News, 24.10.2022, 11:00 AM
BleepingComputer has warned of a massive “typosquatting” campaign that uses over 200 domains masquerading as the sites of 27 brands, from which visitors download various Windows and Android malware.
“Typosquatting” is an old scam technique: scammers register a domain name that closely resembles the one used by a real brand, so that people who mistype or misread the address land on a fake website.
The domains used in this campaign differ from the real ones by a single character, either one letter substituted or one letter added. The fake websites are copies of the originals, or at least convincing enough that there is little to alert a visitor that they are in the wrong place.
Victims usually end up on these sites by mistyping the name of the website they want into the browser’s address bar, which is easy to do on a mobile phone keyboard.
However, users can also be led to these sites through phishing emails or SMS, direct messages, posts on social networks and forums, and other means.
Some of the malicious sites were discovered by cybersecurity firm Cyble, which spotted domains impersonating popular Android app stores such as Google Play, APKCombo, and APKPure, as well as download pages for PayPal, VidMate, Snapchat, and TikTok. For example, payce-google[.]com impersonates Google Wallet, snanpckat-apk[.]com mimics Snapchat, vidmates-app[.]com imitates VidMate, paltpal-apk[.]com imitates PayPal, m-apkpures[.]com mimics APKPure, and tlktok-apk[.]link poses as a portal for downloading the TikTok app.
In all these cases, the malware delivered to users trying to download the APKs is ERMAC, a banking trojan that targets bank accounts and cryptocurrency wallets in 467 apps.
BleepingComputer then discovered a much larger “typosquatting” campaign by the same operators, one that distributes Windows malware. This campaign uses more than 90 websites impersonating the sites of 27 popular brands, and its goals are to infect Windows users’ devices with malware, steal cryptocurrency recovery keys, and distribute Android malware.
One of the fake sites poses as the site of the very popular text editor Notepad++. It uses the domain “notepads-plus-plus[.]org”, which has just one extra “s” compared with the authentic “notepad-plus-plus.org”. The files users download from this site install the Vidar Stealer information-stealing malware.
BleepingComputer also spotted a fake Tor Project site at the domain “tocproject[.]com” (a “c” in place of the “r” of torproject.org). In this case, the website infects visitors’ devices with the Agent Tesla keylogger and RAT.
Other very popular software impersonated by decoy sites in this campaign includes thundersbird[.]org (Thunderbird), codevisualstudio[.]org (Microsoft’s Visual Studio Code), and braves-browsers[.]org (the Brave web browser). All three sites infect visitors’ computers with Vidar Stealer.
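The article describes the lure as a domain that differs from the real one by a single substituted or added letter, or that wraps a mangled brand name in a longer label such as “tlktok-apk”. The script below is an added example, written for this page and not code from the article, BleepingComputer or Cyble: it flags candidate domains by edit distance to a list of protected brand names and is run against the defanged domains quoted above plus two legitimate ones. It assumes the hostnames in PROTECTED are the brands’ real sites, splits off the TLD naively (a production version would use the Public Suffix List), and uses illustrative thresholds.

```python
"""Flag look-alike ("typosquat") domains by edit distance to protected brand names.

Added example for this article, not code from BleepingComputer or Cyble.
Assumptions: PROTECTED holds the real hostnames of the brands the article
names; the TLD is split off naively (use the Public Suffix List in
production); the edit thresholds are illustrative, not tuned.
"""
import re

# Legitimate hostnames of brands the article says were impersonated (assumed).
PROTECTED = {
    "notepad-plus-plus.org", "torproject.org", "thunderbird.net",
    "code.visualstudio.com", "brave.com", "apkpure.com",
    "snapchat.com", "paypal.com", "tiktok.com",
}

SEP = re.compile(r"[.-]")


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each cost 1. This covers the article's
    'one letter substituted or one letter added' as well as fat-finger swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def refang(host: str) -> str:
    """Undo the defanging used in reports ('example[.]com') and normalise case."""
    return host.strip().lower().rstrip(".").replace("[.]", ".").replace("(.)", ".")


def registrable_label(host: str) -> str:
    """Everything left of the last label. Naive: 'shop.example.co.uk' would need
    the Public Suffix List; it is enough for the single-label domains here."""
    return host.rsplit(".", 1)[0] if "." in host else host


def max_edits(name: str) -> int:
    """Allowed distance grows with length, so 'brave' is not matched by every
    five-letter word while 'snanpckat' still matches 'snapchat'."""
    return 1 if len(name) < 6 else 2


def check_domain(candidate: str):
    """Return a reason string if `candidate` looks like a typosquat of a
    protected brand, or None if it is the brand's own site or unrelated."""
    host = refang(candidate)
    if host in PROTECTED:
        return None
    label = registrable_label(host)               # 'tlktok-apk'
    squashed = SEP.sub("", label)                 # 'tlktokapk'
    tokens = [t for t in SEP.split(label) if t]   # ['tlktok', 'apk']
    for brand_host in sorted(PROTECTED):
        brand_label = registrable_label(brand_host)
        brand_key = SEP.sub("", brand_label)      # 'codevisualstudio'
        # 1. Whole name within a couple of edits: notepads-plus-plus,
        #    tocproject, or the real name on a different TLD (distance 0).
        dist = osa_distance(squashed, brand_key)
        if dist <= max_edits(brand_key):
            return f"{brand_host}: name within {dist} edit(s)"
        # 2. Brand name mangled inside a longer label ('paltpal-apk');
        #    short generic brand tokens such as 'code' or 'plus' are skipped.
        for brand_tok in (t for t in SEP.split(brand_label) if len(t) >= 5):
            for tok in tokens:
                dist = osa_distance(tok, brand_tok)
                if dist <= max_edits(brand_tok):
                    return f"{brand_host}: token {tok!r} within {dist} edit(s) of {brand_tok!r}"
    return None


if __name__ == "__main__":
    # Constructed input: the domains quoted in the article, as printed, plus two legitimate ones.
    for dom in ["notepads-plus-plus[.]org", "tocproject[.]com", "thundersbird[.]org",
                "codevisualstudio[.]org", "braves-browsers[.]org", "snanpckat-apk[.]com",
                "paltpal-apk[.]com", "m-apkpures[.]com", "tlktok-apk[.]link",
                "notepad-plus-plus.org", "example.com"]:
        print(f"{dom:28} -> {check_domain(dom)}")
```

The two-stage check matters because a plain edit distance over the whole name misses the “brand-apk” pattern: “tlktokapk” is four edits from “tiktok”, but the token “tlktok” is only one. In a real pipeline the candidate list would come from certificate-transparency logs or newly registered domain feeds rather than a hard-coded list, and hits would be reviewed by a person, since dictionary words near a short brand name will produce false positives at these thresholds.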
The variety of malware delivered to victims may indicate that campaign operators are experimenting with different malware to see what works best.
Some of these sites also target cryptocurrency wallets.
Browsers such as Google Chrome and Microsoft Edge have typosquatting protection, but in these cases they did not block any of the domains, so users cannot rely on the browser alone to catch them.
To protect yourself from such attacks, the safest way to reach a legitimate site is to search for the brand in a search engine, or to use a bookmark saved from a previous visit. Avoid the ads displayed in search results, as there have been many cases where ads have led people to fake websites, and check the address bar letter by letter before downloading anything, since these domains differ from the real ones by a single character.