This typosquatting campaign is using over 200 domains to compromise Windows and Android users
A huge malware distribution campaign has been detected that uses more than 200 malicious domains and masquerades as more than two dozen global brands to spread all kinds of malware for both Android and Windows operating systems.
Cybersecurity researchers at Cyble first observed the campaign spreading various malware among Android users.
In the campaign, the unknown threat actors have set up numerous domains that appear almost identical to the real domains of major brands such as PayPal, Snapchat, TikTok and others. Each lookalike domain differs from the genuine one by only a single character that is substituted, missing or extra.
Android and Windows users attacked
This type of fraud is commonly referred to as “typosquatting” and is used in all sorts of attacks, for example on GitHub, where attackers create repositories with names nearly identical to legitimate repositories to distribute malware.
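The one-character pattern described above (a substituted, missing or extra character) can be checked mechanically. The following is an added example, not code from the article or from Cyble or BleepingComputer: it flags hostnames in a constructed DNS query log that are exactly one edit away from a small, assumed allowlist of brand domains, so a defender can surface likely typosquats for review.

```python
# Constructed allowlist of legitimate brand domains named in the article.
BRAND_DOMAINS = {"paypal.com", "snapchat.com", "tiktok.com"}

def is_one_edit_away(candidate: str, legit: str) -> bool:
    """True if candidate differs from legit by exactly one character that is
    substituted, missing or extra (the pattern the campaign relies on)."""
    if candidate == legit:
        return False
    a, b = (candidate, legit) if len(candidate) >= len(legit) else (legit, candidate)
    if len(a) - len(b) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i, j = i + 1, j + 1  # substituted character
        else:
            i += 1  # extra (or missing) character in the longer string
    # A leftover trailing character in the longer string is one more edit.
    return edits + (len(a) - i) + (len(b) - j) == 1

def typosquat_matches(hostname: str) -> list[str]:
    """Brand domains that hostname's registrable part is one edit away from.
    Uses the last two labels as the registrable part (no public-suffix list)."""
    registrable = ".".join(hostname.lower().rstrip(".").split(".")[-2:])
    return [b for b in sorted(BRAND_DOMAINS) if is_one_edit_away(registrable, b)]

# Constructed sample DNS query log: "<client> <queried hostname>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.paypal.com
10.0.0.7 paypa1.com
10.0.0.9 tiktokk.com
10.0.0.3 snpchat.com
10.0.0.4 example.org
"""

def scan_log(log: str = SAMPLE_LOG) -> list[tuple[str, str, str]]:
    """Return (client, hostname, brand) for each query that looks typosquatted."""
    hits = []
    for line in log.splitlines():
        client, host = line.split()
        hits += [(client, host, brand) for brand in typosquat_matches(host)]
    return hits
```

Exact matches and subdomains of a brand (such as www.paypal.com) are not flagged; only registrable domains one edit away from a listed brand are.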
BleepingComputer then expanded on this research and found numerous other domains that distribute malware to Windows users as well. How these domains are promoted is not known for certain, but the publication suggests that either the victims themselves mistype the domains on their devices, or the threat actors rely on phishing and other forms of social engineering. SEO poisoning should not be ruled out either.
The researchers also found that the threat actors were using this large typosquatting campaign to deliver several different malware families. In some cases they distributed the Vidar Stealer, and in others Agent Tesla. Vidar is capable of stealing banking information, saved passwords, browsing history, IP addresses, cryptocurrency wallet details and, in some cases, MFA information as well. Agent Tesla, first discovered about eight years ago, is able to steal credentials from many popular apps, including web browsers, VPN software, and FTP and email clients.
The researchers believe that the threat actors are currently experimenting with different malware variants until they see what works best. In addition to malware, the researchers also found the ether mine[.]com website trying to steal seed phrases for people’s Ethereum wallets.
Via: BleepingComputer