
Researchers Spot 200 Typosquatted Domains Mimicking 27 Brands

Bleeping Computer spotted a humongous campaign using hundreds of typosquatting domains to propagate Windows and Android malware. 

Typosquatting is a very popular technique used by cybercriminals to lure users into visiting a fake website by registering a domain that impersonates a legitimate brand.

Diving into details

  • The campaign leverages 200 typosquatting domains to impersonate at least 27 brands.
  • The domains look very similar to the legitimate ones, differing only by a single swapped letter or an additional ‘s’.
  • While targets usually end up on those sites by mistyping, they can also be tricked via phishing messages, SMS, and malicious social media posts.
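A defender-side check for the two typo patterns just described, added here as an example (it is not code from the article or from the researchers it cites): each queried name from a DNS log is scored against a brand allowlist with an edit distance that counts a substituted, added, dropped or transposed letter as one change, and names within one edit of a brand label are flagged. The allowlist domains, the log line format and the sample lines are assumptions constructed for the example.

```python
import re

# Allowlist of brand domains named in the article; the exact domains are an assumption
# made for this example (in practice, load your organisation's brand inventory).
LEGIT_DOMAINS = {"notepad-plus-plus.org", "torproject.org", "tiktok.com", "metamask.io"}
QUERY_RE = re.compile(r"query=(?P<qname>[A-Za-z0-9.-]+)")  # assumed DNS log format

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: substitution, insertion, deletion and adjacent
    transposition each cost 1, so every typo pattern the article describes scores 1."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable_label(domain: str) -> str:
    """Second-level label ('metamask' for 'www.metamask.io'); assumes a one-label suffix."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

LEGIT_LABELS = {registrable_label(d): d for d in LEGIT_DOMAINS}

def lookalike_of(domain: str) -> "str | None":
    """Brand domain whose label is within one edit of this one (also catches a swapped TLD)."""
    if domain.lower() in LEGIT_DOMAINS:
        return None
    label = registrable_label(domain)
    for legit_label, legit_domain in LEGIT_LABELS.items():
        if osa_distance(label, legit_label) <= 1:
            return legit_domain
    return None

def flag_dns_log(lines: list) -> list:
    """Return (queried name, imitated brand domain) pairs found in DNS query log lines."""
    names = [m.group("qname") for m in map(QUERY_RE.search, lines) if m]
    return [(n, t) for n in names if (t := lookalike_of(n))]

# Constructed sample DNS log lines (not from the article): a legitimate query, an added 's', two transposed letters, an unrelated name, and a swapped TLD.
SAMPLE_LOG = [
    "2022-10-24T10:01:02Z client=10.0.0.5 query=notepad-plus-plus.org type=A",
    "2022-10-24T10:01:09Z client=10.0.0.5 query=notepad-plus-pluss.org type=A",
    "2022-10-24T10:02:15Z client=10.0.0.8 query=metamsak.io type=A",
    "2022-10-24T10:03:40Z client=10.0.0.9 query=example.com type=A",
    "2022-10-24T10:04:01Z client=10.0.0.9 query=torproject.net type=A",
]
```

Names under multi-label public suffixes (co.uk and the like) need a Public Suffix List lookup in place of `registrable_label`, and a threshold of one edit will also flag genuine short brand names that happen to sit one letter apart, so review hits before blocking.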

How does the Android campaign work?

  • The Android malware campaign, discovered by Cyble, was found delivering the ERMAC banking trojan.
  • The typosquat domains masqueraded as popular Android app stores and download portals, including Google Play, APKPure, and APKCombo, as well as apps such as TikTok, PayPal, VidMate, and Snapchat.
  • The latest version of ERMAC is capable of targeting 467 applications.

What’s happening in the Windows campaign?

  • The Windows malware campaign has 90 domains that mimic over 27 brands, including TikTok, VidMate, Microsoft Visual Studio, and MetaMask, among others.
  • One of the most popular typosquat domains mimics the Notepad++ text editor; files downloaded from this site deliver the Vidar info-stealer.
  • Another domain mimics the Tor Project and delivers the Agent Tesla RAT.

Why this matters

The sheer number of malware families delivered signifies that the attackers are experimenting with multiple malware variants to see what works best. Furthermore, much of the malware targets cryptocurrency wallets and seed phrases, which has become a lucrative activity among threat actors.

The bottom line

The best way to protect yourself from becoming a victim of typosquat domains is to navigate to a brand's legitimate site and make sure not to mistype its address. Moreover, check twice before clicking on ad results displayed during a search, as hackers can also promote fraudulent websites via SEO poisoning techniques.
Cyware Publisher