Beware of these fake sites! Google Play, APKPure, PayPal, VidMate… 27 spoofed brands to install malware


Alexander Boero

October 24, 2022 at 10:45 a.m.



A malicious site, which here pretends to be PayPal (© BleepingComputer)

Hackers are using the age-old technique of typosquatting to trick Internet users, impersonating many brands through malicious app stores and download portals.

Are you familiar with typosquatting? Hackers are carrying out a campaign described as "massive", using several dozen domains through which they spoof a total of 27 often very popular brands to trick users into downloading malware, on both Windows and Android.

A technique based on small typing errors

Typosquatting is not quite as old as computers, but almost. It is also a kind of social engineering attack, in that it relies on Internet users mistyping a URL directly into their browser's address bar. In other words, you are not risking much if you reach a site through a search engine.

However, it can happen, inadvertently and perhaps more easily on mobile, that you type, for example, "amazone.fr" instead of "amazon.fr" in your address bar (not to be confused with the search box). Or that you spell "lequipe.fr" as "lepique.fr". While these are crude-looking examples based on swapping or adding a single letter or character, be aware that such URL hijacks are common.

So what happens once you hit your "Enter" key? If, by bad luck, you land not on the site you thought you had typed but on a malicious site that imitates the original well enough, nothing will alert you, since you are not aware of having mistyped the name in the address bar.

Typosquatting plays on small subtleties, then tricks users into downloading malware

The company Cyble, whose report was relayed by BleepingComputer, published the list of domains imitating Android application stores such as Google Play, APKPure and APKCombo, as well as download portals redirecting desktop and mobile users to malicious versions of PayPal, Snapchat, TikTok or VidMate. A total of 27 brands have so far been impersonated by the cybercriminals; TikTok, Google Wallet, Microsoft Visual Studio, NinjaTrader and the Brave and Tor browsers are among them. 90 sites have been specially created by the hackers to try to trick victims.


The site "tocrprojet", with an extra "c", imitates Tor (© BleepingComputer)

By tricking users into downloading APK files, the hackers get them to install various malware, such as ERMAC, a banking Trojan that targets the customers of banks and financial institutions around the world. In this campaign, it goes after the bank accounts and cryptocurrency wallets accessed through multiple apps.

These impersonated sites and services trick users into downloading Windows or Android malware, in an attempt to steal cryptocurrency recovery keys, among other things. The domain "notepads-plus-plus.org", for example, is used to deceive users wanting to reach the official site of the text editor, "notepad-plus-plus.org" (you will have noticed the small difference between the two domain names), a textbook case of typosquatting. It delivers the information-stealing malware Vidar Stealer, whose file is padded to 700 MB in order to escape analysis.

A fake Notepad++ site (© BleepingComputer)
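The lookalike domains quoted in this article (amazone.fr, notepads-plus-plus.org, tocrprojet) all sit within one or two typing slips of the real name, which is exactly what a defender can check for in proxy or DNS logs. The following is an added example, not code from the article or from Cyble's report; the watch list of protected domains and the edit-distance thresholds are assumptions to adapt to your own brands.

```python
# Constructed watch list of legitimate domains (assumption: extend with your own brands).
PROTECTED_DOMAINS = [
    "amazon.fr",
    "lequipe.fr",
    "notepad-plus-plus.org",
    "torproject.org",
    "paypal.com",
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions, substitutions and adjacent
    transpositions: the kinds of typing slip that typosquatting relies on."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def registrable_label(host: str) -> str:
    """Reduce a typed URL or hostname to the part that is compared:
    'https://www.amazone.fr/x' becomes 'amazone.fr'."""
    host = host.lower().split("://")[-1].split("/")[0].split(":")[0]
    return host[4:] if host.startswith("www.") else host


def classify(host: str) -> tuple:
    """Return ('exact', brand), ('lookalike', brand) or ('unrelated', None).
    Tolerance: one edit for short brands, two for brands over 12 characters."""
    label = registrable_label(host)
    best = None
    for brand in PROTECTED_DOMAINS:
        if label == brand:
            return "exact", brand
        limit = 2 if len(brand) > 12 else 1
        d = damerau_levenshtein(label, brand)
        if d <= limit and (best is None or d < best[0]):
            best = (d, brand)
    return ("lookalike", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    for h in ["amazone.fr", "notepads-plus-plus.org", "tocrprojet.org", "lepique.fr"]:
        print(h, classify(h))
```

Note that the article's "lepique.fr" example is several edits away from "lequipe.fr" and escapes a one-edit rule, so an edit-distance check should be paired with a blocklist of reported domains rather than used alone.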

So be very careful when typing a URL into your browser's address bar. All the more so because many of these URLs reportedly bypass the detection of browsers that are supposed to include protection against typosquatting, such as Google Chrome and Microsoft Edge.

Source : BleepingComputer
