Scammers use .tk domains to create fake tech support, airline and medicine sites

  • Illicit actors are using .tk domains to create fake sites and generate revenue.
  • Over 700 .tk domains are hosted on the IP address 185.251.39[.]220 and more than 80 on 185.251.39[.]181.

Researchers have found a new scam campaign that leverages .tk domains. Bad actors are using these domains to create fake sites and generate revenue.

What's the matter - According to Zscaler, scammers are creating and registering fake domains in an attempt to defraud people and generate revenue. Unlike the previous year, when the scammers used fake domains to run tech support scams, the latest campaign redirects victims to a variety of fake websites.

This includes fake foreign exchange (forex), credit card and healthcare websites. All of these domains end with the .tk extension. More than 700 .tk domains are hosted on the IP address 185.251.39[.]220 and more than 80 on 185.251.39[.]181. These sites are injected with malicious scripts that drive the redirection chain.

Different instances of fake websites - Researchers came across three different instances where scammers leveraged the pool of fake websites. In one instance, domain squatting was used to register the domain gmil[.]com, which looks similar to Google Mail; scammers used the site to run a tech support scam.

“The page microsft0x8024f0059rus[.]ml is hosted on 216.10.249[.]196, which is hosting over 400 .ga, .cf, .gq, .ml, and .tk domains; all are involved in Microsoft tech support scam activity,” wrote Zscaler researchers.

In another instance, PopCash, a leading advertising network, was used to redirect users to fake adult-themed sites and a fake medicine site claiming to be CNN. Researchers also spotted a host of fake airline sites hosted on the IP address 103.25.128[.]224. These bogus sites used identical templates, contact numbers, and Google gtags.
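Defenders can turn the two observations above (free-TLD domains resolving to the named hosting IPs, and sites sharing a template, contact number and Google gtag) into a simple triage step. The following is an added example, not code from Zscaler or the article; the domains, gtag IDs and phone numbers in the sample records are constructed, while the IP addresses are the ones the article names.

```python
# Added example: flag DNS/proxy records for free-TLD domains on the hosting IPs named in
# the article, and cluster sites that share a template fingerprint (gtag ID or phone number).
from collections import defaultdict

FREE_TLDS = {"tk", "ga", "gq", "ml", "cf"}
# IPs quoted in the article, without defanging brackets so they match real log data.
KNOWN_HOSTING_IPS = {"185.251.39.220", "185.251.39.181", "216.10.249.196", "103.25.128.224"}

def refang(value):
    """Turn a defanged indicator such as 185.251.39[.]220 into a matchable string."""
    return value.replace("[.]", ".")

def score_record(rec):
    """Return the reasons a record looks like part of the campaign (empty list = clean)."""
    reasons = []
    if rec["domain"].rsplit(".", 1)[-1].lower() in FREE_TLDS:
        reasons.append("free-tld")
    if refang(rec["ip"]) in KNOWN_HOSTING_IPS:
        reasons.append("known-hosting-ip")
    return reasons

def cluster_by_fingerprint(records):
    """Group domains sharing a gtag ID or contact number: the identical-template pivot."""
    clusters = defaultdict(set)
    for rec in records:
        for key in ("gtag", "phone"):
            if rec.get(key):
                clusters[(key, rec[key])].add(rec["domain"])
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}

# Constructed sample records: hypothetical domains, made-up gtag IDs, reserved 555 numbers.
SAMPLE_RECORDS = [
    {"domain": "cheap-flights-deal.tk", "ip": "103.25.128.224", "gtag": "G-EXAMPLE01", "phone": "+1-555-0100"},
    {"domain": "budget-air-tickets.tk", "ip": "103.25.128.224", "gtag": "G-EXAMPLE01", "phone": "+1-555-0100"},
    {"domain": "forex-bonus-offer.tk", "ip": "185.251.39[.]220", "gtag": None, "phone": None},
    {"domain": "intranet.example.com", "ip": "192.0.2.10", "gtag": "G-EXAMPLE02", "phone": None},
]

def analyse(records):
    """Return (flagged domains -> reasons, fingerprint clusters) for a batch of records."""
    flagged = {r["domain"]: score_record(r) for r in records if score_record(r)}
    return flagged, cluster_by_fingerprint(records)

if __name__ == "__main__":
    flagged, clusters = analyse(SAMPLE_RECORDS)
    for domain, reasons in flagged.items():
        print(f"{domain}: {', '.join(reasons)}")
    for (kind, value), domains in clusters.items():
        print(f"shared {kind} {value}: {domains}")
```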

The bottom line - Scam campaigns that use domains such as .tk, .ga, .gq, .ml, .cf, and others have been on the rise in recent years. This is possible because registering such domains is very inexpensive. Security experts note that while some of these sites are poorly designed, others are sophisticated and look very similar to the real brand.