A large-scale phishing campaign built on typosquatting is targeting Windows and Android users with malware, according to a threat intelligence firm and cybersecurity website.
The campaign currently underway uses more than 200 typosquatting domains that impersonate 27 brands to hoodwink web surfers to download malicious software to their computers and phones, BleepingComputer reported Sunday.
Threat intelligence firm Cyble revealed the campaign last week in a blog. It reported that the phishing websites deceive visitors into downloading fake Android applications impersonating Google Wallet, PayPal, and Snapchat, which contain the ERMAC banking Trojan.
BleepingComputer explained that while Cyble focused on the campaign’s Android malware, a much larger operation aimed at Windows is being deployed by the same threat actors. That campaign has more than 90 websites crafted to push malware and steal cryptocurrency recovery keys.
Typosquatting is an old technique for redirecting cyberspace travelers to malicious websites. In this campaign, BleepingComputer explained, the domains used are very close to the originals, with a single letter swapped out of the domain or an “s” added to it.
The phishing sites look authentic, too, it added. They’re either clones of the real sites or enough of a knock-off to fool a casual visitor.
Typically, victims end up at the sites by making a typo in a URL entered on the address bar of a browser, it continued, but the URLs are also sometimes inserted in emails, SMS messages, and on social media.
“Typosquatting is not novel,” said Sherrod DeGrippo, vice president for threat research and detection at Proofpoint, an enterprise security company in Sunnyvale, Calif.
“Goggle.com was sending accidental visitors to a malicious site with drive-by malware downloads as early as 2006,” DeGrippo told TechNewsWorld.
Although the campaign uses tried-and-true phishing techniques, it has some distinguishing characteristics; security experts told TechNewsWorld.
“The size of this campaign is unusual, even if the technique is old-school,” observed Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, in Tel Aviv, Israel.
“This particular campaign appears to be much larger in scale than typical typosquatting attempts,” added Jerrod Piker, a competitive intelligence analyst with Deep Instinct, a deep learning cybersecurity company in New York City.
Focusing on mobile apps is another departure from the norm, noted Grayson Milbourne, security intelligence director at OpenText Security Solutions, a global threat detection and response company.
“The targeting of mobile apps and associated websites with the goal of distributing malicious Android apps is something that isn’t new but isn’t as common as typosquatting that targets Windows software websites,” he said.
What’s interesting about the campaign is its reliance on both typing mistakes made by users and the intentional delivery of malicious URLs to targets, observed Hank Schless, senior manager for security solutions at Lookout, a San Francisco-based provider of mobile phishing solutions.
“This appears to be a well-rounded campaign with [a] high chance of success if an individual or organization doesn’t have proper security in place,” he said.
Why Typosquatting Works
Phishing campaigns that exploit typosquatting don’t need to be innovative to succeed, maintained Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
“All typosquatting campaigns are fairly effective without needing advanced or new tricks,” he told TechNewsWorld. “And there are many advanced tricks, such as homoglyphic attacks, that add another layer that could fool even the experts.”
Homoglyphs are characters that resemble each other, such as the letter O and zero (0), or the uppercase I and the lowercase letter l (EL), which look identical in a sans serif font, like Calibri.
“But you don’t find a ton of these more advanced attacks out there because they don’t need them to be successful,” Grimes continued. “Why work hard when you can work easy?”
Typosquatting works because of trust, contended Abhay Bhargav, CEO of AppSecEngineer, a security training provider in Singapore.
“People are so used to seeing and reading well-known names that they think a site, app, or software package named nearly the same and with the same logo is the same as the original product,” Bhargav told TechNewsWorld.
“People don’t stop to think about the minor spelling discrepancies or the domain discrepancies that distinguish the original product from the fake,” he said.
Some Domain Registrars Blameworthy
Piker explained that it’s very easy to “fat finger” while typing a URL, so PayPal becomes PalPay.
“It would get loads of hits,” he said, “especially since typosquatting attacks generally present a web page that is essentially a clone of the original.”
“Attackers also snatch up several similar domains to ensure that many different typos will match,” he added.
The present domain registration systems don’t help matters either, Grimes asserted.
“The problem is made worse because some services let bad websites get TLS/HTTPS domain certificates, which many users believe means the website is safe and secure,” he explained. “Over 80% of malware websites have a digital certificate. It makes a mockery of the whole public key infrastructure system.”
“On top of that,” Grimes continued, “the internet domain naming system is broken, allowing obviously rogue internet domain registrars to get rich registering domains which are easy to see are going to be used in some sort of misdirection attack. The profit incentives, which reward registrars for looking the other way, are a big part of the problem.”
Mobile Browsers More Susceptible
Hardware form factors can also contribute to the problem.
“Typosquatting is far more effective on mobile devices because of how mobile operating systems are built to simplify user experience and minimize clutter on the smaller screen,” Schless explained.
“Mobile browsers and apps shorten URLs to improve their user experience, so the victim might not be able to see the full URL in the first place, much less spot a typo in it,” he continued. “People don’t usually preview a URL on mobile, which is something they might do on a computer by hovering over it.”
Typosquatting is definitely more effective for phishing on mobile phones because the URLs aren’t fully visible, agreed Szilveszter Szebeni, CISO and the co-founder of Tresorit, an email encryption-based security solutions company in Zurich.
“For running Trojans, not so much, because people usually use the app or play stores,” he told TechNewsWorld.
How To Protect Against Typosquatting
To protect themselves from becoming a victim of typosquatting phishing, Piker recommended users never follow links in SMS messages or emails from unknown senders.
He also advised taking care when typing URLs, especially on mobile devices.
DeGrippo added, “When in doubt, a user can Google the established domain name directly instead of clicking on a direct link.”
Meanwhile, Schless suggested that people be a little less trusting of their mobile devices.
“We know to install anti-malware and anti-phishing solutions on our computers, but have an inherent trust in mobile devices such that we think it’s not necessary to do the same on iOS and Android devices,” he said.
“This campaign is one of countless examples of how threat actors leverage that trust against us,” he noted, “which shows why it’s critical to have a security solution built specifically for mobile threats on your smartphone and tablet.”