This typosquatting campaign is using over 200 domains to compromise Windows and Android users

More than 20 brands impersonated


An enormous malware distribution campaign has been detected leveraging more than 200 malicious domains and impersonating more than two dozen global brands to distribute all kinds of malware for both Android and Windows operating systems.

Cybersecurity researchers from Cyble first spotted the campaign seeking to distribute various malware among Android users.

In the campaign, the unknown threat actors set up countless domains that seem almost identical to real domains belonging to major brands such as PayPal, SnapChat, TikTok, and others. The domains only have a single character that’s different, that’s missing, or that’s extra.
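As an added illustration (not code from the article or from Cyble's research), here is a small defender-side check that flags domains differing from a known brand domain by exactly one substituted, missing, or extra character, the pattern the article describes. The brand list and the "observed" domains are constructed sample input, not indicators from the campaign.

```python
from typing import Optional, Tuple

# Constructed brand list for the example (not the article's data).
BRAND_DOMAINS = ["paypal.com", "snapchat.com", "tiktok.com"]


def one_edit_kind(candidate: str, brand: str) -> Optional[str]:
    """Return 'substitution', 'deletion' or 'insertion' when candidate differs
    from brand by exactly one character edit, otherwise None."""
    if candidate == brand:
        return None
    lc, lb = len(candidate), len(brand)
    if lc == lb:
        diffs = sum(1 for a, b in zip(candidate, brand) if a != b)
        return "substitution" if diffs == 1 else None
    if abs(lc - lb) != 1:
        return None
    shorter, longer = (candidate, brand) if lc < lb else (brand, candidate)
    # Find the first position where the two strings diverge, then require the
    # remainder of the longer string (skipping one character) to match.
    i = 0
    while i < len(shorter) and shorter[i] == longer[i]:
        i += 1
    if shorter[i:] != longer[i + 1:]:
        return None
    return "deletion" if lc < lb else "insertion"


def classify_domain(domain: str) -> Optional[Tuple[str, str]]:
    """Return (brand, edit_kind) if domain is a one-edit lookalike of a brand."""
    domain = domain.lower().strip(".")
    for brand in BRAND_DOMAINS:
        kind = one_edit_kind(domain, brand)
        if kind:
            return brand, kind
    return None


def flag_typosquats(domains):
    """Map each flagged domain to the brand it resembles and the edit type."""
    hits = {}
    for d in domains:
        match = classify_domain(d)
        if match:
            hits[d] = match
    return hits


# Constructed sample of domains as they might appear in DNS or proxy logs.
OBSERVED = ["paypal.com", "paypall.com", "tiktk.com", "snapchat.com", "example.org"]

if __name__ == "__main__":
    for d, (brand, kind) in flag_typosquats(OBSERVED).items():
        print(f"{d}: one-character {kind} of {brand}")
```

Legitimate brand domains and unrelated domains pass through unflagged; only single-character lookalikes are reported, which keeps the check useful as a triage filter over DNS or proxy logs.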

Android and Windows users attacked

This type of fraud is usually called “typosquatting” and it’s used in all kinds of attacks, for example, on GitHub, where attackers create repositories with names almost identical to legitimate repositories, to try and distribute malware.

BleepingComputer then expanded on this research to find numerous other domains distributing malware among Windows users, as well. The exact advertisement method for these domains is unknown, but the publication suggests it’s either the victims themselves mistyping the domains on their devices, or threat actors engaging in phishing and other forms of social engineering. We shouldn’t forget SEO poisoning, though.


It was also determined that the threat actors used this big typosquatting campaign to deliver all kinds of malware. In some cases, they were distributing the Vidar Stealer, and in others, Agent Tesla. Vidar is capable of stealing banking information, stored passwords, browser history, IP addresses, details about cryptocurrency wallets and, in some cases, MFA information, as well. Agent Tesla, first discovered some eight years ago, is capable of stealing credentials from many popular apps including web browsers, VPN software and FTP and email clients.

The researchers believe the threat actors are currently experimenting with different malware variants until they see what works best. Besides malware, the researchers also found the ethersmine[.]com website which tries to steal seed phrases for people’s Ethereum wallets.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.