Unlike with Word and other office software, your browser’s address bar doesn’t have a spell checker which is why look-alike domains are often used in phishing attacks and to spread malware.
Also known as typosquatting, this is an old tactic used by cybercriminals where they register domains that are similar to legitimate ones with the hope that potential victims misspell a website’s address and end up on a fake site instead.
As reported by BleepingComputer (opens in new tab), a new typosquatting campaign has been discovered in the wild which uses 200 fake domains impersonating 27 popular brands to trick users into downloading Android and Windows malware.
At first glance, many of these typosquatting domains seem quite convincing as the sites they point to are either clones of legitimate ones or use their logos and style. The domains in this particular campaign are close to the sites they’re impersonating with only a single letter in the wrong place or an extra “s” which can be easy for those not paying close attention to miss.
Using typosquatting to spread Android and Windows malware
This new typosquatting campaign was first discovered by the cybersecurity firm Cyble which published a blog post (opens in new tab) detailing how the cybercriminals behind it are using fake domains to impersonate app stores and even social media sites.
Some of these fake domains mimic popular Android app stores like the Google Play Store, APKCombo and APKPure. While potential victims think they’re downloading a legitimate Android app, their devices actually become infected with the ERMAC banking trojan that can steal money from your online banking accounts and the best cryptocurrency wallets.
At the same time, the cybercriminals have also set up fake sites impersonating Snapchat, TikTok, VidMate, PayPal, Google Wallet and other popular services. Here are just a few of the typosquatting domains you’ll want to look out for:
- payce-google[.]com - impersonates Google Wallet
- snanpckat-apk[.]com - impersonates Snapchat
- vidmates-app[.]com - impersonates VidMate
- paltpak-apk[.]com - impersonates PayPal
- m-apkpures[.]com - impersonates APKPure
- tiktok-apk[.]link - impersonates the download page for TikTok’s app
However, BleepingComputer also discovered a much larger typosquatting campaign launched by the same cybercriminals designed to distribute Windows malware instead. There are more than 90 fake websites impersonating popular brands in order to distribute the Vidar malware and the Agent Tesla keylogger
Some examples of typosquatting domains used to distribute Windows malware include notepads-plus-plus[.]org that impersonates the popular Notepad++ text editor, tocproject[.]com impersonating the Tor Project and braves-browsers[.]org which appears similar to the actual site for Brave Browser.
How to stay safe from typosquatting domains
Although many of the best Android browsers like Google Chrome and Microsoft Edge include typosquatting protection, this feature doesn’t always prevent users from navigating to fake websites.
To avoid accidentally navigating to a fake website with a misspelled web address, you should use a search engine to find the site you want to visit instead of trying to manually type out its name in your browser’s address bar. However, you may want to avoid clicking on any of the ads shown in the search results as cybercriminals often create and use malicious ads to impersonate legitimate websites.
To further protect your data and devices, you should consider installing one of the best antivirus software solutions on your PC or laptop running Windows as well as one of the best Android antivirus apps on your Android smartphone.
Since typosquatting can be quite profitable for cybercriminals, this attack method likely isn’t going anywhere anytime soon. For this reason, you should always be extra careful when manually writing out the addresses of popular sites in your browser.