Access to Information, Duke University, and The Media Trust: February Update

In the third week of November 2020, The Duke-Sanford and Media Trust research team observed a peculiar spike in undesired third-party code. Of the 674 malware impressions from that week, 630 of them rendered from an abandoned domain on a popular news website. An abandoned domain is a unique security risk relative to the typical adware campaigns that our team observes. These domains are the remnants of previously owned websites. They are the URLs and code for domains that companies owned before they went out of business, or lost ownership for some other reason. In the free-for-all spirit of the digital ecosystem, such domains are brought to market and sold to the highest bidder. The new owners can then repurpose the existing website’s infrastructure to deliver whatever kind of content they
choose. In this case, that content was more undesired third-party code.

If you are asking why abandoned domains are allowed to exist at all, you are not alone. The existence of abandoned domains is evidence enough that the digital ecosystem is dangerously unregulated. The practice of repurposing a previously owned website into whatever the highest bidder wants is an area that needs attention from policymakers. The same can be said for the markets for abandoned domains, and their monetization. These markets ought not exist in the first place and they certainly should not be profitable. Still, those who organize the market process stand to gain from the buying and selling of abandoned domains, as do those who use them to spread content like phishing attacks and tracking software. That points to the unintended consequences of the current internet architecture– for a price, threat actors can use other peoples’ now-unowned online infrastructure to make money, attack internet users, and spread misinformation. Worse still, this particular domain was serving content in the advertising space on a popular news website, meaning that a well-respected company was exposing its users to these attacks in order to maximize advertising revenue. And at the end of this trail stands the unaware user, reading the daily column on their favorite news outlet’s website. Little do they know that the online advertising revenue model has placed them in a vulnerable position to malicious actors. All it takes for that risk to be realized is one wrong click.