Redirect auction

We’ve already looked at links under old YouTube videos or in Wikipedia articles which at some point turned bad and began pointing to partner program pages, phishing sites, or even malware. It was as if the attackers were purposely buying up domains, but such a scenario always seemed to us too complicated. Recently, while examining the behavior of one not-so-new program, we discovered how links get converted into malicious ones.


Razor Enhanced, a legitimate assistant tool for Ultima Online, caught our eye when it started trying to access a malicious URL.



Figure: C# program code for installing an update


Since we didn’t find anything suspicious in the program code, it was clear that the problem was on the other side. Going to the site that the program had tried to access, we found a stub for a popular domain auction stating that the domain was up for sale. The WHOIS data told us that its owner had stopped paying for the domain name, and that it had been purchased using a service for tracking released domains, and then put up for sale on the auction site.


To sell a domain at auction, it must first be parked on the DNS servers of the trading platform, where it remains until being transferred to the new owner. Anyone who visits the site sees that stub.



Figure: Stub on the domain up for sale
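One way to catch this from the defender's side, as an added example that is not part of the original article: pull the hostnames hardcoded in an application's source and compare each one's current name servers with a snapshot recorded at release time, flagging domains that have lapsed, moved to a parking platform's DNS, or changed delegation entirely. The parking suffix is a placeholder, the URLs and NS snapshots are constructed sample data, and collecting real NS records is assumed to happen separately.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder suffix for name servers run by a parking/auction platform.
PARKING_NS_SUFFIXES = ("parking-platform.example",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample: URLs hardcoded in an application's update code.
SAMPLE_SOURCE = '''
string updateUrl = "http://updates.old-tool.example/latest.zip";
string helpUrl = "https://docs.vendor.example/help";
string mirrorUrl = "https://mirror.moved.example/files";
'''
# Constructed NS snapshots: recorded at release time vs. observed today.
BASELINE_NS = {
    "updates.old-tool.example": ["ns1.hoster.example."],
    "docs.vendor.example": ["ns1.vendor-dns.example."],
    "mirror.moved.example": ["ns1.hoster.example."],
}
CURRENT_NS = {
    "updates.old-tool.example": ["NS1.parking-platform.example."],
    "docs.vendor.example": ["ns1.vendor-dns.example."],
    "mirror.moved.example": ["ns7.other-dns.example."],
}

def hosts_in_source(text):
    """Hostnames of all http(s) URLs hardcoded in source or config text."""
    hosts = (urlsplit(u).hostname for u in URL_RE.findall(text))
    return {h.rstrip(".") for h in hosts if h}

def _norm(names):
    return {n.lower().rstrip(".") for n in names}

def audit(hosts, baseline_ns, current_ns):
    """Return {host: finding} for hosts whose delegation needs review."""
    findings = {}
    for host in sorted(hosts):
        before = _norm(baseline_ns.get(host, ()))
        now = _norm(current_ns.get(host, ()))
        if not now:
            findings[host] = "no-delegation"       # lapsed or unresolvable
        elif any(n == s or n.endswith("." + s)
                 for n in now for s in PARKING_NS_SUFFIXES):
            findings[host] = "parked"              # on a parking platform's DNS
        elif before and now.isdisjoint(before):
            findings[host] = "delegation-changed"  # every NS replaced
    return findings

if __name__ == "__main__":
    print(audit(hosts_in_source(SAMPLE_SOURCE), BASELINE_NS, CURRENT_NS))
```

A host reported as "parked" or "delegation-changed" should be removed from the code or re-verified before the next release, since whoever now controls the domain decides what the program downloads.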


Having observed this page for a while, we noticed that from time to time visitors who initially went to t ..
