revenue could reach $21,600 per month. Traffic to these sites, the firm found, is increasing daily.

In other cases, the .tk campaign URL redirects to fake tech support websites displaying alert messages that ask users to call a given number for technical assistance. These scam URLs also all use nonsense nomenclature, like “wizenedrusty” and “savoirplaisir”.
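The chain described above, compromised site to .tk hop to scam landing page, leaves a recognizable trail in web-proxy logs, because each hop carries the previous URL as its Referer. The script below is an added example written for this article, not Zscaler’s code or anything from the campaign itself: it parses constructed proxy log lines (client IP, requested URL, Referer), traces requests whose Referer is a .tk URL back to the page that launched them, and lists the origin sites that should be inspected for injected redirect code. All hostnames are made up for the example; the bare labels “braceletstartop” and “wizenedrusty” are borrowed from the article, but the full domains are placeholders.

```python
"""Trace .tk redirect chains in web-proxy logs (added example, not Zscaler's code).

Each constructed log line has three fields: client IP, requested URL,
Referer (or "-" when absent). Hostnames are invented for the example.
"""
from urllib.parse import urlparse

# Constructed sample log. The .tk hostnames and the .example landing
# domains are placeholders; they are not indicators from the real campaign.
SAMPLE_LOG = """\
10.0.0.5 http://recipes-example.test/index.html -
10.0.0.5 http://wqkdl29.tk/go?id=3 http://recipes-example.test/index.html
10.0.0.5 http://braceletstartop.example/ http://wqkdl29.tk/go?id=3
10.0.0.7 http://news-example.test/story -
10.0.0.7 http://news-example.test/css/site.css http://news-example.test/story
10.0.0.9 http://forum-example.test/thread/12 -
10.0.0.9 http://zzpl01.tk/r http://forum-example.test/thread/12
10.0.0.9 http://wizenedrusty.example/alert.html http://zzpl01.tk/r
10.0.0.11 http://recipes-example.test/index.html -
"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_tk(host):
    """True for hosts under the Tokelau ccTLD, checked at a label boundary."""
    return host == "tk" or host.endswith(".tk")


def parse_log(text):
    """Return (client, url, referer) tuples; referer is None for '-'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line, skip it
        client, url, referer = parts
        records.append((client, url, None if referer == "-" else referer))
    return records


def find_tk_chains(text):
    """Return one dict per request whose Referer is a .tk URL.

    The .tk hop's own Referer (looked up by client and exact URL) names
    the compromised site whose injected code started the redirect.
    """
    records = parse_log(text)
    referer_of = {(client, url): ref for client, url, ref in records}
    chains = []
    for client, url, referer in records:
        if referer is None or not is_tk(host_of(referer)):
            continue
        origin = referer_of.get((client, referer))
        chains.append({
            "client": client,
            "origin_host": host_of(origin) if origin else None,
            "tk_host": host_of(referer),
            "landing_host": host_of(url),
        })
    return chains


def compromised_sites(text):
    """Sorted hosts that sent at least one visitor into a .tk hop."""
    return sorted({c["origin_host"] for c in find_tk_chains(text) if c["origin_host"]})


if __name__ == "__main__":
    for chain in find_tk_chains(SAMPLE_LOG):
        print("{client}: {origin_host} -> {tk_host} -> {landing_host}".format(**chain))
    print("sites to inspect for injected redirect code:", compromised_sites(SAMPLE_LOG))
```

Two things follow from the article’s description. First, because the injected code on some sites redirects only when a random number comes up 3, a single test visit to a suspected site may show nothing; the constructed client 10.0.0.11 above hits the same compromised page as 10.0.0.5 and is never redirected, so the evidence has to be gathered across many visits rather than one. Second, the .tk hop and the landing site change between visits, so the stable pivot for cleanup is the origin host, which is where the injected redirect code actually lives.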

Zscaler researchers said that traffic to the scam sites is steadily increasing, and the activity, as pervasive and growing as it seems to be, could be just the tip of the atoll, so to speak, for the malefactors behind the scams.

“Over the last three months, this campaign has largely been redirecting users to fake blogger sites and tech-support scam sites, but it’s reasonable to assume that in the future, the campaign may start redirecting to phishing sites, exploit kit gates or any malicious site that can generate revenue in one way or another,” the team noted.

This seems a fair conclusion, because there is precedent: in July, the sprawling Master134 malvertising campaign came to light, involving at least 10,000 compromised websites and driving legions of web visitors around the world to exploit kits.

“Unfortunately, lack of transparency in the digital supply chain combined with the millions of internet users at the receiving end of digital ads have turned traffic fraud into a lucrative multi-billion dollar business and, therefore, entice crime and corruption,” said Chris Olson, CEO of the Media Trust, via email. “To combat traffic fraud, all digital players should police their digital partners and the code those partners execute in their digital ecosystem; ensure partners are adequately secure from malicious attacks; and continuously scan their digital ecosystems in real-time to identify and, when needed, terminate unauthorized code.”