There is a massive malicious campaign underway using more than 200 typographical domains impersonating twenty-seven brands to trick visitors into downloading various malware for Windows and Android.
Typosquatting is an old way of tricking people into visiting a fake website by registering a domain name similar to the one used by the original brands.
The domains used in this campaign are very close to the original domains, featuring position swaps with one letter or extra “s”, making it easy for people to miss them.
In terms of appearance, in most cases BleepingComputer sees, malicious sites are copies of the originals or at least disguised enough, so there’s not much to give up on fraud.
Victims usually end up on these sites by mistakenly typing the name of the website they want to visit in the browser’s URL bar, which is common when typing on mobile.
However, users can also be directed to these sites via phishing emails or SMS, direct messages, malicious social media, forum posts, and other methods.
A wide network of fake websites
Some of the malicious sites were discovered by cyber intelligence firm Cyble, which published a report this week focusing on domains that mimic popular Android app stores like Google Play, APKCombo and APKPure, as well as download portals for PayPal, VidMate, Snapchat and TikTok.
Some of the domains used for this purpose are:
- payce- google[.]com – impersonate a Google Wallet
- snanpckat-apk[.]com – impersonate Snapchat
- vidmates-app[.]com – impersonate VidMate
- Paltpal-apk[.]com – impersonate PayPal
- m-apkpures[.]com – impersonate APKPure
- tlktok-apk[.]Link – impersonate download portal for TikTok app
In all of these cases, the malware that is delivered to users trying to download APK files is throw youa banking trojan targeting bank accounts and cryptocurrency wallets from 467 applications.
Part of a much larger campaign
While Sybil Report BleepingComputer focused on the campaign Android malware, and found a much larger campaign of typo from the same operators, distributing Windows malware.
This campaign consists of more than 90 websites created to spoof more than 27 popular Windows malware distribution brands, steal cryptocurrency recovery keys and, as described above, push Android malware.
| category | Plagiarized brands |
| Mobile applications and services | tik tok feedats snap chat PayPal APK pure APKCombo google wallet |
| Programming | Microsoft Visual Studio Brave Browser Thunderbird notepad + Tor Browser |
| Cryptocurrency | tronlink Metamsk ghost Cosmos wallet Mentable ethermine Genoa |
| Trade cryptocurrency and stocks | Trading View IQ Option NinjaTrader Tiger |
| Websites | figma Quatro . casinos great moment CS: Money |
A notable example of one such typographic site is the very popular Notepad++ text editor. This fake website uses the domain “notepads-plus-plus[.]org”, which is only a character away from the original in “notepad-plus-plus.org”.
Files from this site install the information-stealing malware Vidar Stealer, which has been inflated to 700MB to evade analysis.
Another site discovered by BleepingComputer impersonating the Tor Project using the domain “tocproject.com”. In this case, the website drops the Tesla keylogger proxy and RAT.
Digging deeper into the long list of domains, we found several programs targeting popular software such as:
- Thunderbird[.]org – Impersonates the popular open source email group Thunderbird, drops Vidar Stealer
- codevisualstudio[.]org – impersonate Microsoft Visual Studio Code to drop Vidar
- Brave browsers[.]org – Impersonate Brave web browser to drop Vidar
The diversity in the families of malware delivered to victims may indicate that campaign operators are experimenting with different strains to see what works best.
Another part of these sites targets cryptocurrency wallets and seed gates, which is a very profitable activity for threat actors.
For example, BleepingComputer found “ethersmine[.]com”, which is trying to steal the initial gateway to the visitor’s Ethereum wallet.
Other sites in the campaign target cryptocurrency holders and digital asset investors impersonating popular crypto wallets, trading apps, and NFT sites.
Of course, threat actors use multiple variants of each domain to cover as many bugs as possible, so these domains are only a small sample of the entire network of domains used in the campaign.
Some browsers such as Google Chrome and Microsoft Edge include write protection. However, in our tests, browsers did not block any of the domains we tested.
To protect yourself from typographical ranges, the best way to find a legitimate site is to search for a specific brand in a search engine.
However, you should avoid clicking on ads displayed in search results, as has already happened many cases where Malicious ads are generated To impersonate a real website.
#Typosquat #campaign #simulates #brands #push #Windows #Android #malware