Typosquat Campaign Targeting Android, Windows Users Now Counts 600+ Domains
Security researchers have uncovered several pivots that suggest a much larger set of domains associated with a massive typosquat campaign discovered by Cyble and Bleeping Computer over the weekend.
The attacks, targeting Windows and Android users, mimicked 27 brands across over 200 typosquatting domains.
DomainTools now says it has uncovered additional suspicious infrastructure, which the company detailed in a blog post shared with Infosecurity.
“By including DNS-based pivots that go beyond the host’s IP address, the list of suspicious domains grew to more than 600, with 9 of these created in the last week and well over 400 still active and not yet on common 3rd party threat intel feeds and blocking lists,” reads the technical write-up.
“With the connection to the ever-popular Vidar stealer and other malware, we can reasonably conclude that the ultimate goal is to steal credentials to app accounts, crypto wallets, etc., and perhaps use infected hosts as proxies for further malicious activity.”
While most of the domain registrations took place in the second half of 2022, DomainTools said records seen by the team show ones dating back to the fall of 2021. The company has compiled a complete list of the more than 600 identified domains, which is available at this link.
After reviewing the new domains, the security researchers said they all appear to use similar web page designs as possible lures.
“If they follow a similar pattern, they would deliver a variety of malware, most of which is designed to achieve persistence on the infected device as well as potential use for the delivery of future lures to unsuspecting targets.”
DomainTools said it has not validated any specific malicious sites, but that the public should be aware of the full scope of activity tied to this campaign and avoid these domains until further investigation.
“We recommend that defenders immediately block or alert these 600+ questionable domains until they can determine if they are malicious.”
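As an added illustration of the "block or alert" recommendation above (example code written for this page, not DomainTools' or Infosecurity's), the following Python scans constructed DNS resolver log lines against a constructed blocklist and also flags registrable labels within one edit, including an adjacent-character swap, of a constructed brand list, which is how typosquats of the kind described here surface in query logs. Brand names, domains and log lines are fictional placeholders, and the suffix handling assumes one-label public suffixes.

```python
# Constructed sample data: fictional brands, blocklist and log lines, not the campaign's real domains.
BRANDS = {"acmewallet", "zephyrbank", "orbitchat"}
BLOCKLIST = {"acmewalet.com", "zephyrbank-login.net"}
SAMPLE_LOG = ["10.0.0.5 acmewalet.com", "10.0.0.7 orbitchta.com",
              "10.0.0.9 zephyrbank.com", "10.0.0.3 example.org"]  # 'client_ip qname'

def registrable_label(qname):
    """Second-level label of a query name; assumes a one-label public suffix (use the PSL in production)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def in_blocklist(qname, blocklist):
    """True if qname is a blocklisted domain or any subdomain of one (label boundary)."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in blocklist)

def lookalike_brand(qname, brands, max_dist=1):
    """Brand within max_dist edits of the registrable label; None for an exact (legitimate) match."""
    label = registrable_label(qname)
    if label in brands:
        return None
    hits = [b for b in brands if damerau_levenshtein(label, b) <= max_dist]
    return min(hits, key=lambda b: damerau_levenshtein(label, b)) if hits else None

def scan_dns_log(lines, blocklist=BLOCKLIST, brands=BRANDS):
    """Return (client, qname, reason) for each line that matches the blocklist or a brand."""
    alerts = []
    for line in lines:
        client, qname = line.split()[:2]
        if in_blocklist(qname, blocklist):
            alerts.append((client, qname, "blocklist"))
        elif (brand := lookalike_brand(qname, brands)):
            alerts.append((client, qname, "lookalike:" + brand))
    return alerts
```

Running `scan_dns_log(SAMPLE_LOG)` flags the blocklisted domain and the transposed-letter look-alike while leaving the legitimate brand domain and an unrelated domain alone; an exact brand match is deliberately not reported so that legitimate traffic does not generate alerts.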
For more information about how cyber-criminals are using new tactics to increase their chances of success in phishing attacks, you can read this analysis by cybersecurity blogger Farwa Sajjad.