October 25, 2022


A massive phishing campaign built on typosquatting is targeting Windows and Android users with malware, according to a threat intelligence firm and a cybersecurity news site.

More than 200 typosquatting domains are currently used in an ongoing campaign that impersonates 27 brands to trick Web surfers into downloading malicious software to their computers and phones, BleepingComputer reported Sunday.

Threat intelligence firm Cyble revealed the campaign in a blog last week. It reported that phishing websites impersonating Google Wallet, PayPal and Snapchat trick visitors into downloading fake Android applications that contain the ERMAC banking trojan.

BleepingComputer explained that while Cyble focused on the campaign’s Android malware, a much larger operation aimed at Windows is being run by similar threat actors. That campaign features more than 90 websites designed to push malware and steal cryptocurrency recovery keys.

Typosquatting is an age-old technique for redirecting cyberspace travelers to malicious websites. In this campaign, BleepingComputer explained, the domains used are very close to the originals, with a single letter swapped out or an “s” added to the name.

It added that the phishing sites also appear authentic. They are either clones of the real sites or close enough to fool a casual visitor.

Typically, victims land on the sites by mistyping URLs in the browser’s address bar, it continued, but the URLs are also distributed in emails, SMS messages and on social media.

“Typosquatting is not novel,” said Sherrod DeGrippo, vice president for threat research and detection at Proofpoint, an enterprise security company in Sunnyvale, Calif.

“ was accidentally sending visitors to a malicious site with drive-by malware downloads as early as 2006,” DeGrippo told TechNewsWorld.

Unusual scale

Although the campaign uses tried-and-tested phishing techniques, it does have some distinctive features, security experts told TechNewsWorld.

“The size of this campaign is unusual, even though the technology is old-school,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk prevention in Tel Aviv, Israel.

“This particular operation appears to be on a larger scale than typical typosquatting efforts,” said Jarrod Picker, a competitive intelligence analyst at Deep Instinct, a deep-learning cybersecurity company in New York City.

The focus on mobile apps is another departure from the norm, said Grayson Milbourne, director of security intelligence at OpenText Security Solutions, a global threat detection and response company.

“Targeting mobile apps and related websites with the goal of distributing malicious Android apps is something that is not new, but not as common as typosquatting that targets Windows software websites,” he said.

What’s interesting about the campaign is its reliance on both typing mistakes made by users and the deliberate delivery of malicious URLs to the target, observed Hank Schless, senior manager of security solutions at Lookout, a San Francisco-based provider of mobile phishing solutions.

“It appears that with a broad campaign there is a high chance of success if an individual or organization does not have proper security,” he said.

Why does typosquatting work?

Phishing campaigns that exploit typosquatting don’t need to be innovative to be successful, maintained Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.

“All typosquatting campaigns are quite effective without the need for advanced or new tricks,” he told TechNewsWorld. “And there are many advanced tricks, such as homoglyphic attacks, that add another layer that can fool even experts.”

Homoglyphs are characters that look alike, such as the letter O and the digit zero (0), or the uppercase I and the lowercase L (l), which are nearly indistinguishable in a sans-serif font such as Calibri.

“But you don’t find a ton of these more advanced attacks out there because they don’t need them to be successful,” Grimes continued. “Why work hard when you can work easily?”

Abhay Bhargav, CEO of AppSecEngineer, a security training provider in Singapore, said typosquatting works because of trust.

Bhargav told TechNewsWorld, “People have become so used to seeing and reading well-known names that they trust a site, app or software package that has almost the same name and the same logo as the original product.”

“People don’t stop to think about minor spelling discrepancies or domain discrepancies that differentiate the original product from the fake,” he said.

Some domain registrars guilty

Picker explained that it’s all too easy to “fat finger” when typing a URL, so PayPal becomes PalPay.

“It will get loads of hits,” he said, “especially since typosquatting attacks typically present a web page that is essentially a clone of the original.”

“Attackers also snatch away multiple similar domains to ensure that many different typos will match,” he said.
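As an added example (not from the article or any of the vendors quoted in it), the following Python sketch shows how a defender’s brand-protection watchlist can flag the two tricks described above: single-character edits such as PalPay for PayPal or an appended “s”, and homoglyph substitutions such as 0 for O or 1 for l. The brand list, the homoglyph table and the sample domains are constructed for illustration.

```python
# Added example, not from the article or the vendors quoted in it.
# Flags lookalike domains against a small brand watchlist using the two
# tricks discussed above: single-character edits (PalPay, an appended "s")
# and homoglyph substitution (0 for O, 1 for l). Watchlist and sample
# domains are constructed for illustration.
from typing import Optional

# Glyph pairs that are hard to tell apart in common sans-serif fonts,
# folded to one canonical form before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l", "5": "s"}

BRANDS = ["paypal", "snapchat", "google"]  # constructed watchlist


def normalize(label: str) -> str:
    """Lower-case a DNS label and fold homoglyphs, so 'paypa1' -> 'paypal'."""
    label = label.lower()
    for glyph, canon in HOMOGLYPHS.items():
        label = label.replace(glyph, canon)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[dict]:
    """Return {'brand', 'reason'} if the leftmost label mimics a brand, else None.

    An exact brand name is treated as the legitimate site and not flagged.
    """
    label = domain.lower().split(".")[0]
    folded = normalize(label)
    for brand in BRANDS:
        if label == brand:
            return None
        if folded == normalize(brand):
            return {"brand": brand, "reason": "homoglyph"}
        dist = levenshtein(folded, normalize(brand))
        # Longer names tolerate two edits (PalPay/PayPal); short ones only one.
        if dist <= (2 if len(brand) >= 6 else 1):
            return {"brand": brand, "reason": f"edit distance {dist}"}
    return None


SAMPLE_DOMAINS = ["paypal.com", "palpay.com", "paypa1.com",
                  "snapchats.com", "goog1e.com", "example.com"]  # constructed

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:16} {classify(d) or 'clean'}")
```

In practice the watchlist would be fed from newly registered domain feeds or certificate transparency logs rather than a static list.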

Grimes stressed that even the current domain registration system doesn’t help matters.

“The problem is made worse because some services allow bad websites to obtain TLS/HTTPS domain certificates, which many users believe is safe and secure,” he explained. “More than 80% of malware websites have digital certificates. It makes fun of the entire public key infrastructure system.”

“On top of that,” Grimes continued, “the Internet domain naming system is broken, apparently allowing rogue Internet domain registrars to obtain rich registration domains that are easy to see, used in some sort of misdirection attack. Profit incentives, which reward registrants for looking the other way, are a big part of the problem.”

Mobile browsers more vulnerable

Hardware form factors can also contribute to the problem.

“Typosquatting is far more effective on mobile devices because of how mobile operating systems are built to simplify the user experience and reduce clutter on small screens,” explained Schless.

“Mobile browsers and apps shorten URLs to improve their user experience, so the victim may not see the full URL in the first place, much less typos,” he continued. “People usually don’t preview URLs on mobile, which is something they can do by hovering over a computer.”

Typosquatting is certainly more effective for phishing on mobile phones because URLs aren’t fully visible, agreed the CISO and co-founder of Tresorit, an email encryption-based security solutions company in Zurich.

“To run Trojans, not so much because people usually use apps or the Play Store,” he told TechNewsWorld.

How to prevent typosquatting

To avoid falling victim to typosquatting phishing, Picker advises users not to follow links in SMS messages or emails from unknown senders.

He also advised caution while typing URLs, especially on mobile devices.

“When in doubt, the user can directly Google the established domain name, rather than simply clicking on the link,” DeGrippo said.

In the meantime, Schless suggested that people should trust their mobile devices a little less.

“We know how to install anti-malware and anti-phishing solutions on our computers, but there is an inherent belief in mobile devices such that we feel it is not necessary to do so on iOS and Android devices,” he said.

“This campaign is one of countless examples of how threat actors leverage that trust against us,” he said, adding that it demonstrates why it’s important to have a security solution built specifically for mobile threats on smartphones and tablets.