We classified the collected websites into 3 categories based on how a website acts when the user lands the page.
Content
We observed these websites have been hosted statically without any redirection scripts or iframe embedded. All hyperlinks in the content were redirected to the URI /ping?s= and via multiple sites to the eventual website, Bitcoin Future.
Type 2 websites appeared to be hacked websites with implemented maladvertising content or website. We observed that, except one, all type 2 websites were hosted with WordPress, an open-source PHP CMS system. This result raised our suspicions that these websites suffered vulnerable plugins that allowed hackers to exploit the WordPress system and to implement maladvertising page or to fully compromise the hosting server hosting the page. We do not know which plugin vulnerable or what vulnerability was being used as the exploitation entry as we do not have the authorization to scan or probe into the information. The following chart shows the percentage of type 2 websites using WordPress.
Unlike type 1 websites, all hyperlinks were redirected to another domain with the URI /click.php?lp=. We believe these hyperlinks did not work in the same way as those in type 1 websites because hackers might not want to host the redirection page at a compromised website.
Type 3 websites also appeared to be hacked websites, however, they were without the maladvertising content. The content of these websites on first glance appeared to be unrelated to any cryptocurrency investment, or any copied contents from different other websites or web hosting server. Part of the collected data in type 3 is likely to have used a WordPress system. The following chart shows the percentage of type 3 websites using WordPress.
Similar to the limitations in type 2 websites, we cannot identify whether it is being exploited via WordPress vulnerabilities. We also cannot determine whether these type 3 websites had hidden malicious scripts running behind the static page to redirect specific users to another website or collect data from users.
Domain
Type 1 of websites use uncommon and new domain Top-Level Domain (TLD), .club and .info. These domains showed an interesting fact that the period between the registration date and last updated date pointed to planned action. A few of the domains were updated after 5 days of registration date and others appear to be after months but on the same day of the month. We suspect that these domains have been registered by hackers and remained to be updated for a lengthy time frame which acted as a “cooling down” period to avoid suspicious domain check by cybersecurity companies.
The domains in type 2 websites were registered for a longer period, and likely to have no fix pattern of cooling down period as it is found in type 1. All type 2 websites appeared to be hacked or compromised for spreading the maladvertising content.
3 of the 6 domains in type 3 websites were newly registered and within a cooling down period. Others appeared to be a compromised website and served copied contents. We are of the opinion that there are 2 possible outcome for these websites, 1) these websites have been compromised and are waiting out the observation period to ensure the webmaster doesn’t know the website has compromised, or 2) waiting out the cooling down period to avoid falling into the criteria being a suspicious newly created domain. Given the waiting required for these to happen, we do not have evidence to prove these suspects.
Embedded Script
In type 1 websites, we observed only 1 JavaScript in the static maladvertising page. This script appears to be identical in the content of all collected maladvertising website. It is used for dynamically updating the blog post date to visit date.
In type 2 websites, we observed that most of the websites have injected JavaScript above of the original page source code. We suspect that this happened because the hacker has compromised the WordPress system and injected the malicious JavaScript into the WordPress blog post PHP function. This seems to be the same technique, Traffic Distribution System (TDS) used in another WordPress hacking scene as well. The TDS is crafted by the hacker to redirect users from the compromised page to a crafted malicious landing page. The injected script is usually designed to redirect users with specific rules, for example, a user who first time arrives the website only. It is also being crafted to avoid being further analyzed or extracted by cybersecurity experts. It sometimes redirects the user to the landing website via multiple websites with different domains to avoid deep tracing by experts. The websites in between the redirections are likely compromised websites as well. In other TDS researches carried by many experts show that compromised websites with TDS script are usually running WordPress and the compromise is due to vulnerable plugins installed.
In type 3 websites, we observed no injected JavaScript, however, we cannot confirm whether these websites have injected code in the server backend due to the nature of TDS.
Hyperlink Redirection
We observed that all hyperlinks in the maladvertising content have been redirecting to the same eventual landing page, Bitcoin Future.
Hyperlinks in type 1 websites were found to be redirected to the URI /ping?s= under the same domain, then again redirecting to multiple websites. Before landing to the final landing page, we observed that the redirection must go via 2 websites, the first is https://track<.>trc10<.>com/tracker?c= and the second is http://klikna<.>com/g3EFWc5k?c=. The following screenshot shows the redirection flow of one sample.
Figure 3 Screenshot of redirection flow
We did not investigate these 2 websites as it is not part of the scope of our research. However, the redirection flow proves that these collected websites are involved in the same maladvertising campaign.
Hyperlinks in type 2 websites appear to be redirected to another domain with URI /click.php?lp=. This page acted exactly the same as the hyperlinks in type 1, redirecting via multiple websites to the final landing site.
More articles about Maladvertisment campaign:
Comments