Many different methods are used by attackers to trick users and generate sources of revenue. In this case, they are leveraging the use of .tk domains. In this campaign, domains are being created that lead to multiple different sites that include fake foreign exchange, credit card, tech support, and healthcare pages. Malicious scripts were injected into over 700 sites linked to the IPs 185.251.39[.]220 and 185.251.39[.]181. Examples of these include an instance of domain squatting where the domain gmil[.]com was used to mirror Gmail in a Tech Support Scam effort. PopCash, an advertising network was also used to redirect users to adult pages and phony medical sites while portraying CNN. These campaigns that register domains with .tk, .ga, .gq, .ml, and .cf are being seen more frequently because they are cheap and while many can be identified as fake quickly, other are crafted very well and it is hard to differentiate between real and fake pages.
Analyst Notes
It is recommended that users take advantage of Malwarebytes browser extension which is a free system that can warn users of suspicious activity. If these sites are still visited after a Malwarebytes alert is received it is heavily advised to be careful of the activity that is carried out on the page.
