A massive typosquatting campaign using various fraudulent domains to infect unsuspecting users' Windows and Android devices with malware has recently been found.
Typosquatting, also known as URL hijacking, is a form of cyberattack wherein threat actors trick unsuspecting users into visiting a fraudulent website by registering a domain name similar to the ones used by genuine brands. Typically, users end up on these malicious websites when they mistype the domain of the website they want to visit. They can also be lured to these websites via phishing emails, SMS messages, direct messages, and malicious social media and forum posts.
In the typosquatting campaign recently discovered by BleepingComputer, the domains used by the cybercriminals feature a single letter swap or an additional character, making them look genuine. Their websites also look very similar to the authentic ones, making it difficult for users to see that they are on a fraudulent site.
Crafty fraudulent domains
Some of the malicious domains imitated popular Android app stores such as Google Play, APKCombo, and APKPure, as well as download portals for PayPal, Snapchat, VidMate, and TikTok. For instance, the cybercriminals used "paltpal-apk[.]com" for PayPal's Android app download link, and "tlktok-apk[.]link" for TikTok. Downloading files from these links will infect an Android device with a banking trojan.
However, the typosquatting campaign was also found distributing Windows-based malware. According to BleepingComputer, there are over 90 websites designed to impersonate over twenty-seven popular brands. Not only do these websites infect devices with malware, but they also steal cryptocurrency recovery keys.
One notable example is the domain for Visual Studio Code. The fraudulent website uses the domain "codevisualstudio[.]org," which is very similar to the authentic "code.visualstudio.com" domain. If a visitor downloads the fake software in the page, their device will be infected with a spyware program.
Another is "ethersmine[.]com", a fake version of the "ethersmine.org" domain. If a user connects their Ethereum wallet on the former, cybercriminals can easily steal their wallet information.
To mitigate the risk of falling for typosquatting attacks, always be mindful when typing a website in your web browser’s address bar. Use antivirus software as well to check if a website is safe to visit and prevent the page from downloading malicious code. Finally, use two-factor authentication to ensure that even if a threat actor acquires your username and password, they will still not be able to access your account.