Privnote, a legitimate encrypted online message service, has been the subject of a year-long phishing scam. Privnote allows users to create encrypted messages which will self-destruct automatically upon reading. Cyber-criminals registered a similar domain, Privnotes[.]com, which was used to target Privnote users. The site hosted at Privnotes[.]com was created to be extremely similar to Privnote in every way, including the appearance and operation of the site. It appears that criminals were using the fake website at the typosquatting domain to steal bitcoins from users who were fooled into thinking they were actually using Privnote. The fraudulent site was designed to identify any message which contained a bitcoin address and alter the message to contain the criminal’s bitcoin address instead. The website even contained a failsafe to avoid detection by checking the IP address of both the message sender and receiver to ensure that they did not match. According to members of Privnote’s staff, the main difference between Privnote and Privnotes was that Privnotes does not actually encrypt the messages fully, allowing them to read and modify the messages being sent by their victims. The criminals who operated the fake site even went to the lengths of paying for a Google AdWords advertisement to direct visitors to the fake site when searching for “Privnotes” on Google, with the link to the fake site appearing at the top of the search results.
Analyst Note: Typosquatting is a common technique used in many criminal schemes, especially phishing attacks. Criminals will register a domain that is extremely similar to the domain of the online service that they are attempting to impersonate. These similar domains are typically made with one or two small differences which are intended to go unnoticed by their victims. These changes can include doubling certain letters, changing double letters to singles, replacing characters with similar-looking letters and numbers, changing the domain between .com, .net, .org, etc., or even swapping the decimal from before the c in .com to after and registering the domain in Oman whose domain is .om. Typosquatting not only affects the victims who are directly targeted with the fraudulent domain but also the organization which is impersonated. Many organizations who find themselves the target of typosquatting attack can suffer from the decreased trust created from the negative publicity resulting from such attacks. Utilizing a domain monitoring service, or security service such as the Binary Defense Counterintelligence service which offers domain monitoring is an important step in protecting both organizations and their customers from typosquatting attacks. More information on this incident can be found at https://krebsonsecurity.com/2020/06/privnotes-com-is-phishing-bitcoin-from-users-of-private-messaging-service-privnote-com/