Security News Nearly 200,000 Parked Domains Used to Show Rogue Ads, Hijack Traffic

Exterminator

Security researchers from Sucuri have uncovered a new method through which some companies with questionable practices are making money by inserting unwanted ads on other sites, or even hijacking their entire traffic.

This tactic revolves around the usage of parked domains, which are Internet domains that are not associated with a current service, but registered for future development, reselling, or registered to protect against cyber-squatting by non-copyright holders.

Chinese company spent millions to buy nearly 200,000 domains
According to Sucuri, a company named China Capital Investment Limited (CCI) has been re-registering expired domains that have a large number of backlinks. Backlink is a term used for when your site's content is embedded and linked from the content of other sites.

Sucuri says that CCI has registered 196,879 domains, which it parked as soon as it registered them. The company has spent nearly $2 million to register the domains and is apparently using a script that looks for backlinks to the parked domains.
If the script detects an image, it replies back with an ad. For example, if you found a cool picture online and decided to embed it in your site using its link (former-site.com/image.png), after the domain expired, the image would stop working.

When CCI buys the former-site.com domain and parks it, its malicious script will continue to answer to the image requests, but instead of the original picture, it would serve an ad.

CCI accused of hijacking a website's entire traffic
The same thing happens with JavaScript files. If, for example, you used a .js file hosted on another site, which in the meantime expired and was acquired by CCI, the former domain would serve malicious JS code that would redirect all of your traffic to the parked domain, where it would show ads, for CCI's own benefit.

Besides making money from hijacking image and JS backlinks via parked domains, CCI is also selling the acquired domains on domain marketplaces, in an attempt to generate as much money as possible from its questionable business model.

While not many people normally link to JS files on other sites, there are quite a lot of bloggers and news sites that embed images on their sites from other sources.

These users are now in the position of unwittingly serving unwanted ads to their users and helping CCI boost its profits. Below is an image showing the type of ads CCI serves via its parked domains.
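Added example (not part of the original post or of Sucuri's research): a small Python audit that lists the images and scripts a page loads from other hosts, which is the dependency the post describes being taken over once a domain expires and is re-registered. The sample page and the hosts `myblog.example`, `widgets.example` and `cdn.example` are constructed; `former-site.com/image.png` is the post's own example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Worst first: a script without SRI lets whoever owns the host run code in your page.
RANK = {"script-no-sri": 0, "image": 1, "script-sri": 2}

class ExternalResourceAudit(HTMLParser):
    """Collect <script src> and <img src> references served by other hosts."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (kind, host, url)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img"):
            return
        attr = dict(attrs)
        src = attr.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        # No host means a relative URL; same host or a subdomain is first-party.
        if not host or host == self.own_host or host.endswith("." + self.own_host):
            return
        if tag == "img":
            kind = "image"  # new owner can swap the picture for an ad
        else:
            # With Subresource Integrity the browser rejects a changed file.
            kind = "script-sri" if attr.get("integrity") else "script-no-sri"
        self.findings.append((kind, host, src))

def audit(html, own_host):
    """Return external references, highest risk first."""
    parser = ExternalResourceAudit(own_host)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings, key=lambda f: (RANK[f[0]], f[1]))

def hosts_to_monitor(findings):
    """Hosts whose registration lapse would change what visitors see or run."""
    return sorted({host for kind, host, _ in findings if kind != "script-sri"})

# Constructed sample page; the integrity value is a placeholder, not a real hash.
SAMPLE_PAGE = """<html><body>
<img src="/img/logo.png">
<img src="http://former-site.com/image.png">
<script src="https://static.myblog.example/app.js"></script>
<script src="//widgets.example/counter.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, host, url in audit(SAMPLE_PAGE, "myblog.example"):
        print(f"{kind:14} {host:18} {url}")
```

Hosting a copy of the file yourself removes the entry from this list altogether, and the hosts returned by `hosts_to_monitor` are the ones worth checking for expired or changed registrations.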
 

jamescv7

Thanks to adblockers since they are highly active to kill contents which may link to malicious content.

Some AVs tend to bypass nor automatic upload for further analysis.
 