Say I'm running a SaaS product, example.com.
Somebody has bought several domains like getexample.com, buyexample.io, joinexample.net, and is 301 redirecting them to example.com.
What's their play here? Is this setup for a phishing attack in the future? Are they just going to try and sell the domains to me in the future? I haven't encountered behaviour like this before (or at least, I don't know whether this is the beginning phase of a common scam).
- Attempting to use your legitimate content and services to improve the SEO rank of other domains (even unrelated ones). This can usually be checked by looking for a sitemap.xml: there will be pages, not redirected to your site, that contain pages of links.
- Closely following the above, the pages may not be links to other sites but might be hosting phishing pages for other services unrelated to yours. The redirect here acts as a bluff for casual inspection of the domain. You won't see page entries in a sitemap.xml file for these ones.
- Attempting to "age" a domain. Not many talk about this option, but new domains are a red flag to a lot of automated security processes. By purchasing a domain and giving it a history associated with a legitimate service, they make the domain look less suspicious for future malicious use.
- Preparation for a targeted campaign. This is pretty unlikely; you need to be really worth a dedicated long-term campaign effort specifically against you or your company. If you're doing controversial/novel research, are managing millions of dollars, performing a service a state actor would object to, or have high-profile clientele, then maybe you fall into this category. These are patient campaigns and want to make the domain "feel normal and official". They won't do anything public with the domain such as SEO tweaking or link spam; they'll use these domains only for specific targeted one-off low-noise attacks. They're relying on staff to see that the domain has been connected to your service for years and is likely just a domain someone in marketing purchased and forgot about. This is exceptionally rare.
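The sitemap check from the first two bullets, as an added example that is not part of the original thread: pull the lookalike's sitemap.xml, then follow every listed URL and classify it as redirecting to the legitimate site, serving its own content (link farms or phishing pages hiding behind the homepage redirect), or dead. The fetcher is injected so the audit runs offline here against constructed responses; the domain names (getexample.com, example.com) are taken from the thread, and the sitemap contents are made up for illustration.

```python
"""Audit a lookalike domain: does every page advertised in its sitemap.xml
really redirect to the legitimate site, or does it host content of its own?"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# A fetcher takes a URL and returns (status code, response headers, body).
# It must NOT follow redirects itself, so the audit can see each hop.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]


def parse_sitemap(xml_text: str) -> List[str]:
    """Return the <loc> URLs listed in a sitemap.xml document."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]


def follow_redirects(url: str, fetch: Fetcher, limit: int = 5) -> Tuple[str, int, str]:
    """Follow 3xx responses by hand; return (final_url, final_status, final_body).
    A status of -1 means the redirect chain did not settle within `limit` hops."""
    for _ in range(limit):
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if 300 <= status < 400 and location:
            url = location
            continue
        return url, status, body
    return url, -1, ""


def audit_sitemap(sitemap_url: str, legit_host: str, fetch: Fetcher) -> Dict[str, List[str]]:
    """Classify each sitemap URL as 'redirects_to_us', 'hosts_own_content' or 'unreachable'."""
    report: Dict[str, List[str]] = {"redirects_to_us": [], "hosts_own_content": [], "unreachable": []}
    status, _, sitemap_body = fetch(sitemap_url)
    if status != 200:
        return report  # no sitemap advertised; pages may still exist (see next bullet)
    for url in parse_sitemap(sitemap_body):
        final_url, final_status, _ = follow_redirects(url, fetch)
        final_host = (urlparse(final_url).hostname or "").lower()
        if final_status == -1 or final_status >= 400:
            report["unreachable"].append(url)
        elif final_host == legit_host or final_host.endswith("." + legit_host):
            report["redirects_to_us"].append(url)
        else:
            report["hosts_own_content"].append(url)
    return report


# Constructed sample responses standing in for a real lookalike domain.
FAKE_RESPONSES = {
    "https://getexample.com/sitemap.xml": (200, {}, """
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://getexample.com/</loc></url>
  <url><loc>https://getexample.com/links/</loc></url>
  <url><loc>https://getexample.com/old/</loc></url>
</urlset>"""),
    "https://getexample.com/": (301, {"Location": "https://example.com/"}, ""),
    "https://example.com/": (200, {}, "<html>legit</html>"),
    "https://getexample.com/links/": (200, {}, "<html>page of outbound links</html>"),
    "https://getexample.com/old/": (404, {}, ""),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Offline stand-in for an HTTP client that does not follow redirects."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for bucket, urls in audit_sitemap("https://getexample.com/sitemap.xml", "example.com", fake_fetch).items():
        print(bucket, urls)
```

For a live check, swap `fake_fetch` for a client with redirect-following disabled (for example `requests.get(url, allow_redirects=False)`), since a client that follows redirects transparently would hide exactly the hop this audit is looking at.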
A 301 fits that bill because then the owner's browser, even when travelling, will serve the good content.
(I doubt that is the case in OP's situation, but I have seen both of those methods of "hiding" multiple times now)
If they detect something that matches what they want, they may throw some intermediate 301s to pages that attempt to infect the user with something, while still ultimately redirecting to the "normal" page.
There's a related site compromise where a hacked webserver behaves normally except, when the referrer is google.com, it adds a JavaScript redirect to the end of any page.
You go to example.com, and everything looks normal. You click a link to example.com, and you end up on a page selling herbal dick pills. The site owner yells at Google, thinking it's their fault. Googlebot never gets served the redirect.
You should be able to do the same thing with 301 redirects.
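The referrer-conditional cloaking described above is easy to miss if you only ever load the site as yourself. Here is an added example, not from the original thread, that probes a URL under several request profiles (no Referer, a google.com Referer, a Googlebot User-Agent) and flags any profile whose redirect behaviour differs from the plain request, whether the redirect is a server-side 3xx or a JavaScript/meta-refresh redirect appended to the body. The fetcher is injected so the probe runs offline against constructed responses; `pills.invalid` and the injected script are made up, as is the regex-based redirect detector, which is a heuristic rather than a JavaScript parser.

```python
"""Probe a page under different Referer / User-Agent profiles and report
profiles whose redirect behaviour differs from a plain direct request."""
import re
from typing import Callable, Dict, List, Tuple

# A fetcher takes (url, request headers) and returns (status, headers, body)
# without following redirects.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]

# Request profiles to compare. "direct" is the baseline the others are judged against.
PROFILES: Dict[str, Dict[str, str]] = {
    "direct": {},
    "from_google": {"Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}

# Heuristic patterns for client-side redirects that a 3xx status would not reveal.
REDIRECT_PATTERNS = [
    # window.location = "..."; location.href = '...'; top.location = "..."
    re.compile(r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)\s*["']([^"']+)["']""", re.I),
    # location.replace("...")
    re.compile(r"""location\.replace\(\s*["']([^"']+)["']\s*\)""", re.I),
    # <meta http-equiv="refresh" content="0; url=...">
    re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+url=([^"'\s>]+)""", re.I),
]


def find_client_redirects(body: str) -> List[str]:
    """Return the targets of JS / meta-refresh redirects found in an HTML body."""
    targets: List[str] = []
    for pattern in REDIRECT_PATTERNS:
        targets.extend(m.group(1) for m in pattern.finditer(body))
    return targets


def probe(url: str, fetch: Fetcher) -> Dict[str, Dict]:
    """Fetch url once per profile and record what each profile was told to do."""
    results = {}
    for name, headers in PROFILES.items():
        status, resp_headers, body = fetch(url, headers)
        results[name] = {
            "status": status,
            "location": resp_headers.get("Location"),
            "client_redirects": find_client_redirects(body),
        }
    return results


def cloaking_findings(results: Dict[str, Dict]) -> List[str]:
    """Names of profiles whose redirect behaviour differs from the 'direct' baseline."""
    base = results["direct"]
    key = lambda r: (r["status"], r["location"], r["client_redirects"])
    return [name for name, r in results.items() if name != "direct" and key(r) != key(base)]


# Constructed responses: the site is clean unless the visitor came from Google.
BASE_BODY = "<html><body><h1>Example SaaS</h1></body></html>"
INJECTED_BODY = BASE_BODY.replace(
    "</body>", '<script>window.location = "https://pills.invalid/";</script></body>')


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Offline stand-in for an HTTP client; mimics a referrer-cloaked compromise."""
    if headers.get("Referer", "").startswith("https://www.google.com"):
        return 200, {}, INJECTED_BODY
    return 200, {}, BASE_BODY


if __name__ == "__main__":
    findings = cloaking_findings(probe("https://example.com/", fake_fetch))
    print("profiles with divergent redirect behaviour:", findings)
```

Run it from a network you do not normally use as well: the thread's own point is that a compromise may also key on the visitor's location, so a probe from the site owner's usual IP range can come back clean.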
OP, you can search for "site:getexample.com", which will list any pages that have been indexed for that domain. They might have just redirected the homepage. Worth a shot.
1) set up plausibly-named fake domains that redirect to example.com
2) ensure that the fake domains rank higher than the original domain for "example" searches.
3) after a while, people have gotten used to accessing the service through the fake domains or might even think those are the official domains.
4) pull up the net by replacing the redirect with phishing pages. Suddenly, everyone googling for the service will end up on a phishing site, without any obvious way to fix the situation.
Phishers could also run this scheme for lots of sites in parallel, without needing to have some specific interest in any of them.
Edit: Seems like the semantics of the 301 redirect should prevent this from working though.
Then they build links to their domains. Once it has more backlinks than the real domain, the redirect is removed.
- Reaching out in good faith with an offer to sell the domain to you. I've had that happen in the past, and before receiving the email the person directed the domain to my official website to show good will. I purchased the domain and now own it.
Not saying this is the case here, but just wanted to throw a legitimate scenario into the mix. They should have reached out by now if this was the case.
Then they send an invoice…
I think this was a common attack vector around then, but is no longer common.
Can you not detect and prevent this based on the HTTP referrer? Maybe reroute to goatse or something...
The last thing you would ever want to do is associate your domain name with gross, offensive content like this. The web is crawled all the time for snapshot data.
Additionally, you're more likely to cause your own (potential) users to stumble on this than anything else.
IMO, the best policy is almost always transparency. If you were to redirect users (and referrer-based redirects are a fragile thing), send them to a phishing/spam awareness page and explain that they most likely arrived from such a source.
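An added example, not from the original thread, of the transparent approach above done as a small WSGI middleware: visitors whose Referer names a known lookalike domain get a 302 to an awareness page; everyone else passes through untouched. The lookalike names come from the original question; `/awareness` and the demo app are assumptions. Two things make referrer-based routing fragile and the code is written around them: a missing or malformed Referer must never trigger the redirect (many browsers and Referrer-Policy settings strip it), and a bare 301 from getexample.com does not set Referer to getexample.com at all, because browsers keep the referrer of the page that linked to the redirecting URL rather than the redirecting URL itself. So this catches visitors who clicked a link on a page the lookalike actually hosts, not visitors who typed the lookalike name or followed a pure redirect.

```python
"""WSGI middleware: send visitors referred by a lookalike domain to an awareness page."""
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import urlparse

AWARENESS_PATH = "/awareness"  # assumed location of the explanation page


def referer_host(environ: Dict) -> str:
    """Lowercased hostname from the Referer header; '' if absent or unparseable."""
    try:
        return (urlparse(environ.get("HTTP_REFERER", "")).hostname or "").lower()
    except ValueError:  # e.g. a malformed IPv6 literal; treat as no referrer
        return ""


def is_lookalike(host: str, lookalikes: Set[str]) -> bool:
    """True if host is one of the lookalike domains or a subdomain of one."""
    return bool(host) and any(host == d or host.endswith("." + d) for d in lookalikes)


class AwarenessRedirect:
    def __init__(self, app, lookalikes: Iterable[str], awareness_path: str = AWARENESS_PATH):
        self.app = app
        self.lookalikes = {d.lower() for d in lookalikes}
        self.awareness_path = awareness_path

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        # The awareness page itself always passes through, so a lookalike Referer
        # on that page cannot produce a redirect loop.
        if path != self.awareness_path and is_lookalike(referer_host(environ), self.lookalikes):
            start_response("302 Found", [
                ("Location", self.awareness_path),
                ("Content-Type", "text/plain; charset=utf-8"),
                # The decision depends on a per-visitor header; never let a cache reuse it.
                ("Cache-Control", "no-store"),
            ])
            return [b"Redirecting to an explanation page.\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"normal page\n"]


def run(app, environ: Dict) -> Tuple[str, Dict[str, str], bytes]:
    """Invoke a WSGI app with a constructed environ; return (status, headers, body)."""
    captured: Dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Lookalike names from the original question.
app = AwarenessRedirect(demo_app, {"getexample.com", "buyexample.io", "joinexample.net"})

if __name__ == "__main__":
    for environ in ({"PATH_INFO": "/"},
                    {"PATH_INFO": "/", "HTTP_REFERER": "https://getexample.com/promo"},
                    {"PATH_INFO": "/", "HTTP_REFERER": "https://www.google.com/"}):
        print(environ.get("HTTP_REFERER", "<none>"), "->", run(app, environ)[0])
```

Keep the awareness page plain and non-judgemental: the visitor did nothing wrong, and the page is also what a crawler will see if it happens to arrive with that Referer.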
If I target a specific region with a phishing link and redirect if the requestor is not in that region I can probably maintain my phishing domains for longer.
The Cloudflare redirect likely has GoDaddy underneath, based on what’s visible at myEXAMPLE.com/lander and others.
Half of the domains are set for Outlook Mail, the other for Google Mail which points to a potential email game.
It doesn’t make things safer that your brand name is a top-400 frequency word in one of the European languages. Not owning your .com and having a dozen businesses with similar names just compounds the risk.
What to do really depends on the specifics of your case, including trademark and competition factors. If you’re stuck, feel free to ping me at aghackernews [at] gmail.
There was a humanitarian charity I've donated to, and I saw people erroneously linking to the wrong URLs when spreading news of it. (Say, `foobar.org` and `boofar.com` when the charity is at `boofar.org`.)
So, I just bought the URLs and had them redirect to the correct URL, before a bad actor could snap them up.
They might be trying to create toxic backlinks to their domains, and if those domains 301 to your domain, I believe this can negatively impact the SEO of your domain (from what I read). If so, you can try to disavow them: https://support.google.com/webmasters/answer/2648487?hl=en