Week 13: More than just an empty website – the business model that exploits abandoned domains

04.04.2023 - There may be more to an empty website than meets the eye, as shown by a case reported to the NCSC last week. JavaScript on an apparently empty website redirected the visitor to a dubious website, but only if the page had been reached via a search engine or a social media site. Cybercriminals systematically take over abandoned domains, especially those with a trustworthy reputation and thus a good search engine ranking, and deliberately redirect visitors to dubious advertising websites in order to then make money using various tricks.

Predators set their sights on abandoned domains

Many domain owners are familiar with the problem: they own domains that are no longer needed and consider cancelling them because they incur annual fees. However, very few people think about the fact that, after cancellation, anyone can register the domain again and place whatever content they want on it. In the past, the NCSC repeatedly received reports in which former domain owners complained that dubious webshops or websites with adult content were being displayed under their old website's address. The main targets are domains with a modest but, for attackers, still worthwhile audience. They exploit the ranking the original websites acquired in search engines: if a relevant search term is entered, the attackers' newly resurrected website appears in the original site's usual place in the search results, now with the attackers' content.

A number of allegedly fraudulent websites were reported to the NCSC again last week. What was striking here is that all of the domains were registered to the same company, and the initial registration dated back quite some time. There was thus reason to suspect that in this case, too, the websites' reputation was being used to advertise fraudulent products. In actual fact, it quickly transpired that all of the domains had recently changed hands.

Simply an empty website – or something more sinister?

When the dubious website was accessed directly, there was nothing suspicious at first glance, just an empty page. A more in-depth analysis by the NCSC revealed that there was much more behind the page. A look at the source code revealed JavaScript that checks the so-called referrer, i.e. the address of the page from which the visitor followed a link to this site. If the site is reached via a common search engine or a social media site, the victim is redirected to a bogus website. If the site is reached from a domain not listed in the script, or if the address is typed directly into the browser's address bar, the visitor sees nothing but the empty page.

Piece of JavaScript that redirects visitors to the sub-page only when they arrive via search engines or social media sites; the referring sites that trigger the redirect are listed in the script
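The referrer gate described above, as an added example that is not the NCSC's code nor the script found on the reported site: the first part reimplements the gating logic as a pure function so it can be exercised without a browser, the second is a static check that recovers the trigger list and the redirect target from a page's HTML source. The sample page, the domain names in it, the target path and the id value are constructed for this example.

```javascript
// Added example, not code from the NCSC article or from the reported website.
// Domain names, the target path and the id value below are assumptions.

// Constructed sample page that mirrors the described behaviour: visitors arriving
// from the listed search engines and social networks are bounced to a sub-page,
// everyone else gets the empty page.
const SAMPLE_HTML = `<html><body>
<script>
var r = document.referrer;
var src = ["google.", "bing.", "duckduckgo.", "facebook.com", "twitter.com", "t.co"];
for (var i = 0; i < src.length; i++) {
  if (r.indexOf(src[i]) !== -1) { window.location.href = "/go.html?id=4711"; }
}
</script>
</body></html>`;

// Hostname of a referrer URL, or "" for a direct visit / unparsable referrer.
function referrerHost(referrer) {
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return "";
  }
}

// The gate: returns the redirect target if the referrer host contains one of the
// trigger substrings, otherwise null (the visitor just sees the empty page).
function referrerGate(referrer, triggers, target) {
  const host = referrerHost(referrer);
  if (host === "") return null;
  return triggers.some((t) => host.includes(t)) ? target : null;
}

// Static check for a page: does it read document.referrer, where does it send
// the visitor, and which referrer substrings trigger the redirect? The trigger
// list is recovered heuristically from quoted string arrays in the source.
function extractRedirectGate(html) {
  const usesReferrer = /document\.referrer/.test(html);
  const targetMatch = html.match(/location(?:\.href)?\s*=\s*["']([^"']+)["']/);
  const triggers = [];
  for (const arr of html.matchAll(/\[([^\]]*)\]/g)) {
    for (const s of arr[1].matchAll(/["']([^"']+)["']/g)) triggers.push(s[1]);
  }
  return {
    usesReferrer,
    target: targetMatch ? targetMatch[1] : null,
    triggers,
    suspicious: usesReferrer && targetMatch !== null && triggers.length > 0,
  };
}

// Exercise the gate with referrers a visitor might actually arrive with.
function demo() {
  const gate = extractRedirectGate(SAMPLE_HTML);
  const visits = [
    "",                                      // typed into the address bar
    "https://www.google.com/search?q=shop",  // search engine
    "https://www.facebook.com/",             // social network
    "https://example.org/links.html",        // an unlisted site
  ];
  return visits.map((ref) => [ref || "(direct)", referrerGate(ref, gate.triggers, gate.target)]);
}

console.log(extractRedirectGate(SAMPLE_HTML));
console.log(demo());
```

The same gating can be confirmed from outside without reading the source: fetch the page once with no Referer header and once with one, e.g. `curl -e https://www.google.com/ <url>`, and compare the two responses (or watch for a redirect in the browser's network tab after following a search result). A clean response with no Referer is not proof of absence, since such scripts may also key on the User-Agent, cookies or the visitor's IP address.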

Division of labour and "redirection" business model

The bogus website redirects visitors to a website that advertises a shady investment offer. The aim is to bring as many potential victims as possible to the website and trick them into making an "irresistible" investment. The advertising website itself refers to the German-language version of the TV show Dragons' Den (Höhle der Löwen) and claims that the investment method is so good that the broadcaster is not allowed to transmit the show.

Advertisement for dubious investment offers; reference is often made to the German-language version of the TV show Dragons' Den (Höhle der Löwen). The link shows the ID of the website from which the visitor was redirected

The link on the "advertising website" reveals the business model: it carries the ID of the website from which the visitor was redirected. The rogue "advertisers" can thus determine which page generated the click and pay for it accordingly. The current owners of the previously abandoned domain therefore not only recoup the registration fee but also earn as much as possible from the traffic the domain's old reputation still brings in.

The procedure is a perfect example of the division of labour: while one group creates the advertising websites with shady investment offers, others try to generate as many clicks as possible on these websites. The investment fraud itself is then carried out by another group.

Recommendations:

  • Be aware that a defunct domain (the website's registered name) can be registered and potentially used fraudulently by other people.

  • If you want to give up a domain, first check whether it still ranks in search engines for relevant search terms. If you keep the domain registered for a while without any content on it, it will lose its ranking by itself and become unattractive to attackers.

Last modification 04.04.2023


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_13.html