Massive Fake Website Campaign Spreading Malware detected

Martin Brinkmann
Oct 24, 2022

Security researchers have detected a big malware campaign that is using fake websites to impersonate popular products and brands to spread malware. So-called typosquatting attacks register domain names that resemble the domain names of legitimate products. Many times, only a single character is different, added or removed from the domain name.

deceptive site warning

While observant Internet users may spot the fake site by looking at the domain name, many rely on visual elements of the site instead to judge its authentiticy.

The campaign uses at least over 200 typosquatting domains to impersonate 27 brands, including TikTok, Figma, PayPal, SnapChat, APK Pure, Google Wallet or Microsoft Visual Studio Code.

Originally detected by cyber-security firm Cyble, the company believed that the campaign was targeting Android primarily by creating fake sites to download Android APK files. Our colleagues over at Bleeping Computer discovered that the campaign extends beyond Android, as it targets brands in software, cryptocurrency and other niches as well.

Even popular open source programs, such as Notepad++, Thunderbird or Tor Browser, are among the impersonated brands. Some domain names look very similar to the original and most websites look like exact replicas of the original sites.

The campaign spreads different types of malware. Bleeping Computer found the info-stealing malware Vidar Stealer on a fake Notepad++ site, and the Agent Tesla keylogger and RAT on a site impersonating the Tor Project website.

The malicious sites are spread using various methods, including by email, by accidental typos from users, and other means, which may include via chat messages, social sites or by SMS.

Most sites should be blocked in modern web browsers by now. An attempt to open them in a browser should display a security warning. There is the chance, however, that new sites are created that are not yet blocked.

The main protection against these type of sites is to check the address of the site before interacting with it. It takes just a second or two to check the URL of the site and determine whether it is the real site or not. If users do not know the real domain, they may use search engines to find the right homepage. Sometimes, local data may also help in identifying the correct website.

It is also a good idea to avoid clicking on any links in emails and on social sites.

Now You: do you check website addresses before interacting with them?

Massive Fake Website Campaign Spreading Malware detected
Article Name
Massive Fake Website Campaign Spreading Malware detected
A new malware campaign has been detected that uses more than 200 sites to impersonate legitimate brands and spread malware.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Trey said on October 25, 2022 at 8:52 am

    NextDNS protects you from this kind of stuff, among other things.

  2. John G. said on October 24, 2022 at 9:35 pm

    Egde Chromium has typosquatting protection. At least is a good thing! Thanks for the article!

  3. Marc said on October 24, 2022 at 6:49 pm

    FYI: The rules for domain names are explained here

    along with many examples of the tricks bad guys use to scam people. If you don’t need this, you must know people who do.

    1. Yash said on October 25, 2022 at 7:22 am

      Thanks Marc, that was helpful.

  4. Ipnonymous said on October 24, 2022 at 6:13 pm

    Does SecureDNS prevent this?

    1. Jim said on October 24, 2022 at 6:52 pm

      It does not. However a more responsible DNS provider will probably do a better job of weeding out scam sites than your ISP. I suggest Quad9 or Cloudflare for DNS.

  5. Alex said on October 24, 2022 at 4:55 pm

    Yup. I always check.
    What I usually do is instead of typing in a website by hand (prone to mistakes and maybe end up on one of these malware websites) I Google what I want and most likely the first result is what I’m looking for “curated” by Google.

  6. Derek Clements said on October 24, 2022 at 3:50 pm

    Thanks Martin. Yes indeed I do, and have been doing so for quite some time now.

  7. Anonymous said on October 24, 2022 at 3:44 pm

    Checking the URL on a PC is a piece of cake, but on a smartphone is where it gets tricky due to the size of the screen. I would imagine that a lot of people will get caught out by these fake sites if they surf on a phone.

  8. Yash said on October 24, 2022 at 3:42 pm

    I’ve bookmarked most sites I visit on a regular basis. While bookmarking I always check full website address and title. So these sites get autofilled.

    For new sites I only check main domain but that’s it. So there’s definitely room for improvement.

  9. Tom Hawack said on October 24, 2022 at 1:34 pm

    > Now You: do you check website addresses before interacting with them?

    I’m afraid I do not. Perhaps my consistent domain and ip blocklists do (system-wide plus browser-specific uBO), though neither has blocked a connection in terms of url falsification for what I remember, meaning no such url was encountered or otherwise failed to be spotted by the blocklists, of course.

    I’ll be on my guards thanks to this article.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.