Attackers Spread Typosquatting Scams


Scammers are widely using fake domain names that resemble legitimate domains to collect sensitive data

Typosquatting is a widespread problem on the web, as scammers register domains similar to popular websites to trick users who accidentally mistype a domain name. Several recent web security studies suggest that Internet users need to be more careful about their typing to avoid web scams and getting compromised by malicious sites.

Researchers at the security consultancy Godai Group set up domain names that were variations of legitimate websites belonging to Fortune 500 companies. Over the course of six months, the researchers collected more than 120,000 individual emails containing trade secrets, business invoices, employee personal identification information, network diagrams, usernames and passwords, the researchers said in a report released on 6 September.

Doppelganger sites

The domains used in the research were not misspelled, but were missing the “dot” between the subdomain and the domain in the address. For example, Yahoo uses “mail.yahoo.com” for its mail service. A doppelganger domain would be “mailyahoo.com”.

The attacker would purchase the doppelganger domain and configure an email server as a catch-all account to receive all messages to that domain, regardless of the username that the message is addressed to. People often mistype email addresses when sending out messages, and attackers rely on this natural human error to collect sensitive information, the researchers wrote.

“Essentially, a simple mistype of the destination domain could send anything that is sent over email to an unintended destination,” the authors wrote in the report.

About 30 percent, or 151, of the Fortune 500 companies the researchers analysed were susceptible to this kind of man-in-the-mailbox attack, the report said. Researchers Peter Kim and Garrett Gee recommended that organisations buy doppelganger domains as a preventive measure against these kinds of attacks.

In fact, researchers discovered that some of the largest companies already had doppelganger domains registered to locations in China and to domains “associated with malware and phishing”. Some examples included Cisco, Dell and Yahoo.

Fake sites

“If in six months we were able to collect 20 gigabytes of data, imagine what a malicious attacker could gain,” the researchers wrote.

In another example of typosquatting, M86 Security researchers found that domains with URLs like YoutTube.com (an extra “t”) redirect unsuspecting users to an online survey site, such as videorewardsonline.com, Rodel Mendrez, a researcher at M86 Security, wrote on the company blog on 8 September. The survey site looks like a YouTube site, with similar fonts and logos. There has been a “rapid spike in traffic” to the survey site recently, most likely as a result of traffic from typosquatted domains, Mendrez speculated.

The malicious site uses IP address geolocation to create localised versions for users and requires users to participate by entering an email address and mobile phone number, Mendrez said. The main purpose of the survey is to get people to subscribe to an auto-renewing premium-rate SMS subscription service, he found.

File extension switcharoo

Similarly, researchers at Avast Software found that scammers are disguising malicious files by making their file extensions look innocuous. The “Unitix” technique makes malicious Windows executable files (.exe) appear to be benign graphic images or Word documents by means of a hidden Unicode character, Avast said.

Unicode is an industry standard for representing text as numeric codes, and it can be used to display languages not based on the Roman alphabet. It also supports scripts written from right to left, such as Arabic and Hebrew.

Scammers use a specific Unicode control character to force the system to display the rest of the filename from right to left, Avast said. For example, the hidden character could be used to disguise a malicious file whose name really ends in “gpj.exe” so that it appears to be a photo file ending in “exe.jpg”. It looks like a photo file because of the apparent .jpg extension, but when it is opened, the computer ignores the reversed display, sees the true .exe extension and runs the file as an executable instead, Avast said.
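As an added defender-side example (not code from Avast or the original article), the following Python check flags filenames that contain Unicode bidirectional control characters such as U+202E RIGHT-TO-LEFT OVERRIDE and compares the displayed extension with the real one. The rendering simulation is a deliberate simplification of the full Unicode bidi algorithm (an assumption: text after a single U+202E is shown reversed), and the sample filenames are constructed.

```python
"""Flag filenames that abuse bidirectional control characters to hide their real extension."""
import os
import unicodedata

# Unicode code points with the Bidi_Control property; U+202E (RLO) is the one
# used in the trick described above.
BIDI_CONTROLS = {
    "\u061c", "\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def apparent_name(filename):
    """Approximate how a naive renderer shows a name containing one U+202E:
    the override itself is invisible and everything after it is drawn reversed."""
    if "\u202e" not in filename:
        return filename
    head, _, tail = filename.partition("\u202e")
    return head + tail[::-1]


def check_filename(filename):
    """Return the real extension, the displayed extension and a suspicion flag."""
    controls = sorted({unicodedata.name(c) for c in filename if c in BIDI_CONTROLS})
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(apparent_name(filename))[1].lower()
    return {
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "bidi_controls": controls,
        # Suspicious only when a control character changes what the user sees.
        "suspicious": bool(controls) and real_ext != shown_ext,
    }


def scan(filenames):
    """Return the subset of filenames that should be quarantined or reviewed."""
    return [name for name in filenames if check_filename(name)["suspicious"]]


if __name__ == "__main__":
    # Constructed samples: a disguised executable and two harmless names.
    samples = ["holiday\u202egpj.exe", "holiday.jpg", "report\u200e.pdf"]
    for name in samples:
        print(repr(name), "->", check_filename(name))
    print("flagged:", scan(samples))
```

On the disguised sample the real extension is .exe while the displayed name ends in .jpg, which is exactly the mismatch a mail gateway or endpoint scanner should alert on.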