- The hack attempt starts when someone makes a mistake in typing the website they want to visit.
- A number of ad networks then process the traffic according to a number of parameters and the visitor is redirected to the domain controlled by the malicious actor.
- A copycat page may be parked and contain ads or may be set up in a way that redirects traffic according to the victim’s profile.
Malwarebytes published a blog post detailing a large typosquatting campaign. It relies on one of the oldest tricks on the internet: attackers register domain names that mimic legitimate ones. According to the investigation, the campaign started approximately one month ago.
Malvertising and tech support scams
Since the method relies on fake websites whose domains resemble legitimate ones, some brands pre-emptively register the common misspellings of their own domains. However, there are too many possible variations and it is practically impossible to buy them all. Some real examples of mistyped domain names abused in this campaign, alongside the legitimate sites they impersonate, are:
- realto.com – realtor.com
- amazon.uk.com – amazon.co.uk
- poliitco.com – politico.com
- duckduckgo.cm – duckduckgo.com
- gmauil.com – gmail.com
- zillwo.com – zillow.com
- weahter.com – weather.com
- walmarat.com – walmart.com
- homedept.com – homedepot.com
Besides phishing attempts, typosquatting can be used in malvertising too, where victims are bounced through a series of redirects eventually leading to malicious advertisements. The campaign currently only targets the U.S. and some of its specific patterns are making it easier to identify, such as:
- It starts when someone makes a mistake in typing the website they want to visit
- A number of ad networks then process the traffic according to a number of parameters
- A malicious actor is bidding on certain queries, in this case typos for popular brands
- The ad network redirects the visitor to the domain controlled by the malicious actor (malvertising)
- Further profiling is applied to ignore bots, VPNs, unwanted geolocation
- The victim is sent to a temporary (and disposable) webpage on Amazon’s AWS showing a fake alert
This is not the first time this infrastructure has surfaced: affiliatecpctracker[.]online (162.241.114.43) has a lot of historical data associated with it and has been serving scam pages for the last 3 years. Malwarebytes found numerous artifacts related to the browser locker pages, such as HTML source code and some backend PHP scripts used to generate the phone numbers. Malwarebytes said:
"Scammers love malvertising and will continue to abuse anything that they can to get more and more victims to call their toll-free numbers. The end game is to defraud innocent people and sometimes hack into their bank accounts to wire large amounts of money."