One of the most enduring social engineering tactics is typosquatting: registering look-alike domain names, and building look-alike websites on them, to lend legitimacy to phishing and fraud.
These look-alikes prey on users' inattention when checking a site's address, and sometimes simply wait for human error, such as a typo in a URL, to deliver victims.
Some of these domains carry a small deliberate misspelling, an added hyphen, or a substituted look-alike character; one of the early typosquatted domains was Goggle.com, which was quickly taken down once Google discovered it.
Even though the tactic has been around for decades, attackers keep getting more sophisticated, learning to disguise their fake domains and messages better so they can spread malware and steal data and funds from inattentive users more effectively.
Typosquatting Attacks on the Rise
Typosquatting's continued prevalence was most recently demonstrated by a worrying spike, over the past few months, in Bifrost Linux malware variants that use fake VMware domains.
There are many other recent examples of typosquatting attacks too.
These include scam sites built on brand impersonation, a spate of fake job-hiring websites, phishing campaigns by the SolarWinds supply chain attackers in 2022, and crooks abusing X's paid verification badges in 2023, among many others.
Renée Burton, head of threat intelligence at Infoblox, has been tracking these criminals.
Infoblox's telemetry, which analyzes billions of network data points each day, spots more than 20,000 such domains weekly.
Typosquatting criminals are constantly refining their craft in what seems to be a never-ending cat and mouse conflict.
Infoblox's report shows increasing sophistication in the use of typosquatting lures: not just for phishing or simple fraud, but for more advanced schemes such as pairing fake websites with fake social media accounts, using their own nameservers to run large spear-phishing email campaigns, setting up phony cryptocurrency trading sites, stealing multifactor authentication credentials, and replacing legitimate open-source code with malicious code to infect unsuspecting developers.
Criminals have also gotten more reactive to news events, such as creating fake sites to take donations intended for earthquake disaster relief.
Akamai recently documented a new twist aimed at the hospitality industry.
In an earlier academic study, researcher Szurdi found that the practice had increased over time and that domain squatters invest significant resources in running their criminal businesses.
The paper maps out their ecosystem, shown in the figure below, including 1) incoming traffic, 2) creating phishing pages, 3) serving up malware, and 4) redirecting to alternative domains, among other methods.
Figure: The typosquatting ecosystem, with the various ways criminals can generate funds.
Defending against typosquatting starts with paying closer attention to the address you are actually visiting, especially on mobile devices, where the browser shows only a truncated URL.
Another layer is to use one of the many alternative DNS resolvers, such as OpenDNS or Google's public DNS, which include typosquatting protection that recognizes look-alikes of the largest web destinations.
Even so, these protections cannot keep up with the thousands of new typo domains registered every day.
Security awareness training exercises are useful for sensitizing users to the various ways of recognizing the tactic.
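The article describes the lure (misspellings, added hyphens, look-alike characters) and notes that resolver-side blocklists lag behind new registrations. The script below, an added example that is not from the article or from Infoblox's or Akamai's tooling, shows the two sides of that gap in working code: generating the typo variants of a brand domain so you can register or block them pre-emptively, and classifying newly observed domains (for example from a passive DNS feed) against a protected brand list. The brand list, the confusable-character map and the sample domains are constructed for illustration; the edit-distance threshold is an assumption to tune.

```python
"""Generate and detect typosquat look-alikes of protected brand domains.

Added example, not from the article. BRANDS, CONFUSABLES, HOMOGLYPHS and the
sample observations in main() are constructed for illustration.
"""

# Hypothetical brands to protect (assumption: use your own list).
BRANDS = ["vmware.com", "google.com"]

# Characters typosquatters swap for each other. Assumption: a small map, not an
# exhaustive Unicode confusables table. Multi-character keys come first so they
# are folded before the single characters they contain.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s"}
HOMOGLYPHS = {"m": ["rn"], "w": ["vv"], "o": ["0"], "l": ["1"], "e": ["3"], "a": ["4"], "s": ["5"]}
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def split_domain(domain):
    """Return (labels, registrable_label, tld); 'login.vmware.com' -> (['login','vmware','com'], 'vmware', 'com')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels, labels[0], ""
    return labels, labels[-2], labels[-1]


def typo_variants(domain):
    """Candidate look-alike registrations of `domain` under the same TLD."""
    _, label, tld = split_domain(domain)
    n = len(label)
    out = set()
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                                 # omission (vmare)
        if i < n - 1:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])   # transposition (vwmare)
            out.add(label[:i + 1] + "-" + label[i + 1:])                   # hyphenation (vm-ware)
        for c in ALPHABET:
            out.add(label[:i] + c + label[i + 1:])                         # replacement (goggle)
            out.add(label[:i] + c + label[i:])                             # insertion (gooogle)
        for g in HOMOGLYPHS.get(label[i], []):
            out.add(label[:i] + g + label[i + 1:])                         # homoglyph (vmvvare)
    for c in ALPHABET:
        out.add(label + c)                                                 # trailing addition (googles)
    out.discard(label)
    return sorted(f"{v}.{tld}" for v in out if v)


def normalize(label):
    """Fold confusable characters and strip hyphens so look-alikes compare equal."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label.replace("-", "")


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(observed, brands=BRANDS, max_distance=1):
    """Return (brand, reason) if `observed` resembles a protected brand, else None."""
    observed = observed.lower().strip(".")
    labels, label, tld = split_domain(observed)
    for brand in brands:
        _, b_label, b_tld = split_domain(brand)
        if label == b_label and tld == b_tld:
            return None                                   # the brand itself or its own subdomain
        if b_label in labels[:-2]:
            return (brand, "brand-as-subdomain")          # login.vmware.com.evil.net
        dist = damerau_levenshtein(normalize(label), normalize(b_label))
        if dist <= max_distance:
            if label == b_label:
                reason = "tld-swap"                       # vmware.co
            elif dist == 0:
                reason = "normalizes-to-brand"            # vmvvare.com, g00gle.com, vm-ware.com
            else:
                reason = f"edit-distance-{dist}"          # goggle.com
            return (brand, reason)
    return None


if __name__ == "__main__":
    print(len(typo_variants("vmware.com")), "candidate registrations for vmware.com")
    # Constructed sample of newly observed domains, as a passive DNS feed might deliver them.
    for d in ["vmware.com", "www.vmware.com", "goggle.com", "vm-ware.com", "vmvvare.com",
              "g00gle.com", "vmware.co", "login.vmware.com.evil.net", "example.org"]:
        print(f"{d:28} -> {classify(d)}")
```

The generator is what you feed to a registrar or resolver blocklist ahead of time; the classifier is what runs over the stream of domains that the article says blocklists cannot keep pace with. Keep `max_distance` at 1 for short brand labels, since distance 2 on a six-letter name matches too many legitimate words, and treat the confusable map as a starting point rather than a complete Unicode confusables table.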
This Cyber News was published on www.darkreading.com. Publication date: Mon, 11 Mar 2024 21:25:19 +0000