Phishers are using a typosquatted domain name that mimics the URL of a popular e-commerce site to lure victims to a malicious website. That site prompts visitors to download a malicious add-on which, once installed, steers them to phishing sites even when they type legitimate URLs into their browser's address bar.
According to a report written by Symantec’s Matthew Maniyara, the campaign’s primary motive is financial.
Fortunately, the attack's success depends on the consent of its victims: the malicious site can only prompt users to install the add-on. Visitors to the site see a dialogue box informing them that their browser has blocked the installation and that user permission is required before the add-on can be installed.
In the case Maniyara examined, the dialogue box even warns the user to install add-ons only from trusted sources, and that malicious software can damage their computer.
It goes without saying that this is not an especially devious threat, but it nevertheless uses some interesting tactics. First, when users navigate to the malicious site, it detects which browser they are using before prompting them to install the version of the malicious add-on built for that browser.
If a user allows the installation, the add-on is placed in the Windows System32 directory and alters the hosts file. As Maniyara explains, the hosts file maps domain names to IP addresses: when a user enters a URL into the browser's address bar, the browser consults the local entries in the hosts file before sending a DNS query.
An unaltered hosts file simply translates human-readable names (domain names and URLs) into the addresses the computer understands (IP addresses). Here, however, the add-on modifies the hosts file so that the domain names of recognizable brands are mapped to IP addresses belonging to phishing sites. As a result, a user who tries to navigate to a legitimate website ends up at the phishing site that impersonates it.
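Detection logic for the hosts-file tampering described above, added here as an example and not taken from the Symantec report: it parses hosts-file text and flags any entry that points a dotted domain name at an address other than loopback or 0.0.0.0, which is exactly the pattern the add-on leaves behind. The sample hosts content and the RFC 5737 documentation addresses in it are constructed.

```python
import ipaddress

# Constructed sample hosts-file content resembling what the add-on described
# above would leave behind; the addresses are RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad-blocklist style entry, benign
198.51.100.23   www.example-bank.com example-bank.com   # added by add-on
203.0.113.7     shop.example-store.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.

    Handles '#' comments, blank lines, tabs/spaces and several hostnames on
    one line, all of which the Windows hosts file allows.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver skips it too
        for name in fields[1:]:
            yield line_no, ip, name.lower()

def find_hijacks(text):
    """Return (line_no, ip, hostname) for entries that send a public domain
    name somewhere other than loopback or 0.0.0.0.

    A clean hosts file maps names to 127.0.0.1/::1 (or to 0.0.0.0 for
    blocklists). Any other target for a dotted domain name is the pattern
    the add-on above uses to redirect legitimate URLs to phishing hosts.
    """
    return [
        (line_no, str(ip), name)
        for line_no, ip, name in parse_hosts(text)
        if not (ip.is_loopback or ip.is_unspecified) and "." in name
    ]

if __name__ == "__main__":
    for line_no, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}  (not loopback: possible hijack)")
```

On a Windows host the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; any flagged entry for a brand the user did not add themselves deserves a closer look.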
Symantec reports that the initial infection site that prompts users to download the malicious add-on is currently inactive.