Were You Taken Off To Tokelau? Welcome Back - We've Fixed The Redirect - Granite Grok

Were You Taken Off To Tokelau?
Welcome Back – We’ve Fixed The Redirect

Tokelau - Mostly Harmless
.tk - NOT Harmless

Tokelau is one of the tiniest countries, with three coral atolls and 1500 people, but Tokelau’s web presence (.tk) is the third largest in the world, and it’s mostly malicious.

Work proceeds apace on our new, faster, sleeker ‘Grok, and our sincere thanks go to all who helped make it possible, but the problems with the old site had become too intrusive to live with. Our hosting company had already rolled the website back to an earlier state, and Steve had to re-post a bunch of articles, but that was not enough because, as Skip said, the older version of WordPress had vulnerabilities that were too easy to exploit.

After hours of poring over HTML and packet traces looking for the redirect to .tk domains, and a few more hours reading about common exploits, we concluded that core WordPress files had most likely been corrupted, and that a commonly run JavaScript file was the primary suspect for sending your PC the instructions to travel to the South Pacific.

Good Fences Make Good Neighbors

Protected by Wordfence

All that reading pointed to a high probability that built-in WordPress scripts were corrupted, so what to do next? Several companies offer WP cleaning services and/or “firewalls,” and some are quite expensive. Wordfence offers a free WP plugin, extra features for a modest price, and a cleaning service if needed. Furthermore, they have a huge repository of “normal” files for many versions of WordPress and common plugins. They got great reviews, too. We picked the premium version and hoped not to need the extra time and expense of their cleaning service.

How did we do? So far, so good: three copies of a malicious file uploader, four core files with extra code in them (which we were sure were not our modifications), two malicious URLs in comments, one false positive, and some old plugins (not infected). The malicious file uploaders were deleted, the files with extra code were restored from Wordfence’s repository, the bad URLs removed from comments, and the false positive marked to be ignored in future.
Oh, and the redirects to Tokelau stopped cold!
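The check that kind of scan performs, as an added example written for this post (not code from the post or from Wordfence): hash every file under the site root, compare against a manifest of known-good hashes (the counterpart of Wordfence’s repository of “normal” files), flag files the manifest does not know about (a dropped uploader), and grep every file for a JavaScript redirect to a .tk host. The sample tree, its hashes and the redirect pattern are all constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# JavaScript redirect to a .tk host, e.g. location.href = 'http://x.tk/' (the pattern is an assumption)
TK_REDIRECT = re.compile(r"""(?:location(?:\.href)?\s*=|window\.open\()\s*['"]https?://[^'"]*\.tk[/'"]""", re.I)

def scan_tree(root, manifest):
    """Compare every file under root with a {relative_path: sha256} manifest of known-good files.
    Returns sorted lists: 'modified' (hash differs, i.e. injected code), 'unexpected' (not in the
    manifest, e.g. a dropped uploader), 'missing', and 'tk_redirect' (a .tk redirect in any file)."""
    found = {"modified": [], "unexpected": [], "missing": [], "tk_redirect": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath, name)
            rel = full.relative_to(root).as_posix()
            data = full.read_bytes()
            seen.add(rel)
            if rel not in manifest:
                found["unexpected"].append(rel)  # a file that should not exist at all
            elif hashlib.sha256(data).hexdigest() != manifest[rel]:
                found["modified"].append(rel)  # a core file with extra code in it
            if TK_REDIRECT.search(data.decode("utf-8", "replace")):
                found["tk_redirect"].append(rel)
    found["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in found.items()}

def build_demo():
    """Constructed sample tree: two clean core files are hashed into the manifest, then one gets a
    .tk redirect appended and an extra file appears under wp-content/uploads (uploader stand-in)."""
    root = Path(tempfile.mkdtemp())
    core = {"wp-load.php": b"<?php require_once 'wp-config.php';\n",
            "wp-includes/js/jquery.js": b"/* jQuery (placeholder) */\n"}
    manifest = {}
    for rel, data in core.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    js = root / "wp-includes/js/jquery.js"
    js.write_bytes(js.read_bytes() + b"window.location.href = 'http://example-redirect.tk/';\n")
    (root / "wp-content/uploads").mkdir(parents=True)
    (root / "wp-content/uploads/up.php").write_bytes(b"<?php /* stand-in for a dropped uploader */\n")
    return str(root), manifest

if __name__ == "__main__":
    demo_root, demo_manifest = build_demo()
    print(scan_tree(demo_root, demo_manifest))
```

On a real install the manifest would be built from a pristine copy of the same WordPress release, and wp-content/uploads would need its own baseline, since user uploads are never in the core file set.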

Why you might want to visit Tokelau, but you would not want your device to visit .tk

Tokelau: a beautiful tropical island paradise and a dependency of New Zealand, with its own local democratic government. Three coral atolls in close proximity, with gorgeous views, beaches, and waters. Needless to say, a relatively small GDP, and so the government decided to put its domain name, .tk, out for hire. From Wikipedia:

“Tokelau has increased its GDP by more than 10% through registrations of domain names under its top-level domain, .tk. Registrations can be either free, in which case the user owns only usage rights and not the domain itself, or paid, which grants full rights.”

And that’s where it gets interesting on the Web…

McAfee SiteAdvisor has pegged the South Pacific island of Tokelau as the most hazardous place in cyberspace. McAfee warned that a staggering 10 percent of pages ending in its “.tk” domain are malware infested and that there are one billion monthly visits to .tk sites that are not safe to surf. These sites may have content that includes spyware, spam, viruses, and browser exploits.

Wandera.com notes that dirt-poor countries like Gabon (.ga), Mali (.ml), the Central African Republic (.cf), and Tokelau (.tk) increase their web presence (and monetize it) through hot domain trading posts like freenom.com or intermediaries like BV Dot TK, where the only cost (requirement) for a free domain is that you use it. And boy, do they get used: botnet control sites, malware and phishing sites, exploit-code hosting sites, and more. Registering domains the old-fashioned way costs money, but scam sites are every bit as fly-by-night as their operators, with sophisticated hackers churning through thousands, if not hundreds of thousands, of domains to spread their large-scale attacks.

It’s effectively a money and identity-laundering scheme, where the bad guys hide behind a veritable forest of domain names on the one end, the brokers like freenom skim off a little money in the middle, and the top-level domain owners, like Tokelau, can claim that they have regulations, and had no idea their valuable domain name was being used this way! (And I have a bridge in Brooklyn to sell you…)

Correction: An earlier version of this article noted that Skip had to “repost a bunch of articles.” It was actually Steve who had to do that.
