Researchers at Cyble and Bleeping Computer recently detailed an ongoing massive typosquatting campaign targeting several well known, reputed web sites. Typosquatting refers to the strategy of creating a website domain that is very close to the original, with a few letters added or subtracted or reversed, in an attempt to create a malicious website with a fake domain that will not be noticed to be illegitimate by the prospective victim. Links to those malicious web sites are then used in phishing emails and other social engineering attacks, as well as within advertisements on reputed sites. Users often arrive at these sites via misspelling a common name in a browser’s URL bar, particularly when on mobile devices. The current campaign uses domain names very close to the original with an “s” added or a single letter substituted in an attempt to avoid user scrutiny. The malicious web sites appear to be close copies of the original reputable website with the same images and formatting. Some of these websites attempt to gather credentials for later exploitation. Others provide download portals for phone apps like PayPal, VidMate, Snapchat, and TikTok. A third group mimics popular Android app stores such as GooglePlay, APKCombo, and APKPure.
For example, the following sites attempted to provide fake apps with a payload of ERMC, a banking trojan targeting online bank accounts and cryptocurrency wallets:
payce-google[.]com – impersonates Google Wallet
snanpckat-apk[.]com – impersonates Snapchat
vidmates-app[.]com – impersonates VidMate
paltpal-apk[.]com – impersonates PayPal
m-apkpures[.]com – impersonates APKPure
tlktok-apk[.]link – impersonates download portal for TikTok app
thundersbird[.]org – Impersonates the popular Thunderbird open-source email suite, dropping Vidar Stealer
codevisualstudio[.]org – Impersonates Microsoft’s Visual Studio Code to drop Vidar
braves-browsers[.]org – Impersonates the Brave web browser to drop Vidar
Other sites identified by Bleeping Computer researchers include:
|Mobile Apps & Services||TikTok|
|Software||Microsoft Visual Studio|
|Crypto and Stock trading||Trading View|
It is recommended that organizations focus on cybersecurity awareness training for its personnel as one security control to avoid typosquatting attacks. Users should only navigate to trusted sites from their own links or by identifying a reputable site from a search engine. In addition, users should be aware that they cannot trust links in advertisements or in email from untrusted parties. Due to the proliferation of Business Email Compromise (BEC), users should also be cautious of unusual messages from a trusted counterparts, partners, or internal personnel. Email security solutions and web browsing proxies can be configured to block close but not exact approximations of reputable sites as a technical control, as well.