Typosquatters are targeting Apple computer users with malware in a recent campaign that snares clumsy web surfers who mistakenly type .om instead of .com when surfing the web.
According to Endgame security researchers, the top level domain for Middle Eastern country Oman (.om) is being exploited by typosquatters who have registered more than 300 domain names with the .om suffix for U.S. companies and services such as Citibank, Dell, Macys and Gmail. Endgame made the discovery last week and reports that several groups are behind the typosquatter campaigns.
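One defensive way to spot the traffic pattern described above is to watch DNS logs for names that are one dropped TLD character away from a brand domain (the .om-for-.com case). This is an added example, not code from the article or from Endgame; the log format and the protected-domain list are constructed here for illustration.

```python
import re

# Constructed brand domains to watch (the article names these among the impersonated sites).
PROTECTED = ["citibank.com", "dell.com", "macys.com", "gmail.com"]

# Constructed resolver-style DNS log lines: client, qname, qtype.
SAMPLE_LOG = """\
10.0.0.14 query citibank.om A
10.0.0.15 query gmail.com A
10.0.0.16 query dell.om AAAA
10.0.0.17 query macys.co A
10.0.0.18 query example.org A
"""

LINE_RE = re.compile(r"^(\S+) query (\S+) (\S+)$")


def tld_typo_variants(domain):
    """Lookalikes made by dropping one character from the TLD:
    citibank.com -> citibank.om, citibank.cm, citibank.co."""
    label, _, tld = domain.rpartition(".")
    return {f"{label}.{tld[:i] + tld[i + 1:]}"
            for i in range(len(tld)) if len(tld) > 1}


def build_lookup(protected):
    """Map each typo variant back to the legitimate domain it imitates."""
    return {variant: domain for domain in protected
            for variant in tld_typo_variants(domain)}


def flag_typosquat_queries(log_text, protected=PROTECTED):
    """Return (client, queried_name, impersonated_domain) for each hit."""
    lookup = build_lookup(protected)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, qname, _qtype = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in lookup:
            hits.append((client, qname, lookup[qname]))
    return hits


if __name__ == "__main__":
    for client, qname, target in flag_typosquat_queries(SAMPLE_LOG):
        print(f"{client} looked up {qname}, a TLD typo of {target}")
```

The same lookup table can be fed to a resolver blocklist or a SIEM rule so that a user who mistypes the TLD is warned or blocked before the page loads.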
Mac OS X users are being singled out in this typosquatting campaign with malware. According to Endgame, when a Mac user stumbles on one of the typosquatters’ webpages, a fake Adobe Flash update pops up and attempts to trick the user into installing the advertising component called Genieo.
Genieo, according to Endgame, is a “common OS X malware / adware variant” that “typically infiltrates the user’s system by posing as an Adobe Flash update.” Once on the targeted computer, Endgame said, Genieo drops an OS X DMG container. “Genieo then entrenches itself on the host by installing itself as an extension on various supported browsers (Chrome, Firefox, Safari),” wrote Mark Dufresne, director of malware research and threat intelligence for security software company Endgame, in a company blogpost.
Windows PC users who visit one of the typosquatter sites are redirected to an ad network where they are peppered with online ads. “Destination web pages will almost assuredly be riddled with advertisements, surveys to complete for free electronics, or scareware tactics to entice users to download and execute an antivirus suite that leads to further headaches and intrusive advertising,” Dufresne said.
“We haven’t seen this escalate beyond typosquatters pushing the well-known Genieo malware and ad networks,” Dufresne said in an interview with Threatpost. “But given the volumes of misdirected traffic to .om, this could be used as an effective tool to distribute much more serious threats,” he said.
Part of Endgame’s examination of the typosquatting campaign included looking at the registration patterns for the domain names and where the sites serving up malware and ads were hosted. “The 334 .om sites related to well-known Internet properties are hosted on 15 different hosting providers,” Dufresne wrote. A large chunk of those sites were hosted by providers located in New Jersey.
“Very unsurprisingly, the software stack on these servers was uniform,” Dufresne said. He added that many of the servers behind the domains have unpatched vulnerabilities allowing remote access. “These hosts could easily be exploited by other actors to serve up alternate (possibly worse) malicious content than what’s currently being served,” he said.
Threatpost’s emails to .om’s domain registry agency, the Telecom Regulatory Authority, seeking comment were not returned.
The .om domain is classified as a country code top-level domain (ccTLD), a class of TLDs assigned to countries and territories. The ccTLDs are not contractually bound to the Internet Corporation for Assigned Names and Numbers, the internet domain names governing body. That leaves domain name disputes for ccTLDs to be resolved under local laws, according to ICANN in an email to Threatpost. ICANN’s policies do extend to generic TLDs, such as com, net, edu and gov.
Dufresne suspects that typosquatters are exploiting a hole in Oman’s domain name registration process. He told Threatpost that when Endgame tried to register a domain, it was asked to verify that it had the authority to register a specific commercial domain. “It’s unclear how typosquatters were able to register so many domains in such a short period of time,” Dufresne said.
One thing Dufresne said he could verify: “The vast majority of .om registered domains are malicious, according to our research, and they are receiving a non-trivial amount of traffic… Furthermore, typosquatting techniques could be used by more persistent and patient adversaries to gain remote access to targeted victims.”