Typosquat Campaign Targeting Android, Windows Users Now Counts 600+ Domains

Security researchers have uncovered several pivots that suggest a much larger set of domains associated with a massive typosquat campaign discovered by Cyble and Bleeping Computer over the weekend.

The attacks, targeting Windows and Android users, mimicked 27 brands across over 200 typosquatting domains.

DomainTools is now saying they have uncovered additional suspicious infrastructure, which the company detailed in a blog post shared with Infosecurity.

“By including DNS-based pivots that go beyond the host’s IP address, the list of suspicious domains grew to more than 600, with 9 of these created in the last week and well over 400 still active and not yet on common 3rd party threat intel feeds and blocking lists,” reads the technical write-up.

“With the connection to the ever-popular Vidar stealer and other malware, we can reasonably conclude that the ultimate goal is to steal credentials to app accounts, crypto wallets, etc., and perhaps use infected hosts as proxies for further malicious activity.”

While most of the domain registrations took place in the second half of 2022, DomainTools said records seen by the team show ones dating back to the fall of 2021. The company has compiled a complete list of the more than 600 identified domains, which is available at this link.

After reviewing the new domains, the security researchers have said they all look to use similar web page designs as possible lures.

“If they follow a similar pattern, they would deliver a variety of malware, most of which is designed to achieve persistence on the infected device as well as potential use for the delivery of future lures to unsuspecting targets.”

DomainTools has said they have not validated any specific malicious sites but that the public should be aware of the full scope of activity tied to this campaign and avoid these domains until further investigation.

“We recommend that defenders immediately block or alert these 600+ questionable domains until they can determine if they are malicious.”

For more information about how cyber-criminals are using new tactics to increase chances of success in phishing attacks, you can read this analysis by cybersecurity blogger Farwa Sajjad.

What’s Hot on Infosecurity Magazine?