Malware in Windows and Android users


A large-scale phishing campaign built on typosquatting is targeting Windows and Android users with malware, according to a threat intelligence firm and cybersecurity website.

The ongoing campaign uses more than 200 typosquatting domains posing as 27 brands to trick web surfers into downloading malware onto their computers and phones, BleepingComputer reported Sunday.

Threat intelligence company Cyble featured the campaign last week on its blog. Phishing websites are reportedly tricking visitors into downloading fake Android apps that mimic Google Wallet, PayPal and Snapchat and contain the ERMAC banking trojan.

BleepingComputer explained that while Cyble focused on the campaign’s Android malware, a much larger operation targeting Windows is being deployed by the same threat actors. This campaign has over 90 websites created to promote malware and steal cryptocurrency recovery keys.

Typosquatting is an old technique for redirecting cyberspace travelers to malicious sites. In this campaign, BleepingComputer explained, the domains used are very close to the original ones, with a single letter of the domain replaced, or with an “s” added.

Phishing sites also look genuine, it added. They are either clones of real sites or fake enough to fool the casual visitor.

Typically, victims get to the sites by making a mistake in the URL entered in the browser’s address bar, but sometimes URLs are also pasted into emails, SMS messages, and social media.

“Typosquatting is nothing new,” said Sherrod DeGrippo, vice president of research and threat detection at Proofpoint, a corporate security company in Sunnyvale, California.

“Goggle.com sent random visitors to a malicious site with offline downloads of malware back in 2006,” DeGrippo told TechNewsWorld.

An unusual scale

Although the campaign uses proven phishing techniques, it has some distinctive characteristics, security experts told TechNewsWorld.

“The size of this campaign is extraordinary, even if the technology is old school,” noted Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk mitigation, in Tel Aviv, Israel.

“This particular campaign appears to be much larger than the usual typosquatting attempts,” added Jerrod Pyker, a competitive intelligence analyst at Deep Instinct, a deep learning cybersecurity company in New York.

The focus on mobile apps is another departure from the norm, noted Grayson Milburn, director of security at OpenText Security Solutions, a global threat detection and response company.

“Targeting mobile apps and related websites to spread Android malware isn’t new, but it’s not as common as typosquatting targeting Windows software websites,” he said.

What’s interesting about the campaign is that it relies on both input errors made by users and deliberate delivery of malicious URLs to targets, said Hank Schless, senior manager of security solutions at Observational, a mobile phishing solutions provider in San Francisco.

“It seems like a well-thought-out campaign [and] the chances of success are high if an individual or organization does not have adequate security,” he said.

Why Typosquatting Works

Phishing campaigns that use typosquatting don’t have to be innovative to succeed, says Roger Grimes, a defense evangelist at KnowBe4, a security training provider in Clearwater, Florida.

“All typosquatting campaigns are quite effective without requiring advanced or new techniques,” he told TechNewsWorld. “And there are many advanced techniques, such as homoglyph attacks, which add another layer that can fool even experts.”

Homoglyphs are characters that look alike, such as the letter O and a zero (0), or an uppercase I and a lowercase l (EL), which look the same in a sans-serif font like Calibri.

“But you’re not going to find a ton of these more advanced attacks because they’re not necessary to succeed,” Grimes continued. “Why work hard when you can work easy?”

Typosquatting works on trust, argued Abhay Bhargav, CEO of AppSecEngineer, a security training provider in Singapore.

“People are so used to seeing and reading well-known names that they think that a website, app or software package with the same name and logo is the same as the original product,” Bhargav told TechNewsWorld.

“People don’t think about the slight inconsistencies in spelling or domain that distinguish an original product from a fake,” he said.

Some domain registrars deserve the blame

Pyker explained that it’s very easy to “stick your finger” while typing in a URL, which is why PayPal becomes PalPay.

“It would get a lot of hits,” he said, “especially since spam attacks usually present a web page that is essentially a clone of the original.”

“Attackers also hijack multiple similar domains to ensure that many different typos will match,” he added.
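
The lookalike patterns described in this article (one letter replaced, an added “s”, O/0 and I/l homoglyphs, swapped letters) can be checked mechanically against a list of brands to protect. The following Python sketch is an added example, not part of the original article; the function names, the brand list and the sample domains are constructed for illustration, and it assumes a single-label TLD such as .com.

```python
# Added example: flag lookalike domains against a list of protected brand labels.
BRANDS = ["google", "paypal", "snapchat"]          # brands named in the article
HOMOGLYPHS = str.maketrans({"0": "o", "I": "l", "1": "l"})  # O/0 and I/l, plus 1/l

def skeleton(label):
    """Fold visually confusable characters, then lowercase."""
    return label.translate(HOMOGLYPHS).lower()

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent letters swapped
    return d[-1][-1]

def classify(domain, brands=BRANDS, max_edits=1):
    """Return (brand, reason) if the domain imitates a brand, else None."""
    parts = domain.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # naive: single-label TLD
    lowered = label.lower()
    if lowered in brands:
        return None                                     # the real brand label
    folded = skeleton(label)
    for brand in brands:
        if folded == brand:
            return brand, "homoglyph"
        if lowered == brand + "s":
            return brand, "added-s"
    for brand in brands:
        if osa_distance(lowered, brand) <= max_edits:
            return brand, "typo"
    return None

if __name__ == "__main__":
    # Constructed sample domains, not indicators from the campaign.
    for name in ["paypal.com", "paypa1.com", "snapchats.com", "goggle.com", "papyal.com"]:
        print(name, classify(name))
```

PalPay differs from PayPal by two substitutions, so it is flagged only with `max_edits=2`, which also raises the false-positive rate on short brand names.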

Current domain registration systems aren’t helping either, Grimes argued.

“The problem is exacerbated by the fact that some services allow bad websites to obtain TLS/HTTPS domain certificates, which many users believe means the website is safe and secure,” he explained. “More than 80% of malware sites have a digital certificate. It makes a mockery of the whole public key infrastructure system.”

“Furthermore,” Grimes continued, “the Internet’s domain naming system is broken, allowing apparently fake Internet domain registrars to get rich by registering domains which, it is easily seen, will be used in some misdirected attack. Profit incentives that reward registrars for looking the other way are a big part of the problem.”

Mobile browsers are more responsive

Hardware form factors can also contribute to the problem.

“Typosquatting is much more effective on mobile devices because of the way mobile operating systems are built to simplify the user experience and minimize clutter on a smaller screen,” Schless explained.

“Mobile browsers and apps shorten URLs to improve the user experience, so a victim may not see the full URL, much less see a typo in it,” he continued. “People don’t usually look at a URL on mobile, which they can do on a computer by hovering over it.”

Sylvester Schebeny, CISO and Co-Founder of Treasury, a Zurich-based email security company.

“As far as running Trojans, not a lot, because people usually use the app or play stores,” he told TechNewsWorld.

How to protect yourself from typosquatting

To protect yourself from becoming a phishing victim, Pyker advised users to never click on links in SMS messages or emails from unknown senders.

He also advised being careful when entering URLs, especially on mobile devices.

DeGrippo added, “If the user is in doubt, the user can Google the established domain name directly instead of clicking on the direct link.”

In the meantime, Schless suggested that people trust their mobile devices a little less.

“We know we need to install anti-malware and anti-phishing solutions on our computers, but we have an inherent trust in mobile devices, so we don’t think we need to do the same on iOS and Android devices,” he said.

“This campaign is one of countless examples of how threat actors are using that trust against us,” he noted, “which shows why it’s so important to have a security solution built specifically for mobile threats on your smartphone and tablet.”
