We classified the collected websites into 3 categories based on how a website acts when the user lands the page.
We observed these websites have been hosted statically without any redirection scripts or iframe embedded. All hyperlinks in the content were redirected to the URI /ping?s=[code] and via multiple sites to the eventual website, Bitcoin Future.
Type 2 websites appeared to be hacked websites with implemented maladvertising content or website. We observed that, except one, all type 2 websites were hosted with WordPress, an open-source PHP CMS system. This result raised our suspicions that these websites suffered vulnerable plugins that allowed hackers to exploit the WordPress system and to implement maladvertising page or to fully compromise the hosting server hosting the page. We do not know which plugin vulnerable or what vulnerability was being used as the exploitation entry as we do not have the authorization to scan or probe into the information. The following chart shows the percentage of type 2 websites using WordPress.
Unlike type 1 websites, all hyperlinks were redirected to another domain with the URI /click.php?lp=[number]. We believe these hyperlinks did not work in the same way as those in type 1 websites because hackers might not want to host the redirection page at a compromised website.
Type 3 websites also appeared to be hacked websites, however, they were without the maladvertising content. The content of these websites on first glance appeared to be unrelated to any cryptocurrency investment, or any copied contents from different other websites or web hosting server. Part of the collected data in type 3 is likely to have used a WordPress system. The following chart shows the percentage of type 3 websites using WordPress.
Similar to the limitations in type 2 websites, we cannot identify whether it is being exploited via WordPress vulnerabilities. We also cannot determine whether these type 3 websites had hidden malicious scripts running behind the static page to redirect specific users to another website or collect data from users.
Type 1 of websites use uncommon and new domain Top-Level Domain (TLD), .club and .info. These domains showed an interesting fact that the period between the registration date and last updated date pointed to planned action. A few of the domains were updated after 5 days of registration date and others appear to be after months but on the same day of the month. We suspect that these domains have been registered by hackers and remained to be updated for a lengthy time frame which acted as a “cooling down” period to avoid suspicious domain check by cybersecurity companies.
The domains in type 2 websites were registered for a longer period, and likely to have no fix pattern of cooling down period as it is found in type 1. All type 2 websites appeared to be hacked or compromised for spreading the maladvertising content.
3 of the 6 domains in type 3 websites were newly registered and within a cooling down period. Others appeared to be a compromised website and served copied contents. We are of the opinion that there are 2 possible outcome for these websites, 1) these websites have been compromised and are waiting out the observation period to ensure the webmaster doesn’t know the website has compromised, or 2) waiting out the cooling down period to avoid falling into the criteria being a suspicious newly created domain. Given the waiting required for these to happen, we do not have evidence to prove these suspects.
We observed that all hyperlinks in the maladvertising content have been redirecting to the same eventual landing page, Bitcoin Future.
Hyperlinks in type 1 websites were found to be redirected to the URI /ping?s=[code] under the same domain, then again redirecting to multiple websites. Before landing to the final landing page, we observed that the redirection must go via 2 websites, the first is https://track[.]trc10[.]com/tracker?c=[code] and the second is http://klikna[.]com/g3EFWc5k?c=[code]. The following screenshot shows the redirection flow of one sample.
We did not investigate these 2 websites as it is not part of the scope of our research. However, the redirection flow proves that these collected websites are involved in the same maladvertising campaign.
Hyperlinks in type 2 websites appear to be redirected to another domain with URI /click.php?lp=[number]. This page acted exactly the same as the hyperlinks in type 1, redirecting via multiple websites to the final landing site.
More articles about Maladvertisment campaign: