If you’re a sloppy URL typist, you could end up paying the price with malware. According to Endgame , a cybersecurity company, hackers have developed a new kind of url hijacking campaign called typosquatting that targets users of popular sites like Netflix, Amazon, Gmail and hundreds of others. If successful, the attackers can serve an onslaught of adware, or in some cases, install more serious data-stealing malware.
What Is Typosquatting?
Typosquatting is a form of URL hijacking. URL hijacking occurs when an attacker purchases a domain name similar to another for the purposes of gaining more traffic or serving up malware. Some types of url hijacking we’ve seen in the past involved domains with similar names but different website suffixes. For example, typing in USA.com will take you to something entirely different than typing USA.gov.
With typosquatting, attackers target users who misspell URLs. In this case, the attackers primarily focused on typos that leave out the “c” in .com. So if you type in "Amazon.om" or even "Amazonc.om," you’ll be redirected to a site serving up malicious malware for those who may not be savvy enough to recognize it as such.
What Does The .Om Typosquatting Malware Do?
Researchers at Endgame discovered this latest typosquatting campaign over the weekend when an employee accidentally typed “Netflix.om” in his browser instead of Netflix.com. Normally, typing in a URL incorrectly would give you a DNS resolution error, telling you the domain didn’t exist. But since an attacker purchased the incorrect URL, the Endgame employee’s browser was instead redirected several times before landing on a page that mimicked a “Flash Updater” prompt, accompanied by numerous annoying pop-ups that made it appear as though he was being attacked by malware and updating would fix the issue.
For those who are fairly web savvy, this is an easy ploy to see through, but for those who aren’t as familiar, the scenario is terrifying enough that they will immediately start the Flash Updater, in hopes of remedying the problem. Users fooled by the typosquatting ploy are far from safe. By answering to the Flash Updater prompt, they inadvertently install Genieo Adware instead. Both Mac and Windows users are susceptible to the adware attacks. Once initiated, the Genieo adware installs itself as an extension on supported browsers like Chrome, Firefox and Safari to serve an endless stream of annoying ads and popups. Genieo malware can also modify configurations on the browser like changing the default homepage.
Why “.Om: Typosquatting Shouldn’t Be Ignored
While, for users, the appearance of these new typosquatting attacks are largely just an annoyance, for website owners it could be a signal to up their typosquatting mitigation strategies, says Endgame . Though Genieo is largely a harmless adware attack, in the future attackers could use similar methods for a more sinister act, like spoofing a real site to harvest login credentials, placing backdoors on a system or installing ransomware.
In the case of Netflix and other sites where attackers can anticipate a large influx of traffic due to the release of something like House of Cards, typosquatting mitigation should become a serious part of its information security strategy. With possible victims flocking to sites like these at predictable times, attackers are sure to capture some wins along the way.
For more about typosquatting mitigation and how to fix a computer infested with the Genieo malware see Endgame’s entire report here. Or to view the list of Websites targeted in this latest typosquatting attack, click here.
