
Ask HN: Why buy domains and 301 redirect them to me?


134 comments · January 24, 2025

Say I'm running a SaaS product, example.com.

Somebody has bought several domains like getexample.com, buyexample.io, joinexample.net, and is 301 redirecting them to example.com.

What's their play here? Is this setup for a phishing attack in the future? Are they just going to try and sell the domains to me in the future? I've not encountered behaviour like this before (or at least, I don't know if this is the beginning phase of a common scam).

TrueDuality

As others have mentioned this is likely one of a couple of scenarios, roughly ordered by my guess on likelihood:

- Attempting to use your legitimate content and services to improve the SEO rank of other domains (even unrelated ones). This can usually be checked by looking for a sitemap.xml; there will be pages not redirected to your site that contain pages of links.

- Closely following the above, the pages may not be links to other sites but might be hosting phishing pages for other services unrelated to yours. The redirect here acts as a bluff for casual inspection of the domain. You won't see page entries in a sitemap.xml file for these ones.

- Attempting to "age" a domain. Not many talk about this option, but new domains are a red flag to a lot of automated security processes. By purchasing a domain and giving it a history associated with a legitimate service, they make the domain look less suspicious for future malicious use.

- Preparation for a targeted campaign. This is pretty unlikely; you need to be really worth a dedicated long-term campaign effort specifically against you or your company. If you're doing controversial/novel research, are managing millions of dollars, performing a service a state actor would object to, or have high-profile clientele, then maybe you fall into this category. These are patient campaigns and want to make the domain "feel normal and official". They won't do anything public with the domain such as SEO tweaking or link spam; they'll use these domains only for specific targeted one-off low-noise attacks. They're relying on staff to see that the domain has been connected to your service for years and is likely just a domain someone in marketing purchased and forgot about. This is exceptionally rare.

IncreasePosts

Regarding point two, OP should connect to a VPN in Japan or somewhere he very much isn't, use incognito mode, and see if the same content is served. I've seen hacked sites that are set up to serve normal content to where the attacker thinks the owner of the site lives, but serve phishing content or malware or whatever to everywhere else.

A 301 fits that bill because then the owner's browser, even when traveling, will serve the good content.

preinheimer

Our service testlocal.ly can grab screenshots for you from different countries really quickly if you want a free check.

Pikamander2

Oh hey, I've used your site before. Thanks for setting it up!

One quick point of feedback: The "Learn more about our features and pricing" button appears to be broken, at least on Chrome Android.

The click gets intercepted by the registration form somehow, like by some type of overly-broad selector targeting "form button" or similar.

Instead of being taken to the pricing page, it takes me to the next step of the form, which I don't want to fill out before seeing the pricing.

Scoundreller

Can you get Google Safe Search to do that? I feel like my reports fall on deaf ears because SMS spammers' URLs would only serve 'bad' pages to $MyCountry (and nowadays do it behind a captcha, fuck you hcaptcha).

jasongill

I have seen attacks where directly visiting the site doesn't show anything out of the ordinary, but visits coming from Google (referer) show different content. Have also seen ones where only User-Agent: Googlebot would see the modified version of the site.

(I doubt that is the case in OP's situation, but I have seen both of those methods of "hiding" multiple times now)

bluesix

Yes, this is how most Wordpress malware works - they inject/publish ad or keyword spam content on the site if the user agent is googlebot. Regular users don't get the ads. It's partially why most people never realise their site has been hacked.

AutistiCoder

Doesn't Google have countermeasures against this?

nneonneo

Or, try a mobile user-agent. I've seen loads of phishing pages that will only serve their malicious payloads to phones - this is especially common with the scams that are sent via SMS.

TrueDuality

Yeah this is a good call-out. If the site is being used for drive-by or targeted malware there are other checks that may be happening alongside the redirect such as user agent, country of origin (like you mentioned), plugins installed, OS, or even time of day.

If they detect something that matches what they want, they may throw some intermediate 301s to pages that attempt to infect the user with something, while still ultimately redirecting to the "normal" page.
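As an added example (not from any commenter), a self-contained Python check for the kind of cloaking described above: a constructed local server stands in for a suspicious redirecting domain, and the probe fetches it under several header profiles without following redirects, so a 301 for ordinary browsers alongside a 200 for crawler, mobile or Google-referred requests shows up as a difference. The server, header profiles and LEGIT_SITE URL are all constructed for the demonstration; geo checks are out of scope here.

```python
import http.server
import threading
import urllib.request

# Constructed stand-in for a suspicious redirecting domain: it 301s ordinary browsers
# to the legitimate site but serves its own page to crawlers, phones and Google referrals.
LEGIT_SITE = "https://example.com/"  # placeholder for the real product domain

class CloakingHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "Googlebot" in ua or "Mobile" in ua or "google.com" in self.headers.get("Referer", ""):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>page only crawlers, phones and searchers see</html>")
        else:
            self.send_response(301)
            self.send_header("Location", LEGIT_SITE)
            self.end_headers()
    def log_message(self, *args):  # silence request logging for the demo
        pass

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Hand back the 3xx response itself instead of following it.
    def http_error_301(self, req, fp, code, msg, headers):
        return fp
    http_error_302 = http_error_303 = http_error_307 = http_error_308 = http_error_301

# Constructed header profiles covering the checks suggested in the thread.
PROFILES = {
    "desktop": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "mobile": {"User-Agent": "Mozilla/5.0 (Linux; Android 13) Mobile Chrome/120"},
    "from-google": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0",
                    "Referer": "https://www.google.com/"},
}

def probe(url):
    """Fetch url once per profile; return {profile: (status, Location header)}."""
    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for name, headers in PROFILES.items():
        with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
            results[name] = (resp.status, resp.headers.get("Location"))
    return results

def is_cloaking(results):
    """Any difference between profiles means the answer depends on who is asking."""
    return len(set(results.values())) > 1

def run_demo():
    """Start the constructed server, probe it, shut it down and return the report."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_address[1]}/")
    finally:
        server.shutdown()
        server.server_close()
```

Point probe() at a real hostname to run the same comparison against a suspicious domain; clear or bypass cached 301s first, as noted further down the thread.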

SlightlyLeftPad

Just a note: 301s are super sticky and browsers cache them even across incognito modes. Your best bet is to use a new browser after reconnecting to avoid false results.

saalweachter

Try curling the URLs with a referrer of Google.

There's a related site compromise where a hacked webserver behaves normally except that, when the referrer is google.com, it adds a JavaScript redirect to the end of any page.

You go to example.com and everything looks normal. You click a link to example.com and you end up on a page selling herbal dick pills. Site owner yells at Google thinking it's their fault. Googlebot never gets served the redirect.

You should be able to do the same thing with 301 redirects.

meigwilym

I think the first one is pretty likely.

OP, you can search for "site:getexample.com" which will list you any pages that have been indexed for that domain. They might have just redirected the homepage. Worth a shot.

timewizard

I would expect the certificate mismatch to prevent this.

maltelandwehr

The certificate mismatch does not play any role in this SEO tactic. It just is not a factor.

dccoolgai

It could be a combo of 1 and 3: a competitor (or someone who thinks they might be one in the future) ages those domains, then points them to their own product later.

TrueDuality

This is another great call-out and semi-common. I can definitely get blinded by my security focus but shady business tactics drive a lot of these similar domain purchases for exactly the reason you described.

HenryBemis

Bait and switch? Get users to bookmark joinexample.com and the others, and once they notice that people keep going to your site via their domain names, they will switch, put up a fake "change password" page, and users will be ripped off.

xg15

Just speculating here, but would it be possible that the redirecting domains could actually overtake the original site in terms of search rank, etc? If yes, this could be preparation for a semi-targeted phishing campaign:

1) set up plausibly-named fake domains that redirect to example.com

2) ensure that the fake domains rank higher than the original domain for "example" searches.

3) after a while, people have gotten used to accessing the service through the fake domains or might even think those are the official domains.

4) pull up the net by replacing the redirect with phishing pages. Suddenly, everyone googling for the service will end up on a phishing site, without any obvious way to fix the situation.

Phishers could also run this scheme for lots of sites in parallel, without needing to have some specific interest in any of them.

Edit: Seems like the semantics of the 301 redirect should prevent this from working though.

naveensky

Another scenario is that if you open the domain from a browser, they will do a 301 redirect, but for traffic coming from Google/search engines, they will show their actual content.

maltelandwehr

If this is done with SEO in mind, at first they will also do a redirect for Googlebot.

Then they build links to their domains. Once it has more backlinks than the real domain, the redirect is removed.

tracker1

I'd add canonical link elements to your HTML and HTTP headers in order to reduce the chances of subversion somehow. The whole thing feels really weird to me.

welder

I'll add another scenario I've personally experienced:

- Reaching out in good-faith with an offer to sell the domain to you. I've had that happen in the past and before receiving the email the person directed the domain to my official website to show good will. I purchased the domain and now own it.

Not saying this is the case here, but just wanted to throw a legitimate scenario into the mix. They should have reached out by now if this was the case.

ardillamorris

Their play is to send emails from those domains, claiming in the emails to be you, and when people reading the email go to the domain, they see your page (they got redirected).

ElijahLynn

This sounds like the most plausible hypothesis.

motoxpro

Wow. Yeah that's genius. It would definitely catch me as I just visit the domain to see if it's legit and don't think about redirects. e.g. gogle.com -> google.com

pinoy420

Nothing new. I used to create fake MySpace login pages, for example, host them somewhere, harvest the credentials, then redirect back to the myspace.com login.

wifipunk

I used to do that too!! I wasn't malicious enough to do anything with them so I would just login to random accounts and poke around and occasionally show my friends by logging into the accounts of people we knew.

phoe-krk

They'll weaponize them at some point. How exactly is to be seen, but if people associate your product with domains you do not control (e.g. via SEO searches and hyperlinks left in public places), then everyone is on the hook the moment these domains stop redirecting to your service.

eastbound

Yes, they can send legit-looking emails from getexample.com; then people will accept those emails as trusted, such as lifecycle emails.

Then they send an invoice…

bhouston

I haven't seen this before but back in the early 2010s I had some India-based group that iframed our SaaS website under a new domain. I caught it early and implemented this fix: https://stackoverflow.com/questions/2896623/how-to-prevent-m...

I think this was a common attack vector around then, but is no longer common.

AbstractH24

Seeing Google's Picasa mentioned in an answer on that Stack Overflow question was a real throwback.

Beijinger

Stupid question:

Can you not detect and prevent this based on the HTTP referrer? Maybe reroute to goatse or something....

mr-wendel

I'm sure I don't really have to point this out, but...

The last thing you would ever want to do is associate your domain name with gross, offensive content like this. The web is crawled all the time for snapshot data.

Additionally, you're more likely to cause your own (potential) users to stumble on this than anything else.

IMO, the best policy is almost always transparency. If you were to redirect users (and referrer-based redirects are a fragile thing), send them to a phishing/spam awareness page and explain that they most likely arrived from such a source.

d4mi3n

Pretty sure Content-Security-Policy headers can prevent this type of attack these days for browsers that support them. Check out the frame-ancestors CSP directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...

sgerenser

Consider rerouting to a picture of an egg in a soft-boiled egg cup with an uncanny resemblance to male anatomy.

Rauchg

It’s possible `/` redirects but other hidden routes phish. If someone gets e.g.: a fake password reset email, it might help the attacker bypass sanity checks users make.

ActionHank

Also helps create phishing report "false" flags.

If I target a specific region with a phishing link and redirect if the requestor is not in that region I can probably maintain my phishing domains for longer.

ag_hn

Just had a look - it appears you’ve got nine .com domains registered with your brand name in the same second on GoDaddy: explore/get/join/meet/my/team/the/tryEXAMPLE.com and EXAMPLEconnect.com.

The Cloudflare redirect likely has GoDaddy underneath, based on what’s visible at myEXAMPLE.com/lander and others.

Half of the domains are set for Outlook Mail, the other for Google Mail which points to a potential email game.

It doesn’t make things safer that your brand name is a top-400 frequency word in one of the European languages. Not owning your .com and having a dozen businesses with similar names just compounds the risk.

What to do really depends on the specifics of your case, including trademark and competition factors. If you’re stuck, feel free to ping me at aghackernews [at] gmail.

lynndotpy

Another possibility: Does your example.com point to something with an ideological or humanitarian goal?

There was a humanitarian charity I've donated to, and I saw people erroneously linking to the wrong URLs when spreading news of it. (Say, `foobar.org` and `boofar.com` when the charity is at `boofar.org`.)

So, I just bought the URLs and had them redirect to the correct URL, before a bad actor could snap them up.

djsamseng

Check if your site has any manual actions against it. https://support.google.com/webmasters/answer/9044175?sjid=11....

They might be trying to create toxic backlinks to their domains, and if those domains 301 to your domain, I believe this can negatively impact the SEO of your domain (from what I read). If so, you can try to disavow them: https://support.google.com/webmasters/answer/2648487?hl=en

antithesis-nl

Phishing. Regular visits to these domains will 301 redirect them to you, but there's at least one URL that will instead be handled by the scammers themselves.

They'll then send out an email campaign with a From: address in the counterfeit domain (which will have valid SPF/DKIM/whatever), a subject like "Example.com: You've been invited to join a project!", quickly-come-see-this-secret-stuff body copy, and a call-to-action button linked to that URL.

The page hosted on the URL will have your branding and everything, and collect a bunch of personal information and/or access credentials for the scammers.

Taking down this stuff is tedious, but you can try -- the least you can do for now is display a prominent 'this is not an authorized example.com domain' warning for inbound visits from these redirects, create a public Knowledge Base-like article warning about this abuse as well (making very clear this has nothing to do with you), and block the domains involved on your inbound mail server.

Silver lining: apparently your SaaS is successful enough to be used as a lure for scammers. Congrats?

kbolino

You cannot detect the redirect, so you cannot display any such warning.

bongodongobob

I did this for a fraudulent health product. They had .org but not .com. Registered .com and redirected it. Waited for SEO to pick up on it. Created the page calling it out as fraud. Created some social media accounts and put the .com in the about info. Started commenting on their posts, anyone that looked at the fake profiles would find my page with info on why it was fraudulent.

pcbmaker20

I think you can check the HTTP_REFERER header and block the redirect using your back-end code, like PHP or Node or Python, not sure what tech stack you are using.

sgc

The right play might be to have a custom landing page or header / popup on your site indicating that they were referred by a fraudulent domain, and to please bookmark your proper domain / report if this was via an email link. The traffic might be good, just coming in through a bad actor.

gwbas1c

No, just redirect back to HTTP_REFERER. Why?

The user's browser will display a redirect loop error; and most importantly, they won't see your domain.

It keeps your name out of it and makes the email domain look even more fishy.

sgc

If somebody is using your website to phish, it almost certainly means they are targeting people who legitimately want your services. It is an executive decision, but I personally would let people know, and take the free advertising.

kbolino

Redirecting back to the referer will not create a redirect loop. The referer is the URL of the site that linked to the redirect, not the redirect itself. The redirect does not alter the referer in any way. In many cases, there will be no referer at all.

I don't know why everyone seems to think that HTTP redirects are visible in Referer (or Origin or any other header), but that's just not the case: HTTP redirects are completely transparent to the destination server.

colechristensen

You can do the same with a load balancer or reverse proxy like nginx, and I'd generally prefer to do so at that layer.

Ayesh

If I was running the sites the 301 redirects come from, I'd be setting a referrer policy to prevent the browser from sending the referrer header.

kbolino

The referer is the site that sent the user to the redirect, not the redirect itself. You cannot detect 301s from the destination only.

napsterbr

Whatever their play, detect and drop the redirects. Good job on noticing it early on!

kbolino

You cannot detect a 301 redirect when you're only in control of the destination.

eastbound

Not through the referrer?

kbolino

If you navigate straight to bad-domain.com which redirects to good-domain.com, there will be no referer at all.

If you click a link on red-herring.com which points to bad-domain.com, which then redirects to good-domain.com, the referer will be red-herring.com (if not disabled entirely).

HTTP redirects have no effect on the referer.

HughParry

Presumably just throwing a 403 if they have this referrer is ok and won't have a weird SEO impact or something?

jsheard

Couldn't the attacker evade that by sending Referrer-Policy: no-referrer with their redirect?

HughParry

Good shout. You can always block based on the Origin header though (under the assumption that it's a legit browser), since it's a forbidden header name.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Or...

RajBhai

Sounds like a security flaw that browsers honor this.

thiago_fm

No, and the earlier you do the better.

Later it might have