The Art of Disguise: How Scammers Hide Their Websites Online
When analyzing scam websites, it’s hard not to be amazed by the creativity of online fraudsters. Sometimes they offer you free pizza, sometimes fake cryptocurrencies. There are even sites that don’t look suspicious at first glance—they simply collect contact information to later scam everyone in their database. But before you can study a scam site in detail, you first have to find it. Let’s look at how such sites are found and at the methods scammers use to hide them on the internet.
How Scam Sites Are Discovered
Sometimes, a complaint about a suspicious site is submitted to a company or a bank’s cybersecurity department, which triggers an investigation. But let’s imagine a security specialist wants to find malicious sites proactively.
The simplest method involves these steps:
- Download the list of recently registered .ru domains from Domains.ihead.ru (the list covers domains registered in the last three months);
- Look for domains similar to the official domains of major companies and banks;
- Visit the site and see what’s there;
- If a scam resource is found, submit a request to the registrar to block the domain, complain to the hosting provider, or set up a firewall to block such resources within your own network.
A more advanced option is to use custom or commercial scanners that automatically search the internet. However, even these methods don’t always work. Why is it sometimes so hard to find scam sites? There are several reasons.
Common Scam Site Hiding Techniques
1. Similar Spelling
If you filter all domains for the word “gaz,” you won’t find “gaazprom.ru,” but a tool like Dnstwist (available in Kali Linux or online at dnstwist.it or dnstwister.report) can help. Dnstwist generates different variations of a main domain and checks which ones are registered. For example, for the official “gazprom.ru,” it generated and checked 2,270 variants—38 of which were registered.
Visiting “gaazprom.ru” shows a page announcing “14 spots left, act now!”, a classic scam pressure tactic.
2. Subdomains
Sometimes, scanning the main site (like openstockinvest.cyou) shows nothing suspicious. But if you visit a subdomain (like hxxp://bussiness.openstockinvest.cyou), you might find a scam landing page.
3. Domain Zones
Many only check domains in the .ru zone, missing sites registered in over 1,500 other domain zones. Even Dnstwist doesn’t generate all possible zones, so you might miss potential threats. To cover all zones, you can download a list of 250 million registered domains from Domains-monitor.com (the service costs $7 for 24-hour access).
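The lookup the similar-spelling, subdomain and domain-zone sections describe, as an added example rather than code from the original article or from Dnstwist: it generates a subset of Dnstwist-style variants of a label, expands them over an assumed zone list, and matches them against a constructed newly-registered-domain feed, comparing on the last two labels so a scam page parked on a subdomain is still caught (two-label public suffixes such as co.uk are not handled here).

```python
"""Lookalike-domain finder for newly registered domain lists (constructed example)."""

# Homoglyph-style substitutions, a small subset of what Dnstwist applies.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "a": "4", "e": "3", "s": "5"}

# Assumed zone list; the article notes scams also sit in .cyou, .site and others.
TLDS = ["ru", "com", "cyou", "site"]

# Constructed stand-in for a newly-registered-domain feed (not real data).
NEW_DOMAINS = [
    "gaazprom.ru",               # letter repetition
    "gazpr0m.ru",                # homoglyph
    "bussiness.gazprom.cyou",    # scam page on a subdomain in another zone
    "gazprom.ru",                # the official domain itself, must not be flagged
    "catshelters.ru",            # unrelated
    "gasprom.ru",                # keyboard-neighbour swap, not generated below
]


def permutations(label):
    """Variants of a bare domain label: repetition, omission, transposition, homoglyph."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + ch + label[i:])                          # gaazprom
        out.add(label[:i] + label[i + 1:])                           # gaprom
        if i < len(label) - 1:
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])   # gazrpom
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])      # gazpr0m
    out.discard(label)
    return out


def find_lookalikes(official, domains, tlds):
    """Return entries from `domains` whose registered domain is a lookalike of `official`."""
    label = official.split(".")[0]
    # The unchanged label in a different zone (gazprom.cyou) counts as a lookalike too.
    candidates = {f"{v}.{t}" for v in permutations(label) | {label} for t in tlds}
    candidates.discard(official)
    hits = []
    for entry in domains:
        entry = entry.lower().rstrip(".")
        # Compare on the last two labels so subdomains (bussiness.gazprom.cyou) are caught.
        registered = ".".join(entry.split(".")[-2:])
        if registered in candidates:
            hits.append(entry)
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_lookalikes("gazprom.ru", NEW_DOMAINS, TLDS):
        print("review:", hit)
```

The entry gasprom.ru is deliberately left uncaught: this subset has no keyboard-adjacency fuzzer, which illustrates why no single variant generator or zone list should be trusted to enumerate every lookalike.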
4. Parasitic Hosting
Just like in nature, a virtual parasite uses someone else’s resources to survive and stay unnoticed. Often, a harmless site is hacked and a malicious page is uploaded to one of its subdirectories.
5. “Neighbor” Sites
This method involves placing scam sites on “third-party” resources. For example, gatrade.turbo.site—a web page created using Yandex’s website builder.
Similarly, scammers use quiz platforms (online survey builders); one example was a scam survey hosted on quizgo.ru (now inactive, though traces of it remain in Google’s index).
6. “Internal” Pages
Another way scammers protect their sites from security scanners is by hiding the malicious page inside the site. For example, visiting hxxps://invest-it.live redirects you to Google, but the actual scam page is at hxxps://invest-it.live/russian-platform.
7. Cloaking
Cloaking is the practice of showing different content depending on the visitor’s technical details. For example, visiting hxxp://gazpromrekl.ru from a Ukrainian IP shows a scam site, while visitors from any other IP are shown a store selling cat houses.
Sometimes, the site even shows a web studio page for Russian IPs, suggesting the scammers are monetizing their skills in multiple ways. Cloaking is also used on social networks to bypass moderation. For example, a moderator from Europe or India visiting 5000-privitum-podarok.ru sees one site, while users from CIS countries see completely different content.
Conclusion
The methods described above are just a few of the ways scammers hide their sites. There’s an entire business selling ready-made landing pages that copy well-known companies and banks, as well as affiliate programs designed for scams.
Therefore, the two most effective ways to fight scams are: technical blocking of what you can find (if you’re an IT/security specialist), and educating employees, relatives, and friends about information security. This “brain firewall” works much better than any technical solution alone.