
Typosquatting Campaign Impersonates Brand-Name Websites

Researchers at Cyble and Bleeping Computer recently detailed an ongoing, large-scale typosquatting campaign targeting several well-known, reputable websites. Typosquatting is the practice of registering a domain that closely resembles a legitimate one, with a few letters added, removed, or transposed, so that the prospective victim does not notice that the domain is illegitimate. Links to these malicious sites are then used in phishing emails and other social engineering attacks, as well as in advertisements on reputable sites. Users also arrive at these sites by misspelling a familiar name in the browser’s URL bar, particularly on mobile devices. The current campaign uses domain names very close to the originals, with an “s” added or a single letter substituted, in an attempt to evade user scrutiny. The malicious sites are close copies of the original websites, using the same images and formatting. Some of them attempt to harvest credentials for later use. Others act as download portals for phone apps such as PayPal, VidMate, Snapchat, and TikTok. A third group mimics popular Android app stores such as Google Play, APKCombo, and APKPure.

For example, the following sites delivered fake apps carrying ERMAC, a banking trojan that targets online bank accounts and cryptocurrency wallets, or the Vidar information stealer:

payce-google[.]com – impersonates Google Wallet
snanpckat-apk[.]com – impersonates Snapchat
vidmates-app[.]com – impersonates VidMate
paltpal-apk[.]com – impersonates PayPal
m-apkpures[.]com – impersonates APKPure
tlktok-apk[.]link – impersonates the download portal for the TikTok app
thundersbird[.]org – impersonates the popular Thunderbird open-source email suite, dropping Vidar Stealer
codevisualstudio[.]org – impersonates Microsoft’s Visual Studio Code to drop Vidar
braves-browsers[.]org – impersonates the Brave web browser to drop Vidar

Other impersonated brands identified by Bleeping Computer researchers, grouped by category:

Category                  Impersonated brands
Mobile apps & services    TikTok, VidMate, Snapchat, PayPal, APKPure, APKCombo, Google Wallet
Software                  Microsoft Visual Studio, Brave Browser, Thunderbird, Notepad++, Tor Browser
Cryptocurrency            TronLink, MetaMask, Phantom, Cosmos Wallet, Mintable, Ethermine, GenoPets
Crypto and stock trading  TradingView, IQ Option, NinjaTrader, Tiger.Trade
Websites                  Figma, Quatro Casinos, Big Time, CS:Money

Analyst Notes

It is recommended that organizations focus on cybersecurity awareness training for their personnel as one security control against typosquatting attacks. Users should navigate to trusted sites only from their own saved links or by identifying the reputable site through a search engine. In addition, users should be aware that they cannot trust links in advertisements or in email from untrusted parties. Given the proliferation of Business Email Compromise (BEC), users should also be cautious of unusual messages from trusted counterparts, partners, or internal personnel. As a technical control, email security solutions and web browsing proxies can be configured to block domains that are close but not exact approximations of reputable sites.
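The technical control described above, a gateway rule that flags domains one or two edits away from a protected brand name, is illustrated by the following added example. It is not code from the report or from either research team; the brand list, the allowlist of legitimate domains, the filler tokens and the edit-distance thresholds are assumptions made for this example. It applies the rule to the defanged domains listed earlier in the report, handling the "s" added, single letter substituted, and transposed-letter variants the opening paragraph describes, plus the case where the brand name is embedded in a longer label.

```python
"""Lookalike-domain check of the kind a mail gateway or web proxy can apply.

Added example: flags registered domains whose main label is a small edit
away from a protected brand name, or embeds it, unless the domain is on the
brand's own allowlist. The brand list, allowlist and filler tokens below are
assumptions made for this example, not data from the report.
"""

# Protected brand names mapped to domains the brand legitimately uses
# (allowlist entries assumed for this example; maintain from verified sources).
PROTECTED_BRANDS = {
    "google": {"google.com"},
    "snapchat": {"snapchat.com"},
    "vidmate": set(),
    "paypal": {"paypal.com"},
    "apkpure": {"apkpure.com"},
    "tiktok": {"tiktok.com"},
    "thunderbird": {"thunderbird.net"},
    "visualstudio": {"visualstudio.com"},
    "brave": {"brave.com"},
}

# Tokens attackers bolt on to make a label read like an app-download portal;
# they are dropped before comparing tokens with brand names.
FILLER_TOKENS = {"apk", "app", "apps", "m", "download", "downloads"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (single rolling row)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lowercase, strip a trailing dot, and accept defanged '[.]' notation."""
    return host.strip().lower().rstrip(".").replace("[.]", ".")


def registrable_label(host: str) -> str:
    """Second-to-last DNS label, e.g. 'paltpal-apk' for 'paltpal-apk.com'.

    Simplification: a production check should use the public suffix list so
    that names under 'co.uk' and similar suffixes are handled correctly.
    """
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_allowlisted(host: str) -> bool:
    """True if host is, or is under, a domain a protected brand really uses."""
    for domains in PROTECTED_BRANDS.values():
        for legit in domains:
            if host == legit or host.endswith("." + legit):
                return True
    return False


def lookalike_brand(host: str):
    """Return (brand, reason) if host looks like a protected brand, else None."""
    host = normalize(host)
    if is_allowlisted(host):
        return None
    label = registrable_label(host)
    tokens = [t for t in label.split("-") if t and t not in FILLER_TOKENS]
    compact = label.replace("-", "")
    for brand in PROTECTED_BRANDS:
        # Allow two edits for longer names, one for short ones, to limit noise.
        max_dist = 2 if len(brand) >= 6 else 1
        for tok in tokens:
            d = edit_distance(tok, brand)
            if d <= max_dist:
                return brand, f"token {tok!r} is {d} edit(s) from {brand!r}"
        # A longer brand embedded in the label, e.g. 'codevisualstudio'.
        if len(brand) >= 6 and brand in compact:
            return brand, f"label {label!r} contains {brand!r}"
    return None


def scan(hosts):
    """Map each host to the brand it imitates (hosts that pass are omitted)."""
    results = {}
    for h in hosts:
        hit = lookalike_brand(h)
        if hit:
            results[normalize(h)] = hit[0]
    return results


if __name__ == "__main__":
    # Domains named in the report, defanged as written there, plus two
    # legitimate hosts that must pass the check.
    sample = ["payce-google[.]com", "snanpckat-apk[.]com", "vidmates-app[.]com",
              "paltpal-apk[.]com", "m-apkpures[.]com", "tlktok-apk[.]link",
              "thundersbird[.]org", "codevisualstudio[.]org",
              "braves-browsers[.]org", "google.com", "mail.google.com"]
    for host, brand in scan(sample).items():
        print(f"{host:28} -> lookalike of {brand}")
```

The allowlist check runs before any similarity scoring so that a brand's own hosts, including subdomains, are never blocked; the edit-distance threshold scales with brand length because a single edit on a five-letter name is far more likely to collide with an unrelated word than two edits on an eleven-letter one. In a real deployment the brand list should be limited to the brands the organization actually cares about, since every additional name raises the false-positive rate.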

https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/