Typosquatting domains imitating brands are seen pushing malware

November 2, 2022
Typosquatting, Malicious Domains, DNS, Brand Protection, Malware Propagation, Fake Websites, DNS Intelligence

More than 200 typosquatting domains imitating 27 different brands have recently been identified; they lure victims into downloading malware onto their devices. The investigation of the campaign shows that the malicious sites are convincing in appearance, so the operators are likely succeeding in victimising people.

In a typosquatting campaign, the attackers register domains that closely resemble the legitimate ones they imitate. Most of these malicious domains differ from the real domain by only a single letter or character, which victims are likely to overlook, and this is what makes the campaigns effective. Experts note that victims can arrive at these sites either through typographical errors when typing a URL or via phishing links delivered by email, text message, and social media.
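The one-character difference described above is exactly what a brand-protection or DNS-intelligence team can check for mechanically. The following is an added example (not code from the original article or from the researchers it cites) that flags observed domains lying within one edit of a protected brand domain, counting a single omission, insertion, substitution or adjacent transposition as one edit, and folding common look-alike characters (such as the digit 1 for the letter l) before comparing. The brand list and the observed domains are constructed for illustration; the lookalike domains are hypothetical and are not the ones found in the campaign.

```python
"""Flag observed domains that are one edit away from a protected brand domain."""
from typing import Dict, List, Tuple

# Characters attackers substitute because they look alike in many fonts.
# Applied before comparison so that "paypa1.com" compares as "paypal.com".
HOMOGLYPHS: Dict[str, str] = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, and fold look-alike characters."""
    d = domain.lower().rstrip(".")
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition.

    Omission, insertion, substitution and swapping two neighbouring characters
    each cost 1, so every single-character typo in the article's sense scores 1.
    """
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # omission
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def flag_lookalikes(observed: List[str], brands: List[str],
                    max_distance: int = 1) -> List[Tuple[str, str, int]]:
    """Return (observed_domain, brand_domain, distance) for every lookalike.

    Exact matches of a legitimate brand domain are never flagged; everything
    else whose normalized form is within max_distance of a normalized brand is.
    """
    exact = {b.lower().rstrip(".") for b in brands}
    hits: List[Tuple[str, str, int]] = []
    for cand in observed:
        if cand.lower().rstrip(".") in exact:
            continue  # the genuine domain itself
        nc = normalize(cand)
        for brand in brands:
            dist = osa_distance(nc, normalize(brand))
            if dist <= max_distance:
                hits.append((cand, brand, dist))
    return hits


# Constructed sample: brands to protect (real legitimate domains) and a batch of
# observed domains, e.g. from newly-registered-domain or passive-DNS feeds.
# The lookalikes below are hypothetical, not domains from the reported campaign.
PROTECTED_BRANDS = ["paypal.com", "notepad-plus-plus.org", "brave.com"]
OBSERVED = [
    "paypal.com",                # legitimate, must not be flagged
    "paypa1.com",                # homoglyph: digit 1 for letter l
    "payapl.com",                # adjacent transposition
    "paypall.com",               # inserted letter
    "notepad-plus-plus.org",     # legitimate
    "notepad-pius-plus.org",     # substituted letter
    "notepad-plus-pIus.org",     # capital I for l (folds to i, one substitution)
    "brave.com",                 # legitimate
    "totally-unrelated.example", # no relation to any brand
]

if __name__ == "__main__":
    for cand, brand, dist in flag_lookalikes(OBSERVED, PROTECTED_BRANDS):
        print(f"LOOKALIKE  {cand:28s} ~ {brand:24s} (distance {dist})")
```

The homoglyph table is deliberately small and the folding is lossy: a genuine brand whose name contains a digit (for example one beginning with "3") would be folded as well, so such brands should be compared without normalization. Very short brand labels also produce false positives at distance 1 and are better handled with an explicit allow list than with the generic threshold.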


Some popular brands mimicked by the typosquatting domains include Google Play, TikTok, Snapchat, PayPal, MS Visual Studio Code, Thunderbird email suite, and Brave browser.


The researchers also report that the malware pushed by this campaign is the ERMAC Android banking trojan, which targets the accounts of over 400 banking and cryptocurrency wallet applications. Aside from ERMAC, the typosquatting domains also distribute an as yet unidentified Windows malware that steals cryptocurrency wallet recovery keys.

One of the imitated sites is that of the Notepad++ text editor, for which the operators used a typosquatting domain that differs by only one letter from the legitimate one. Once a victim runs the installer downloaded from the site, the Vidar Stealer malware is installed on their computer.

The use of different malware strains across the campaign suggests that the operators are testing which one yields the most profit. They are focused on gaining access to victims' machines in order to steal cryptocurrency assets and financial information, which is the quickest route to large sums of money.

The researchers also believe that their findings cover only a portion of the typosquatting domains these threat actors have registered. Furthermore, although popular browsers such as Google Chrome and MS Edge have typosquatting protection features, none of the malicious domains tested in the investigation were blocked.

Researchers advise users not to rely on search engine advertisement results when looking for software downloads, since threat actors buy such ads to rank their malware-laden websites above the legitimate ones.
