Massive Typosquatting Campaign Uses over 200 Fake Domains
The Domains Spread Windows and Android Malware.
An ongoing campaign tricks users into downloading Windows and Android malware from typosquatting domains.
The massive malicious campaign uses over two hundred fake websites that mimic twenty-seven well-known brands to spread information-stealing malware, banking trojans, keyloggers, and other malware.
What Is Typosquatting
Typosquatting is done by registering a domain name that closely resembles one used by a legitimate brand, in order to lure visitors to the fake site and spread malware.
The malicious websites in this typosquatting campaign look almost identical to the original sites, and the domain names differ from the real ones by only a single letter. The threat actors created multiple variants of each domain, and although Google Chrome and Microsoft Edge include typosquatting protection, these sites have not been blocked.
Users reach these sites by mistyping the website name in the browser, or through phishing messages, malicious social-media and forum posts, and other means.
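One way a defender can hunt for this pattern in DNS or proxy logs is to flag hostnames whose core label sits one or two edits away from a brand keyword, or that embed a brand name with extra characters. The script below is an added example, not code from the article or the researchers it cites; the brand keyword list and lure-token list are assumptions, and the sample hostnames are constructed from the domains the article names.

```python
# Added example (not from the article): flag lookalike hostnames by edit
# distance to a brand keyword. Brand and lure-token lists are assumptions.

# Brand keyword (hyphens/dots removed) -> brand name. Assumed list.
BRANDS = {
    "notepadplusplus": "Notepad++", "torproject": "Tor Project",
    "snapchat": "Snapchat", "vidmate": "VidMate", "paypal": "PayPal",
    "apkpure": "APKPure", "tiktok": "TikTok", "google": "Google",
}
# Tokens squatters bolt on ("-apk", "-app"); ignored when comparing.
LURE_TOKENS = {"apk", "app", "apps", "download", "official"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def core_label(host: str) -> str:
    """Refang '[.]', lowercase, take the label left of the TLD, drop lure tokens."""
    labels = host.lower().replace("[.]", ".").strip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return "".join(t for t in sld.split("-") if t not in LURE_TOKENS)

def classify(host: str, max_edits: int = 2):
    """Return (brand, reason) if host looks like a squat, else None."""
    label = core_label(host)
    if label in BRANDS:
        return None  # the brand's own label (e.g. play.google.com), not a lookalike
    for keyword, brand in BRANDS.items():
        d = levenshtein(label, keyword)
        if d <= max_edits and d < len(keyword) // 2:
            return brand, f"{d} edit(s) from '{keyword}'"
        if keyword in label:  # noisier rule: brand name plus extra characters
            return brand, f"embeds '{keyword}' with extra characters"
    return None

# Constructed sample: domains the article lists plus two legitimate hosts.
SAMPLE_HOSTS = ["notepads-plus-plus[.]org", "tocproject.com", "snanpckat-apk[.]com",
                "paltpal-apk[.]com", "m-apkpures[.]com", "tlktok-apk[.]link",
                "payce-google[.]com", "notepad-plus-plus.org", "play.google.com"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:28} -> {classify(h) or 'no match'}")
```

The substring rule will also fire on legitimate third-party domains that contain a brand name, so in practice it belongs behind an allowlist of known-good registrable domains.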
Which Sites Have Typosquat Copies
Last week, several fake sites delivering the ERMAC banking trojan were discovered. According to Cyble, the typosquatting domains mimic popular Android app stores such as Google Play, APKCombo, and APKPure, as well as download portals for PayPal, VidMate, Snapchat, and TikTok.
Some of the fake websites are:
- payce-google[.]com – impersonates Google Wallet
- snanpckat-apk[.]com – impersonates Snapchat
- vidmates-app[.]com – impersonates VidMate
- paltpal-apk[.]com – impersonates PayPal
- m-apkpures[.]com – impersonates APKPure
- tlktok-apk[.]link – impersonates download portal for TikTok app
Besides these, over 90 typosquatting websites are distributing Windows malware, according to BleepingComputer. The domains impersonate over twenty-seven popular brands from areas such as:
- Mobile Apps & Services: TikTok, Vidmate, SnapChat, Paypal, APK Pure, APKCombo, Google Wallet
- Software: Microsoft Visual Studio, Brave Browser, ThunderBird, Notepad+, Tor Browser
- Cryptocurrency: TronLink, MetaMask, Phantom, Cosmos Wallet, Mintable, Ethermine, GenoPets
- Crypto and Stock trading: Trading View, IQ Option, NinjaTrader, Tiger.Trade
- Others: Figma, Quatro Casinos, Big Time, CS:Money
For example, “notepads-plus-plus[.]org” is the typosquat site for the Notepad++ text editor; it differs by only one letter from the authentic domain, “notepad-plus-plus.org”. This domain spreads the Vidar Stealer information-stealing malware.
Another site impersonates the Tor Project using the “tocproject[.]com” domain. In this case, the website drops the Agent Tesla keylogger and RAT.
The diversity of malware families being delivered could suggest that the attackers are testing various strains to see which works best.
To stay safe from typosquatting domains, it is best to look up a brand in a search engine rather than typing its address, and to avoid the ads in the search results, since malicious ads can be created to impersonate a legitimate website.