Typosquatters Running .om Domain Scam To Push Mac Malware (threatpost.com)

← Back to Stories (view on slashdot.org)

Typosquatters Running .om Domain Scam To Push Mac Malware (threatpost.com)

Posted by BeauHD on Monday March 14, 2016 @01:25PM from the slash-dot-dot-om dept.

msm1267 writes from an article on Threatpost: Typosquatters are targeting Apple computer users with malware in a recent campaign that snares clumsy web surfers who mistakenly type .om instead of .com when surfing the web. According to Endgame security researchers, the top level domain for Middle Eastern country Oman (.om) is being exploited by typosquatters who have registered more than 300 domain names with the .om suffix for U.S. companies and services such as Citibank, Dell, Macys and Gmail. Endgame made the discovery last week and reports that several groups are behind the typosquatter campaigns. Mac OS X users are being singled out in this typosquatting campaign with malware. According to Endgame, when a Mac user stumbles on one of the typosquatters' webpages, a fake Adobe Flash update pops up and attempts to trick users to install the advertising component called Genieo. Endgame suspects that typosquatters are exploiting a hole in Oman's domain name registration process. When Endgame tried to register a domain it was asked to verify that it had the authority to registrar a specific commercial domain. "It's unclear how typosquatters were able to register so many domains in such a short period of time," Endgame said.

35 of 64 comments (clear)

Min score:

Reason:

Sort:

"It's unclear how typosquatters were able to.... by turkeydance · 2016-03-14 13:36 · Score: 2

no it's not.
Easy fix by BarbaraHudson · 2016-03-14 13:37 · Score: 3, Insightful

The easy fix is to switch to a fixed-width, fixed-size font so that things like bankofarnerica don't look like bankofamerica, etc.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
1. Re:Easy fix by 110010001000 · 2016-03-14 13:40 · Score: 2
  
  I hate it when things look like one thing, but actually are another.
2. Re:Easy fix by anarkhos · 2016-03-14 13:51 · Score: 1
  
  What about fonts that male I look like L
  
  --
  >80 column hard wrapped e-mail is not a sign of intelligent
  >life
3. Re:Easy fix by Anonymous Coward · 2016-03-14 16:17 · Score: 1
  
  The developer of my software used SourceForge and I got Malware, you insensitive clod!
4. Re:Easy fix by Jeremi · 2016-03-14 17:38 · Score: 2
  
  No, the easy fix is to never update software from anywhere other than the developer's website. Has the bonus feature of always working now and forever on every OS.
  You have a lot of faith in the incorruptibility of your DNS server, I see. :)
  
  --
  
  I don't care if it's 90,000 hectares. That lake was not my doing.
5. Re:Easy fix by Solandri · 2016-03-14 17:47 · Score: 1
  
  I just gave up and started typing things like "bank of america" (actually bofa) into Google. If I make a typo, it almost always catches it and suggests the correct URL.
6. Re:Easy fix by bloodhawk · 2016-03-14 18:14 · Score: 1
  
  The easy fix is to switch to a fixed-width, fixed-size font so that things like bankofarnerica don't look like bankofamerica, etc.
  No, the easy fix is to never update software from anywhere other than the developer's website. Has the bonus feature of always working now and forever on every OS.
  perhaps you missed the part of this story that says it is about typosquatters? I am sure Ubuntu.om or maybe redhat.om will happily serve you up your "safe" updates.
7. Re:Easy fix by l0n3s0m3phr34k · 2016-03-14 18:18 · Score: 1
  
  I think the domain names would actually be redhatc.om and ubuntuc.om, were someone swapped the . and the c
8. Re:Easy fix by bloodhawk · 2016-03-14 21:20 · Score: 1
  
  most likely if they are doing this they would be cover that and many other combinations, why limit yourself to one domain when 20 or 30 misspellings will net you far more careless users. What I don't understand is why they went the route of installing malware. They were in a position to get users to enter bank details and other identity information as the users thinks they are at the trusted site they typed in, malware just raises the suspicion level when they could have harvested far more by careful selection of banks and sites that don't use MFA.
9. Re:Easy fix by DigiShaman · 2016-03-14 23:31 · Score: 2
  
  I know I'll catch hell for suggesting it - "breaking the internet" and all that - but perhaps it would be best if users could opt out of certain domains at the OS level. For example, I have no intention or desire to surf .RU. None at all. As far as I'm concerned, it would only serve me malware at the very least. I would block .OM there too.
  
  --
  Life is not for the lazy.
10. Re:Easy fix by phishybongwaters · 2016-03-15 00:16 · Score: 1
  
  Because just obtaining the logins isn't enough, delivering a malware payload to the end system offers full control and monitoring. The reality is, your bank account info isn't that important, and most banks / credit cards do indeed have fraud protection. So what's the goal of malware now? Crypto locking stuff, and more importantly, crypto currency mining/generation. I can make more money than I'll even be able to steal from your bank account (tracable) by placing your device into a malware driving bitcoin farm. And for the most part, bitcoin can be harder to trace than me sending your cash to an account I've opened somewhere. If I was a bad guy, that's my plan right there with some slight modifications. If I kill and slaughter that cow I'll get a bunch of beef. BUT... if I feed it and nurture it, I might get milk for the next dozen years.
11. Re:Easy fix by ruir · 2016-03-15 00:19 · Score: 1
  
  I am running an internal DNS at home, BIND+RPZ, and as reading this article I added .OM to my RPZ. Problem solved.
12. Re:Easy fix by Maritz · 2016-03-15 00:56 · Score: 1
  
  If only there was a convenient way of turning those IP addresses into hostnames...
  
  --
  I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
13. Re:Easy fix by BarbaraHudson · 2016-03-15 03:07 · Score: 1
  
  microsoft.com as opposed to microsoftc.om - the problem IS kerning - the dot takes up less space.
  
  --
  "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
14. Re:Easy fix by Raistlin77 · 2016-03-15 10:31 · Score: 1
  
  Hmm, maybe something like a local file that your browser could check. Maybe call it "hosts"...
Really? by 110010001000 · 2016-03-14 13:39 · Score: 4, Funny

I tried all the domains mentioned with a Mac and didn't see anything, just a bunch of 404s, domain name holding pages and redirects to the proper .com name. I guess investigative reporting isn't what it used to be. I'll be back responding to your comments once I upgrade Flash. Apparently it is out of date.
1. Re:Really? by grantspassalan · 2016-03-14 15:18 · Score: 1
  
  You have a Mac and are still using flash? How quaint!
  
  --
  A sufficiently advanced simulation is indistinguishable from reality.
2. Re:Really? by xorbe · 2016-03-14 15:38 · Score: 1
  
  Probably you need a deep link that's something other than the front page. Fake front pages and redirections to avoid attention.
"typosquatter" by Jumunquo · 2016-03-14 13:39 · Score: 1

I didn't know this was a word.
I guess we can thank all the greedy folks at ICANN for the subdomain cash grab that gives typosquatters so many new possiblities.
1. Re:"typosquatter" by SEE · 2016-03-14 15:08 · Score: 3, Informative
  
  No, this isn't ICANN's doing. .om is the country-code domain for Oman, under the standard policy of using ISO 3166-1 designators, as established by Jon Postel back before ICANN ever existed.
Oh, typosquatters by JustAnotherOldGuy · 2016-03-14 13:55 · Score: 1

Oh, typosquatters, I'm always amazed at how much work you're willing to do in the hopes that you'll be able to screw people over.

--
Just cruising through this digital world at 33 1/3 rpm...
1. Re:Oh, typosquatters by bloodhawk · 2016-03-14 16:46 · Score: 1
  
  really? typosquatting is one of the easiest routes to hijack unsuspecting users. Much better than a phishing email as the user if presented right in the browser will be seeing their banks page asking them to update X or please enter your credentials. typosquatting is the lazy way to get users to your dodgy site.
2. Re:Oh, typosquatters by meerling · 2016-03-14 16:59 · Score: 1
  
  Typosquatting isn't done to screw people over, it's done to screw them out of money. The generalized screwing over is just a byproduct of the financial redistribution efforts.
Re:Simple fix by toonces33 · 2016-03-14 14:27 · Score: 1

Good idea. We should set up a Kicksquatter to try and get this done..
Re:O M G! by jtara · 2016-03-14 14:29 · Score: 1

So, resolve *.om to 0.0.0.0, you say?
Yes
I doubt that most of us will miss being able to visit websites in Oman.
Its ... by PPH · 2016-03-14 14:38 · Score: 1

... $current_year and still using Flash.

--
Have gnu, will travel.
1. Re:Its ... by chthon · 2016-03-14 19:25 · Score: 1
  
  Maybe Anonymous should do a campaign against king.com, so that their games do not need Flash any more.
Re:Heh, mac by bug_hunter · 2016-03-14 18:21 · Score: 1

From what I understood from the article, you still have to click something on a webpage, which downloads a file you have to double click on in your file system. So you should still get
"This was a file downloaded from the internet that has no trusted developer certificate - are you sure you want to run it" warning - where you have to update the security level in control panels to let you run it.

For people who only run apps from the App Store (which to be fair, I wouldn't recommend) would not get into this situation thanks to App Store sandboxing. Not sure what else can be done.

This is probably on par with Windows 10 Security, but that advert was made in the days where just previewing an email with Outlook could get you infected with a virus.

--
It's turtles all the way down.
Re:"It's unclear how typosquatters were able to... by Firefalcon · 2016-03-14 20:05 · Score: 1

Or "Oman Data Park LLC" where at least a couple of these domains were registered through (from a quick check) was compromised?
Re:"It's unclear how typosquatters were able to... by infolation · 2016-03-14 21:45 · Score: 3, Interesting

They paid someone. Oman is endemically corrupt.

I've worked in Muscat a number of times over the past two years and, from the start, it was immediately clear why it's considered the most corrupt country in the Arabian Gulf. If a foreigner wants some expedient business assistance from the authorities, they bribe someone. If they want the authorities to not do something, or look the other way... they bribe someone. Every business obstacle or impediment is routinely solved with bribes in Oman.

That sounds like we were being picked on as soft targets since we were paying a lot of bribes. But this applied to every foreign company we came across dealing with Oman (in the tech sector at least). You simply cannot believe how often foreign companies dealing with Oman have to pay people to make things happen.
Re:O M G! by ruir · 2016-03-15 00:22 · Score: 1

RPZ policy in BIND, .OM added to backlisting. If someone interested on it, I will give a link to the tutorial I wrote.
Re:Simple fix by Maritz · 2016-03-15 00:59 · Score: 1

Looks like kicksquatterc.om is free...

--
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
Re:incomplete fix by castionsosa · 2016-03-15 02:20 · Score: 1

That is a good idea. The closest to this is .com, because the "land rush" has long since petered out. However, it would be nice to have a special TLD that has a distinct color when the web page is viewed (similar to EV SSL certs), and can be used in combination with EV. Some rules that sites must follow would be things like using SSL/TLS for all web traffic (other than the initial HTTP redirect to the secure site), staying updated to security levels, some concrete proof that the site is whom they claim to be given to the TLD owner (copies of the DBA), and so on. Ideally, it would mean sites are required to meet a security standard like PCI-DSS3.2, HIPAA, CJIS, FISMA, or some other known standard of security (where violating it will mean actual pain rather than a slap on the wrist.)
Of course, who is the gatekeeper for this domain? Ideally, it should be multiple domains so one country doesn't have the keys to the city for another. Perhaps some form of the TLD of the country with a character before it, like xde, xus, xco, so it is obvious it is a different domain, but the country of origin is standardized.
More to come? by RogueWarrior65 · 2016-03-15 02:58 · Score: 1

Tell me again why the US should give up control of the internet?