
Threat actors use .tk redirects as front for new PushKa notification scam

  • Cybercriminals behind this campaign rely on a combination of site redirects and push notifications to send spam ads to victims.
  • Disposable .info domains are used extensively in order to carry out this scam.

Security researchers from Sucuri have uncovered a new browser notification scam that has been making the rounds online lately. In the campaign, dubbed ‘PushKa’, the actors relied on .tk redirects and used browser push notifications to entice users. The scam is said to be one of a number of traffic monetization schemes that attackers have adopted over the past few years.

Worth noting

  • Sucuri researchers analyzed one of the landing pages from the campaign and found that it used a long chain of website redirects.
  • These redirects would ultimately lead to a fake reCAPTCHA page or a false news site with spam ads or a combination of both.
  • The fake reCAPTCHA page contains an “Allow” button which, when clicked, allows spammers to send push notifications to victims regardless of whether they visit the same site or not.
  • The malicious sites use a library called PushKaWrapper in order to work with push notifications.
  • It is reported that this scam campaign has been active since last year.
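
An added triage example (not code from Sucuri or from this article) that checks a recorded redirect chain and its landing page against the traits listed above. The function names, the four-host threshold, the sample URLs and the sample HTML (including the script file name) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Signals named in the article: .tk redirect hops, disposable .info domains,
# the PushKaWrapper library. The API names are the standard browser calls
# a page must make to obtain a push subscription.
PUSH_API = re.compile(r"Notification\.requestPermission|pushManager\.subscribe")
LIBRARY = re.compile(r"PushKaWrapper")
CAPTCHA_LURE = re.compile(r"captcha|not a robot", re.IGNORECASE)
LONG_CHAIN_HOSTS = 4  # assumed threshold for "a long chain of redirects"

def tld(url):
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()

def triage(chain, landing_html):
    """chain: ordered URLs from first request to final landing page."""
    findings = []
    if any(tld(u) == "tk" for u in chain[:-1]):
        findings.append("tk_redirect_hop")
    if len({urlsplit(u).hostname for u in chain}) >= LONG_CHAIN_HOSTS:
        findings.append("long_cross_domain_chain")
    if tld(chain[-1]) == "info":
        findings.append("info_landing_domain")
    if LIBRARY.search(landing_html):
        findings.append("pushkawrapper_reference")
    # A permission prompt alone is normal; paired with a CAPTCHA lure it is not.
    if PUSH_API.search(landing_html) and CAPTCHA_LURE.search(landing_html):
        findings.append("push_prompt_behind_captcha_lure")
    return findings

# Constructed sample data, not real indicators from the campaign.
SAMPLE_CHAIN = [
    "http://compromised-blog.example/post",
    "http://constructed-hop-one.tk/r?id=1",
    "http://constructed-hop-two.tk/go",
    "http://constructed-landing.info/verify",
]
SAMPLE_HTML = """
<script src="/js/PushKaWrapper.js"></script>
<p>Click Allow to confirm you are not a robot</p>
<script>Notification.requestPermission()</script>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_CHAIN, SAMPLE_HTML):
        print(finding)
```

Each finding is a weak signal on its own; the chain and page content together are what match the pattern described here.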

Making money from spam traffic

The PushKa campaign is an example of how attackers diversify their methods to gain the maximum from traffic monetization through malicious sites.

“With push notification schemes like the one seen above, bad actors likely expect that a fraction of users will subscribe and get constantly spammed with browser notifications indefinitely, or until they figure out how to unsubscribe. As a result, they can expect more click-throughs for every visitor who is redirected from a compromised website,” Denis Sinegubko of Sucuri said.
