Massive Typosquatting Racket Pushes Malware at Windows, Android Users

A large-scale phishing campaign built on typosquatting is targeting Windows and Android users with malware, according to a threat intelligence firm and cybersecurity website.

The campaign currently underway uses more than 200 typosquatting domains that impersonate 27 brands to hoodwink web surfers into downloading malicious software to their computers and phones, BleepingComputer reported Sunday.

Threat intelligence firm Cyble revealed the campaign last week in a blog. It reported that the phishing websites deceive visitors into downloading fake Android applications impersonating Google Wallet, PayPal, and Snapchat, which contain the ERMAC banking Trojan.

BleepingComputer explained that while Cyble focused on the campaign’s Android malware, a much larger operation aimed at Windows is being deployed by the same threat actors. That campaign has more than 90 websites crafted to push malware and steal cryptocurrency recovery keys.


Typosquatting is an old technique for redirecting cyberspace travelers to malicious websites. In this campaign, BleepingComputer explained, the domains used are very close to the originals, with a single letter swapped out of the domain or an “s” added to it.

The phishing sites look authentic, too, it added. They’re either clones of the real sites or enough of a knock-off to fool a casual visitor.

Typically, victims end up at the sites by making a typo in a URL entered on the address bar of a browser, it continued, but the URLs are also sometimes inserted in emails, SMS messages, and on social media.

“Typosquatting is not novel,” said Sherrod DeGrippo, vice president for threat research and detection at Proofpoint, an enterprise security company in Sunnyvale, Calif.

“ was sending accidental visitors to a malicious site with drive-by malware downloads as early as 2006,” DeGrippo told TechNewsWorld.

Unusual Scale

Although the campaign uses tried-and-true phishing techniques, it has some distinguishing characteristics, security experts told TechNewsWorld.

“The size of this campaign is unusual, even if the technique is old-school,” observed Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, in Tel Aviv, Israel.

“This particular campaign appears to be much larger in scale than typical typosquatting attempts,” added Jerrod Piker, a competitive intelligence analyst with Deep Instinct, a deep learning cybersecurity company in New York City.

Focusing on mobile apps is another departure from the norm, noted Grayson Milbourne, security intelligence director at OpenText Security Solutions, a global threat detection and response company.

“The targeting of mobile apps and associated websites with the goal of distributing malicious Android apps is something that isn’t new but isn’t as common as typosquatting that targets Windows software websites,” he said.

What’s interesting about the campaign is its reliance on both typing mistakes made by users and the intentional delivery of malicious URLs to targets, observed Hank Schless, senior manager for security solutions at Lookout, a San Francisco-based provider of mobile phishing solutions.

“This appears to be a well-rounded campaign with [a] high chance of success if an individual or organization doesn’t have proper security in place,” he said.

Why Typosquatting Works

Phishing campaigns that exploit typosquatting don’t need to be innovative to succeed, maintained Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.

“All typosquatting campaigns are fairly effective without needing advanced or new tricks,” he told TechNewsWorld. “And there are many advanced tricks, such as homoglyphic attacks, that add another layer that could fool even the experts.”

Homoglyphs are characters that resemble each other, such as the letter O and zero (0), or the uppercase I and the lowercase letter l (EL), which look identical in a sans serif font, like Calibri.

“But you don’t find a ton of these more advanced attacks out there because they don’t need them to be successful,” Grimes continued. “Why work hard when you can work easy?”
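
The lookalike patterns described in this article (a single letter swapped, an "s" added, and homoglyphs such as O/0 and I/l) can be checked mechanically against a list of brand domains a defender wants to protect. The following Python example is added here and is not code from Cyble, BleepingComputer or the experts quoted; the brand list, character map, function names and sample domains are constructed for illustration.

```python
# Added example: flag domains that imitate a protected brand domain.
# BRANDS, HOMOGLYPHS and SAMPLE are constructed for illustration.
BRANDS = ["paypal.com", "snapchat.com"]

# Lookalike characters named in the article: O/0 and I/l (plus the digit 1).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "I": "l"})


def skeleton(name):
    """Fold lookalike characters together, then lowercase."""
    return name.translate(HOMOGLYPHS).lower()


def split_domain(name):
    """Split 'label.suffix' at the first dot."""
    label, _, suffix = name.partition(".")
    return label, suffix


def classify(candidate, brands=BRANDS):
    """Return (brand, reason) if candidate imitates a brand, else None."""
    name = candidate.strip().rstrip(".")
    if name.lower() in brands:
        return None  # the genuine domain itself
    # Homoglyphs first: case matters here, so fold before lowercasing.
    for brand in brands:
        if skeleton(name) == skeleton(brand):
            return brand, "homoglyph"
    label, suffix = split_domain(name.lower())
    for brand in brands:
        b_label, b_suffix = split_domain(brand)
        if suffix != b_suffix:
            continue
        if label == b_label + "s":
            return brand, "added-s"
        if len(label) == len(b_label):
            # Exactly one differing position means one letter was swapped.
            if sum(a != b for a, b in zip(label, b_label)) == 1:
                return brand, "one-letter-swap"
    return None


# Constructed names as they might appear in mail, SMS or proxy logs.
SAMPLE = ["paypal.com", "paypals.com", "paypol.com", "paypaI.com",
          "snapchat.com", "snapcha7.com", "example.org"]

if __name__ == "__main__":
    for domain in SAMPLE:
        print(domain, "->", classify(domain))
```

Run over URLs extracted from inbound mail or web proxy logs, a check like this surfaces near-miss domains for review before a user reaches the cloned site.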
