Attackers use many different methods to trick users and generate revenue; in this case they are abusing .tk domains. In this campaign, newly registered domains lead to a variety of fraudulent pages, including fake foreign exchange, credit card, tech support, and healthcare sites. Malicious scripts were injected into over 700 sites linked to the IPs 185.251.39[.]220 and 185.251.39[.]181. Examples include a typosquatting case in which the domain gmil[.]com was used to mirror Gmail in a tech support scam, and the abuse of the PopCash advertising network to redirect users to adult pages and phony medical sites while posing as CNN. Campaigns that register domains under .tk, .ga, .gq, .ml, and .cf are being seen more frequently because these TLDs are cheap to register; while many of the resulting pages can be identified as fake quickly, others are crafted well enough that it is hard to distinguish them from the real ones.
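As an added example (not code from the original post or from Binary Defense), the script below turns the indicators above into a small triage pass over web-proxy logs: it flags hosts under the five free ccTLDs named in the campaign, hosts whose second-level label is a one-character edit or a keyword match against a short brand list (gmail.com and cnn.com, the two brands the campaign impersonated), and connections to the two campaign IPs. The log line format and the client/destination IPs are constructed for the example, the brand list is an assumption, and the IOC IPs are the page's defanged values written in plain form so they can be matched.

```python
import re
from dataclasses import dataclass

# Indicators taken from the campaign description (IPs re-fanged for matching).
FREE_TLDS = {"tk", "ga", "gq", "ml", "cf"}
IOC_IPS = {"185.251.39.220", "185.251.39.181"}
# Assumed brand watch list: the two brands the campaign is reported to impersonate.
PROTECTED_BRANDS = sorted({"gmail.com", "cnn.com"})

# Constructed sample proxy log lines (format is hypothetical; client and
# non-IOC destination IPs come from documentation ranges).
SAMPLE_LOGS = """\
2023-02-03T10:15:01Z client=10.0.0.5 host=gmil.com dst=185.251.39.220
2023-02-03T10:15:07Z client=10.0.0.7 host=www.gmail.com dst=203.0.113.10
2023-02-03T10:16:12Z client=10.0.0.9 host=cheap-forex-signals.tk dst=185.251.39.181
2023-02-03T10:17:45Z client=10.0.0.5 host=news.example.org dst=198.51.100.8
2023-02-03T10:18:03Z client=10.0.0.7 host=cnn-breaking.ga dst=192.0.2.44
"""

LOG_RE = re.compile(r"host=(?P<host>\S+)\s+dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Finding:
    domain: str
    ip: str
    reasons: list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer); inputs are short DNS labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels. Adequate for the TLDs in this
    example; a production version should consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def typosquat_of(host: str, brands=PROTECTED_BRANDS, max_dist: int = 1):
    """Return the brand a host imitates, or None. Two tests on the second-level
    label: a small edit distance (gmil -> gmail) or the brand label appearing as
    a hyphen/digit-separated token (cnn-breaking). Exact brand domains pass."""
    reg = registrable_domain(host)
    if reg in brands:
        return None
    sld = reg.split(".")[0]
    tokens = set(re.split(r"[-0-9]+", sld))
    for brand in brands:
        brand_label = brand.split(".")[0]
        if edit_distance(sld, brand_label) <= max_dist or brand_label in tokens:
            return brand
    return None


def triage(log_text: str) -> list:
    """Run all three checks over each log line and collect hits with reasons."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, ip = m["host"], m["ip"]
        reasons = []
        tld = host.lower().rstrip(".").rsplit(".", 1)[-1]
        if tld in FREE_TLDS:
            reasons.append(f"free ccTLD .{tld}")
        brand = typosquat_of(host)
        if brand:
            reasons.append(f"lookalike of {brand}")
        if ip in IOC_IPS:
            reasons.append(f"known campaign IP {ip}")
        if reasons:
            findings.append(Finding(host, ip, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.domain:28} {f.ip:16} {'; '.join(f.reasons)}")
```

On the constructed sample the script reports gmil.com (lookalike plus campaign IP), cheap-forex-signals.tk (free ccTLD plus campaign IP) and cnn-breaking.ga (free ccTLD plus brand keyword), and ignores the real www.gmail.com. A brand name placed directly under one of the free TLDs (for example gmail.tk) trips both the TLD and the lookalike check, which is the combination the campaign relies on; the free-TLD test alone is a weak signal and should be weighted, not blocked on, since legitimate sites exist under those TLDs too.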
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased