The Latest in IT Security

Thousands/Millions of .tk sites created for fake online stores


While I was monitoring hijacked sites leading to fake online stores, I noticed a significant increase in .tk sites redirecting to via There are a number of interesting things going on with these .tk sites. First, the spammers have decided to create their own sites rather than hijacking existing sites with good reputation rankings. Doing a Google search, I found thousands of these sites:,,,,,, etc. There may be up to 6 million sites like this.  Most of the domains are registered by two entities: DOT TK and Malo Ni Advertising Limited (Isle of Man).

WHOIS information for offers free .tk domains and redirections, like, so it is is not surprising to see this service being abused.

Free .tk domain names

These .tk sites contain only spam, unlike hijacked sites, which contain both legitimate content and spam. They look all pretty much the same. The previous spam pages I saw were using only text, with no images. These sites look more like online stores, with images, and links to the actual fake stores

Spam page from

The fake online stores linked from these spam sites are the same as the fake stores that I saw earlier: same template, same translations into 5 languages, same discounts, etc:,, etc.

Fake store

Down …. but still there

About half of the .tk domains I’ve tried seem to be down. They redirect to, then to which seems to be a parking domain.

Domain parked on

It is very likely that the .tk domains were suspended by the registrar, and now redirect to to a parking domain where the registrar can make some money for it’s free service with the advertising.

These domains are not harming users anymore, since they redirect to a harmless advertising page instead of a fake store. But it is disappointing that they are still in Google’s index, and show up for queries related to buying software online. For example, Google displays more than 600 spam pages for the domain

The second take away is that these dead domains illustrate why it is more effective for the spammers to hijack existing sites rather than create their own. With their own spam sites, it is very easy for both the registrar and Google to take down the entire domain, but is is not likely that Google, or any other search engine, or for example that the registrar Educause is going take down because some sub-domains of their sites contain spam.

Protect yourself

Users can be warned when they visit a fake online store by installing the free Zscaler Safe Shopping add-on for Firefox, Safari, Chrome, Opera and Firefox Mobile.

— Julien

Leave a reply


MONDAY, JUNE 17, 2024

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments