Massive Fake Website Campaign Spreading Malware detected

Security researchers have detected a big malware campaign that is using fake websites to impersonate popular products and brands to spread malware. So-called typosquatting attacks register domain names that resemble the domain names of legitimate products. Many times, only a single character is different, added or removed from the domain name.
While observant Internet users may spot the fake site by looking at the domain name, many rely on visual elements of the site instead to judge its authentiticy.
The campaign uses at least over 200 typosquatting domains to impersonate 27 brands, including TikTok, Figma, PayPal, SnapChat, APK Pure, Google Wallet or Microsoft Visual Studio Code.
Originally detected by cyber-security firm Cyble, the company believed that the campaign was targeting Android primarily by creating fake sites to download Android APK files. Our colleagues over at Bleeping Computer discovered that the campaign extends beyond Android, as it targets brands in software, cryptocurrency and other niches as well.
Even popular open source programs, such as Notepad++, Thunderbird or Tor Browser, are among the impersonated brands. Some domain names look very similar to the original and most websites look like exact replicas of the original sites.
The campaign spreads different types of malware. Bleeping Computer found the info-stealing malware Vidar Stealer on a fake Notepad++ site, and the Agent Tesla keylogger and RAT on a site impersonating the Tor Project website.
The malicious sites are spread using various methods, including by email, by accidental typos from users, and other means, which may include via chat messages, social sites or by SMS.
Most sites should be blocked in modern web browsers by now. An attempt to open them in a browser should display a security warning. There is the chance, however, that new sites are created that are not yet blocked.
The main protection against these type of sites is to check the address of the site before interacting with it. It takes just a second or two to check the URL of the site and determine whether it is the real site or not. If users do not know the real domain, they may use search engines to find the right homepage. Sometimes, local data may also help in identifying the correct website.
It is also a good idea to avoid clicking on any links in emails and on social sites.
Now You: do you check website addresses before interacting with them?
NextDNS protects you from this kind of stuff, among other things.
Egde Chromium has typosquatting protection. At least is a good thing! Thanks for the article!
FYI: The rules for domain names are explained here
https://defensivecomputingchecklist.com/DomainNameRules.php
along with many examples of the tricks bad guys use to scam people. If you don’t need this, you must know people who do.
Thanks Marc, that was helpful.
Does SecureDNS prevent this?
It does not. However a more responsible DNS provider will probably do a better job of weeding out scam sites than your ISP. I suggest Quad9 or Cloudflare for DNS.
Yup. I always check.
What I usually do is instead of typing in a website by hand (prone to mistakes and maybe end up on one of these malware websites) I Google what I want and most likely the first result is what I’m looking for “curated” by Google.
Thanks Martin. Yes indeed I do, and have been doing so for quite some time now.
Checking the URL on a PC is a piece of cake, but on a smartphone is where it gets tricky due to the size of the screen. I would imagine that a lot of people will get caught out by these fake sites if they surf on a phone.
I’ve bookmarked most sites I visit on a regular basis. While bookmarking I always check full website address and title. So these sites get autofilled.
For new sites I only check main domain but that’s it. So there’s definitely room for improvement.
> Now You: do you check website addresses before interacting with them?
I’m afraid I do not. Perhaps my consistent domain and ip blocklists do (system-wide plus browser-specific uBO), though neither has blocked a connection in terms of url falsification for what I remember, meaning no such url was encountered or otherwise failed to be spotted by the blocklists, of course.
I’ll be on my guards thanks to this article.