Scammers use .tk domains to create fake tech support, airline and medicine sites

silversurfer (Thread author)
A new scam campaign has been found by researchers that leverages the use of .tk domains. Bad actors are using the domains to create fake sites and generate revenue.

What’s the matter - According to Zscaler, scammers are creating and registering fake domains in an attempt to scam people and generate revenue. Unlike the previous year, when the scammers used fake domains to conduct tech support scams, the latest scam campaign redirects victims to a variety of fake websites.

This includes fake foreign exchange (forex), credit card and healthcare websites. All these domains end with the .tk extension. There are more than 700 and 80 .tk domains hosted on the IP addresses 185.251.39[.]220 and 185.251.39[.]181, respectively. These sites are injected with malicious scripts responsible for malicious redirection chaining.

Different instances of fake websites - Researchers came across three different instances where scammers leveraged the pool of fake websites. In one instance, domain squatting was used to register a domain gmil[.]com - which looks similar to Google Mail. Scammers leveraged the site to conduct a Tech Support Scam.

“The page microsft0x8024f0059rus[.]ml is hosted on 216.10.249[.]196, which is hosting over 400 .ga, .cf, .gq, .ml, and .tk domains; all are involved in Microsoft tech support scam activity,” wrote Zscaler researchers.

In another instance, PopCash, a leading advertising network was used to redirect users to fake adult-themed sites and a fake medicine site claiming to be CNN. Researchers also spotted a host of fake airline sites hosted on the IP address 103.25.128[.]224. These bogus sites used identical templates, contact numbers, and Google gtags.

The bottom line - Scam campaigns that use domains such as .tk, .ga, .gq, .ml, .cf, and others have been on the rise over the past years. This is possible because registering such domains is very inexpensive. Security experts note that while some of these sites are poorly designed, others are sophisticated and look very similar to the real brand.
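The post above describes three signals a defender can look for in a list of observed hostnames: a free ccTLD (.tk, .ga, .gq, .ml, .cf), a look-alike label such as gmil[.]com or microsft…, and many hosts packed onto one IP address. The script below is an added example written for this thread, not code from the original post or from Zscaler. The sample records are constructed: the two IPs and the two look-alike domains are taken from the thread, the other hostnames and the 203.0.113.x / 198.51.100.x addresses are made up (TEST-NET ranges), and the shared-IP threshold of 3 is an assumption.

```python
"""Triage a list of (hostname, hosting_ip) records for the scam patterns
described in the thread. Added example; inputs are constructed."""
from collections import defaultdict

# Free/low-cost ccTLDs named in the thread; a "brand" site on one of these is a red flag on its own.
FREE_TLDS = {"tk", "ga", "gq", "ml", "cf"}

# Brands to compare against for look-alike (typosquat) detection. Constructed list, tuple for stable order.
BRANDS = ("gmail", "microsoft")

# Assumed threshold: this many hosts on one IP in the input is treated as a hosting cluster.
SHARED_IP_THRESHOLD = 3


def tld(host):
    """Last DNS label, lower-cased ('gmil.com' -> 'com')."""
    return host.rsplit(".", 1)[-1].lower()


def second_level(host):
    """Label left of the TLD ('login.gmail.com' -> 'gmail')."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the brand the second-level label imitates, or None.

    A label is a look-alike when some window of it (brand length +/- 1) is within
    edit distance 1 of a brand name. The genuine label itself is not a look-alike.
    """
    label = second_level(host)
    for brand in BRANDS:
        if label == brand:
            return None
        for width in (len(brand) - 1, len(brand), len(brand) + 1):
            for start in range(max(1, len(label) - width + 1)):
                window = label[start:start + width]
                if window and edit_distance(window, brand) <= 1:
                    return brand
    return None


def triage(records):
    """records: iterable of (hostname, hosting_ip). Returns [(host, [reasons...])] for flagged hosts."""
    records = list(records)
    by_ip = defaultdict(set)
    for host, ip in records:
        by_ip[ip].add(host)

    findings = []
    for host, ip in records:
        reasons = []
        if tld(host) in FREE_TLDS:
            reasons.append(f"free TLD .{tld(host)}")
        brand = lookalike_brand(host)
        if brand:
            reasons.append(f"label imitates {brand}")
        if len(by_ip[ip]) >= SHARED_IP_THRESHOLD:
            reasons.append(f"shares {ip} with {len(by_ip[ip]) - 1} other hosts in the input")
        if reasons:
            findings.append((host, reasons))
    return findings


# Constructed sample input; IPs are kept defanged ([.]) as in the thread and are only grouping keys.
SAMPLE_RECORDS = [
    ("gmil.com", "203.0.113[.]10"),                      # look-alike from the thread, IP constructed
    ("microsft0x8024f0059rus.ml", "216.10.249[.]196"),   # domain and IP from the thread
    ("forex-bonus-offer.tk", "185.251.39[.]220"),        # constructed names on the thread's IP
    ("cheap-pills-today.tk", "185.251.39[.]220"),
    ("card-rewards-now.tk", "185.251.39[.]220"),
    ("example.com", "198.51.100[.]7"),                   # benign control, should not be flagged
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_RECORDS):
        print(f"{host}: {'; '.join(reasons)}")
```

Run it on a real export (for example, hostnames and resolved IPs from a proxy log) by replacing SAMPLE_RECORDS; the brand list and the shared-IP threshold are the two knobs to tune for your environment.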
 

JM Safe
“The page microsft0x8024f0059rus[.]ml is hosted on 216.10.249[.]196, which is hosting over 400 .ga, .cf, .gq, .ml, and .tk domains; all are involved in Microsoft tech support scam activity,” wrote Zscaler researchers.

"microsft" is enough to understand that it is a fake Microsoft site, stay away from it! :)

Security experts note that while some of these sites are poorly designed, others are sophisticated and look very similar to the real brand.
That is bad; beginners who don't have much experience can be easily deceived. It's always important to properly check the website we are visiting, with services like VirusTotal, and then decide whether this website is legit or not. To be more sure about a certain website and see whether it is legit, sometimes it should be enough to look at the certificate details of the site through the browser (to do that, if we are not sure, simply visit the link with a VM and VPN and all security measures).

Another important way to avoid landing on those types of sites is simply to search directly for the site we want to visit and click on the first results; this can prevent visiting fake websites. And always bookmark important pages to avoid landing on fake sites.