U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Bitcoin case – How cybercriminals exploit typosquatting

How cyber criminals could exploit typosquatting? The case of MtGox proposed by MalwareBytes, a fake domain used to serve malicious codes. Typosquatting, also called URL hijacking, is a common form of hacking which relies on mistakes such as typographical errors made by Internet users when typing the website address into the address bar of their browser. Should a user […]

Bitcoin case – How cybercriminals exploit typosquatting

How cyber criminals could exploit typosquatting? The case of MtGox proposed by MalwareBytes, a fake domain used to serve malicious codes.

Typosquatting, also called URL hijacking, is a common form of hacking which relies on mistakes such as typographical errors made by Internet users when typing the website address into the address bar of their browser. Should a user accidentally enter an incorrect website address, they may be led to URLs related to websites managed by cybercriminals.

Criminals could operate substantially with two different techniques to exploit typosquating:

  • register domains having URLs similar to legitimate websites belonging to popular brands.
  • analyze the topic of interest in a particular period registering domain with URL similar to legitimate website reporting the information of interest.

Let’s wear the clothes of the cyber criminal and try to take advantage of the second scenario, the first topic I have in mind is Bitcoin so let’s verify if it could be a good idea to exploit typosquatting on URL related to websites that propose information on the popular virtual currency. Google Trends is a mine of information and looking at the below graph it is possible to note an increasing interest on the topic confirmed by the number of research on it. This means that a huge quantity of Internet users searches for Bitcoin information and navigate on Bitcon website.

typosquatting Bitcoin trend 2013

Malwarebytes security firm published an interesting post titled “Typo Trouble in Bitcoin Land” to show how much dangerous could be a typosquatting on the  World’s Largest Bitcoin exchange Mt. Gox.

Looking at the image below it is possible to not that cybercriminals exploited the error made by users typing “mtegox(.)com” instead “mtgox.com”.

typosquatting Bitcoin trend 2013 MTgox

The site is managed by cybercriminals, currently it is down, and was a repository of malicious files served to users under the pretense of “This file is needed to do x with your Bitcoins”.

VirusTotal provided a detailed analysis of the malicious domain demonstrating that typosquatting method was used in the specific case by the attackers.

typosquatting Bitcoin trend 2013 Virus Total

The experts at MalwareBytes discovered that running the malicious file the executable deletes the original file, placing additional hidden folders and files on the infected machine.

“That particular foldername shows up in a couple of sandbox reports and other pieces of analysis, including Malwr, a Joe Sandbox report and Lavasoft with the last two referencing a dayzstreaming website offering up yet more files.”

Malwarebytes Anti-Malware detects the above as Spyware.Zbot.ED, and it is currently pegged at 39/49 on VirusTotal.

The malicious domain is full of other malicious elements a good reason to consider typosquatting a serious menace. A good practice is to be sure to double-check any and all “gox” themed URLs sent your way.

Typosquatting could be effective to arrange phishing campaigns or to serve malicious code such as spyware and Bitcoin miner, good advice is to double check URLs before submit them.

Pierluigi Paganini

(Security Affairs –  Typosquatting, cybercrime)