Slashdot Mirror


Typosquatters Running .om Domain Scam To Push Mac Malware (threatpost.com)

msm1267 writes from an article on Threatpost: Typosquatters are targeting Apple computer users with malware in a recent campaign that snares clumsy web surfers who mistakenly type .om instead of .com when surfing the web. According to Endgame security researchers, the top level domain for Middle Eastern country Oman (.om) is being exploited by typosquatters who have registered more than 300 domain names with the .om suffix for U.S. companies and services such as Citibank, Dell, Macys and Gmail. Endgame made the discovery last week and reports that several groups are behind the typosquatter campaigns. Mac OS X users are being singled out in this typosquatting campaign with malware. According to Endgame, when a Mac user stumbles on one of the typosquatters' webpages, a fake Adobe Flash update pops up and attempts to trick users to install the advertising component called Genieo. Endgame suspects that typosquatters are exploiting a hole in Oman's domain name registration process. When Endgame tried to register a domain, it was asked to verify that it had the authority to register a specific commercial domain. "It's unclear how typosquatters were able to register so many domains in such a short period of time," Endgame said.

64 comments

  1. "It's unclear how typosquatters were able to.... by turkeydance · · Score: 2

    No, it's not.

  2. Easy fix by BarbaraHudson · · Score: 3, Insightful

    The easy fix is to switch to a fixed-width, fixed-size font so that things like bankofarnerica don't look like bankofamerica, etc.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

    1. Re:Easy fix by 110010001000 · · Score: 2

      I hate it when things look like one thing, but actually are another.

    2. Re:Easy fix by anarkhos · · Score: 1

      What about fonts that make I look like L

      --
      >80 column hard wrapped e-mail is not a sign of intelligent
      >life

    3. Re:Easy fix by gordguide · · Score: 0

      The easy fix is to switch to a fixed-width, fixed-size font so that things like bankofarnerica don't look like bankofamerica, etc.

      No, the easy fix is to never update software from anywhere other than the developer's website. Has the bonus feature of always working now and forever on every OS.

    4. Re:Easy fix by TroII · · Score: 0

      Keming is a bitch. But I don't think that would help here, a monospace font doesn't make .om look any more or less like .com.

    5. Re:Easy fix by Anonymous Coward · · Score: 1

      The developer of my software used SourceForge and I got Malware, you insensitive clod!

    6. Re:Easy fix by Jeremi · · Score: 2

      No, the easy fix is to never update software from anywhere other than the developer's website. Has the bonus feature of always working now and forever on every OS.

      You have a lot of faith in the incorruptibility of your DNS server, I see. :)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.

    7. Re:Easy fix by Solandri · · Score: 1

      I just gave up and started typing things like "bank of america" (actually bofa) into Google. If I make a typo, it almost always catches it and suggests the correct URL.

    8. Re:Easy fix by Anonymous Coward · · Score: 0

      Bookmark?

    9. Re:Easy fix by Anonymous Coward · · Score: 0

      Even easier is using only IP numbers. No extra cost, DNS nor ICANN.

    10. Re:Easy fix by bloodhawk · · Score: 1

      The easy fix is to switch to a fixed-width, fixed-size font so that things like bankofarnerica don't look like bankofamerica, etc.

      No, the easy fix is to never update software from anywhere other than the developer's website. Has the bonus feature of always working now and forever on every OS.

      Perhaps you missed the part of this story that says it is about typosquatters? I am sure Ubuntu.om or maybe redhat.om will happily serve you up your "safe" updates.

    11. Re:Easy fix by l0n3s0m3phr34k · · Score: 1

      I think the domain names would actually be redhatc.om and ubuntuc.om, where someone swapped the . and the c

    12. Re:Easy fix by bloodhawk · · Score: 1

      Most likely if they are doing this they would cover that and many other combinations; why limit yourself to one domain when 20 or 30 misspellings will net you far more careless users. What I don't understand is why they went the route of installing malware. They were in a position to get users to enter bank details and other identity information as the user thinks they are at the trusted site they typed in; malware just raises the suspicion level when they could have harvested far more by careful selection of banks and sites that don't use MFA.

    13. Re:Easy fix by DigiShaman · · Score: 2

      I know I'll catch hell for suggesting it - "breaking the internet" and all that - but perhaps it would be best if users could opt out of certain domains at the OS level. For example, I have no intention or desire to surf .RU. None at all. As far as I'm concerned, it would only serve me malware at the very least. I would block .OM there too.

      --
      Life is not for the lazy.

    14. Re:Easy fix by phishybongwaters · · Score: 1

      Because just obtaining the logins isn't enough, delivering a malware payload to the end system offers full control and monitoring. The reality is, your bank account info isn't that important, and most banks / credit cards do indeed have fraud protection. So what's the goal of malware now? Crypto locking stuff, and more importantly, crypto currency mining/generation. I can make more money than I'll even be able to steal from your bank account (traceable) by placing your device into a malware driving bitcoin farm. And for the most part, bitcoin can be harder to trace than me sending your cash to an account I've opened somewhere. If I was a bad guy, that's my plan right there with some slight modifications. If I kill and slaughter that cow I'll get a bunch of beef. BUT... if I feed it and nurture it, I might get milk for the next dozen years.

    15. Re:Easy fix by ruir · · Score: 1

      I am running an internal DNS at home, BIND+RPZ, and while reading this article I added .OM to my RPZ. Problem solved.

    16. Re:Easy fix by Anonymous Coward · · Score: 0

      Keming is a bitch.

      I see what you did there...

    17. Re:Easy fix by Maritz · · Score: 1

      If only there was a convenient way of turning those IP addresses into hostnames...

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.

    18. Re:Easy fix by BarbaraHudson · · Score: 1

      microsoft.com as opposed to microsoftc.om - the problem IS kerning - the dot takes up less space.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

    19. Re:Easy fix by Anonymous Coward · · Score: 0

      I've got an easier fix.

      *click*

      The entire .om TLD is now blacklisted in my DNS servers.

      *click*

      The entire .om TLD gets mail routed to /dev/null

      And done. Nothing of value was lost. I suspect pretty much everyone else who's interested in not getting phished will do the same.

    20. Re:Easy fix by Anonymous Coward · · Score: 0

      this post brought to you by the letter 't ' for transsexual, which has nothing to do with the greater LGBT group

      I hate it when things look like one thing, but actually are another.

      LOL, love the context!

    21. Re:Easy fix by Raistlin77 · · Score: 1

      Hmm, maybe something like a local file that your browser could check. Maybe call it "hosts"...

  3. Really? by 110010001000 · · Score: 4, Funny

    I tried all the domains mentioned with a Mac and didn't see anything, just a bunch of 404s, domain name holding pages and redirects to the proper .com name. I guess investigative reporting isn't what it used to be. I'll be back responding to your comments once I upgrade Flash. Apparently it is out of date.

    1. Re:Really? by grantspassalan · · Score: 1

      You have a Mac and are still using flash? How quaint!

      --
      A sufficiently advanced simulation is indistinguishable from reality.

    2. Re:Really? by xorbe · · Score: 1

      Probably you need a deep link that's something other than the front page. Fake front pages and redirections to avoid attention.

    3. Re:Really? by Anonymous Coward · · Score: 0

      could of shortened that. "You have a Mac? How Quaint!"

    4. Re:Really? by Anonymous Coward · · Score: 0

      Yes....

      YESSSSS....

      Let the hate flow through you!

      There's definitely no professional at all that uses a Mac. No siree! They all use God's own Windows or Jesus's Linux. Yep. No professional ever would ever use a Mac. Definitely not the government and definitely not hundreds of thousands of businesses, nope not at all!

    5. Re:Really? by Anonymous Coward · · Score: 0

      Reality check: far better being quaint than irresponsible using Windows.

    6. Re:Really? by Anonymous Coward · · Score: 0

      Woosh!

    7. Re:Really? by Anonymous Coward · · Score: 0

      "could of" ?

      Do you really not know the difference between "could've" and something completely stupid?

  4. "typosquatter" by Jumunquo · · Score: 1

    I didn't know this was a word.

    I guess we can thank all the greedy folks at ICANN for the subdomain cash grab that gives typosquatters so many new possibilities.

    1. Re:"typosquatter" by SEE · · Score: 3, Informative

      No, this isn't ICANN's doing. .om is the country-code domain for Oman, under the standard policy of using ISO 3166-1 designators, as established by Jon Postel back before ICANN ever existed.

  5. O M G! by Anonymous Coward · · Score: 0

    So, resolve *.om to 0.0.0.0, you say?

    1. Re:O M G! by jtara · · Score: 1

      So, resolve *.om to 0.0.0.0, you say?

      Yes

      I doubt that most of us will miss being able to visit websites in Oman.

    2. Re:O M G! by Anonymous Coward · · Score: 0

      Well, I live next door to Oman and go there regularly for holidays, but I have never seen or used a .om domain.

    3. Re:O M G! by ruir · · Score: 1

      RPZ policy in BIND, .OM added to blacklisting. If someone is interested in it, I will give a link to the tutorial I wrote.

    4. Re:O M G! by Anonymous Coward · · Score: 0

      Yeah, blacklist a whole country. No, it isn't racist ... erm because err

    5. Re:O M G! by Anonymous Coward · · Score: 0

      I blacklisted all .cn and .ru domains at my mail server over a decade ago. Oddly enough, no legitimate email has ever been impacted by this. So yeah, blacklist a whole country. If that makes me racist, well, I'll see you at the next local KKK rally.

  6. Heh, mac by Anonymous Coward · · Score: 0

    I feel obligated to point this out:

    https://www.youtube.com/watch?v=qfv6Ah_MVJU

    Remember when mac users were using this as definitive proof of Apple superiority? Well, it looks like the chickens have come home to roost.

    1. Re:Heh, mac by bug_hunter · · Score: 1

      From what I understood from the article, you still have to click something on a webpage, which downloads a file you have to double click on in your file system. So you should still get the "This was a file downloaded from the internet that has no trusted developer certificate - are you sure you want to run it" warning, where you have to update the security level in control panels to let you run it.

      People who only run apps from the App Store (which to be fair, I wouldn't recommend) would not get into this situation thanks to App Store sandboxing. Not sure what else can be done.

      This is probably on par with Windows 10 Security, but that advert was made in the days where just previewing an email with Outlook could get you infected with a virus.

      --
      It's turtles all the way down.

    2. Re:Heh, mac by Anonymous Coward · · Score: 0

      ...in the days where just previewing an email with Outlook could get you infected with a virus.

      Last weekend?

  7. Oh, typosquatters by JustAnotherOldGuy · · Score: 1

    Oh, typosquatters, I'm always amazed at how much work you're willing to do in the hopes that you'll be able to screw people over.

    --
    Just cruising through this digital world at 33 1/3 rpm...

    1. Re:Oh, typosquatters by bloodhawk · · Score: 1

      Really? Typosquatting is one of the easiest routes to hijack unsuspecting users. Much better than a phishing email, as the user, if it is presented right in the browser, will be seeing their bank's page asking them to update X or please enter your credentials. Typosquatting is the lazy way to get users to your dodgy site.

    2. Re:Oh, typosquatters by meerling · · Score: 1

      Typosquatting isn't done to screw people over, it's done to screw them out of money. The generalized screwing over is just a byproduct of the financial redistribution efforts.

  8. Simple fix by Anonymous Coward · · Score: 0

    Simple fix: Add a confirmation (with option to not ask again) when domain ends in unusual TLDs like .om. Might as well also create a list for important sites, such as banks, and detect typos.
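
Two defensive ideas recur in this thread: refusing the whole .om TLD at the resolver (ruir's BIND RPZ comments above) and, in the "Simple fix" post, confirming unusual TLDs and checking typed names against a list of important sites. The following is an added Python example that puts both checks in one policy function; it is not code from Endgame, Threatpost or any commenter. The block list, the protected-domain list, the edit-distance threshold of 2 and the sample hostnames are constructed assumptions, and the hostname split takes the last two labels instead of consulting the Public Suffix List.

```python
"""Resolver- or browser-side policy check for typed hostnames.

Added example for this thread (not code from Endgame, Threatpost or any
commenter). It combines two ideas from the comments: refuse a configured
set of TLDs outright (the "add .OM to my RPZ" approach) and ask the user to
confirm when a name is within a couple of edits of a protected site.
The lists, threshold and sample names below are constructed for the example.
"""
from __future__ import annotations

# Constructed policy: TLDs this resolver refuses outright.
BLOCKED_TLDS = {"om"}

# Constructed list of "important sites" whose near-miss spellings we want to catch.
PROTECTED_DOMAINS = [
    "bankofamerica.com",
    "citibank.com",
    "gmail.com",
    "dell.com",
    "macys.com",
    "microsoft.com",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, each costing 1 (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def apex_and_tld(host: str) -> tuple[str, str]:
    """Reduce 'www.bankofamerica.om.' to ('bankofamerica.om', 'om').

    Assumption: a single-label TLD. Real code should consult the Public
    Suffix List so that 'example.co.uk' is not read as apex 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:          # bare word such as 'google': no TLD typed
        return labels[0], ""
    return ".".join(labels[-2:]), labels[-1]


def classify(host: str, max_distance: int = 2) -> dict:
    """Return a verdict dict (block / confirm / allow) with a reason, plus a
    suggested protected domain when the typed name is a near miss."""
    apex, tld = apex_and_tld(host)
    result = {"host": host, "apex": apex}

    # Nearest protected domain, comparing whole apex names so that a dot
    # swapped with a letter ("microsoftc.om" vs "microsoft.com") counts as
    # two substitutions rather than as a completely different name.
    nearest = min(PROTECTED_DOMAINS, key=lambda d: levenshtein(apex, d))
    dist = levenshtein(apex, nearest)
    if dist <= max_distance and apex != nearest:
        result["suggest"] = nearest

    if tld in BLOCKED_TLDS:
        result.update(verdict="block", reason=f"TLD .{tld} is on the block list")
    elif apex in PROTECTED_DOMAINS:
        result.update(verdict="allow", reason="exact match of a protected domain")
    elif "suggest" in result:
        result.update(verdict="confirm",
                      reason=f"{apex} is {dist} edit(s) from {nearest}")
    else:
        result.update(verdict="allow", reason="no policy match")
    return result


if __name__ == "__main__":
    # Constructed sample inputs: a swapped dot, the .om typo, an 'rn' for 'm'
    # lookalike, a correct name and an unrelated name.
    for sample in ["microsoftc.om", "www.bankofamerica.om", "bankofarnerica.com",
                   "citibank.com", "example.org"]:
        v = classify(sample)
        print(f"{sample:24} {v['verdict']:8} {v['reason']}"
              + (f" -> try {v['suggest']}" if "suggest" in v else ""))
```

The distance is computed before the TLD check so that a blocked .om name still carries the suggested .com spelling, which is what a resolver or browser would show in its confirmation prompt; the "rn" for "m" case from the font comments above lands in the confirm bucket because it is two edits from the protected name.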

    1. Re:Simple fix by toonces33 · · Score: 1

      Good idea. We should set up a Kicksquatter to try and get this done.

    2. Re:Simple fix by Anonymous Coward · · Score: 0

      That would be really confusing for Mac owners living in Oman!

    3. Re:Simple fix by Maritz · · Score: 1

      Looks like kicksquatterc.om is free...

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.

  9. Its ... by PPH · · Score: 1

    ... $current_year and still using Flash.

    --
    Have gnu, will travel.

    1. Re:Its ... by chthon · · Score: 1

      Maybe Anonymous should do a campaign against king.com, so that their games do not need Flash any more.

  10. I'm trying to work out by Anonymous Coward · · Score: 0

    how it was possible for the submitter to not understand this story

  11. Re:incomplete fix by Anonymous Coward · · Score: 0

    Note: Phishing and typo squatting are different things.

    Your solution will definitely help if someone's stupid enough to click on a link to bankofarnerica.com.
    But it won't change anything if the user doesn't notice that he typed bankofamerica.om and a fancy padlock icon still appears in the browser.

    IMO, all banks should be required by international law to use a tightly-regulated TLD, and then browsers could show a padlock with the local currency symbol.

  12. Re:"It's unclear how typosquatters were able to... by Anonymous Coward · · Score: 0

    So how?

  13. It isn't investigative reporting by Anonymous Coward · · Score: 0

    It's run-of-the-mill "sekiooritee" pandering to base fears of the cyber-illiterate. The summary already gives the clues. The intended audience certainly is not "nerds" but "prospective clients" to be scared into giving monies to these purveyors of imperial security blankets.

  14. Re:"It's unclear how typosquatters were able to... by Anonymous Coward · · Score: 0

    I'm just guessing here, but:
    A web interface for domain registration, and a credit card?

  15. Re:"It's unclear how typosquatters were able to... by Firefalcon · · Score: 1

    Or "Oman Data Park LLC", which at least a couple of these domains were registered through (from a quick check), was compromised?

  16. Re:"It's unclear how typosquatters were able to... by infolation · · Score: 3, Interesting

    They paid someone. Oman is endemically corrupt.

    I've worked in Muscat a number of times over the past two years and, from the start, it was immediately clear why it's considered the most corrupt country in the Arabian Gulf. If a foreigner wants some expedient business assistance from the authorities, they bribe someone. If they want the authorities to not do something, or look the other way... they bribe someone. Every business obstacle or impediment is routinely solved with bribes in Oman.

    That sounds like we were being picked on as soft targets since we were paying a lot of bribes. But this applied to every foreign company we came across dealing with Oman (in the tech sector at least). You simply cannot believe how often foreign companies dealing with Oman have to pay people to make things happen.

  17. COM? by phishybongwaters · · Score: 0

    Who the hell types .com? It's 2016 and most modern browsers (anything but IE I suspect) figure out what you mean. google in the address bar is the same as "google.com" and the only time I specify a root is when I want the Canadian site without turning on location.

    1. Re:COM? by Anonymous Coward · · Score: 0

      The same people who will tell you the address is "http: forward slash forward slash..."

    2. Re:COM? by Anonymous Coward · · Score: 0

      you suspect wrong, as your kind usually do

  18. Re:incomplete fix by castionsosa · · Score: 1

    That is a good idea. The closest to this is .com, because the "land rush" has long since petered out. However, it would be nice to have a special TLD that has a distinct color when the web page is viewed (similar to EV SSL certs), and can be used in combination with EV. Some rules that sites must follow would be things like using SSL/TLS for all web traffic (other than the initial HTTP redirect to the secure site), staying updated to security levels, some concrete proof that the site is who they claim to be given to the TLD owner (copies of the DBA), and so on. Ideally, it would mean sites are required to meet a security standard like PCI-DSS 3.2, HIPAA, CJIS, FISMA, or some other known standard of security (where violating it will mean actual pain rather than a slap on the wrist).

    Of course, who is the gatekeeper for this domain? Ideally, it should be multiple domains so one country doesn't have the keys to the city for another. Perhaps some form of the TLD of the country with a character before it, like xde, xus, xco, so it is obvious it is a different domain, but the country of origin is standardized.

  19. More to come? by RogueWarrior65 · · Score: 1

    Tell me again why the US should give up control of the internet?

  20. Oman by Anonymous Coward · · Score: 0

    I am not good with computers