Typosquatters Running .om Domain Scam To Push Mac Malware

msm1267 writes from an article on Threatpost: Typosquatters are targeting Apple computer users with malware in a recent campaign that snares clumsy web surfers who mistakenly type .om instead of .com when surfing the web. According to Endgame security researchers, the top level domain for Middle Eastern country Oman (.om) is being exploited by typosquatters who have registered more than 300 domain names with the .om suffix for U.S. companies and services such as Citibank, Dell, Macys and Gmail. Endgame made the discovery last week and reports that several groups are behind the typosquatter campaigns. Mac OS X users are being singled out in this typosquatting campaign with malware. According to Endgame, when a Mac user stumbles on one of the typosquatters' webpages, a fake Adobe Flash update pops up and attempts to trick users to install the advertising component called Genieo. Endgame suspects that typosquatters are exploiting a hole in Oman's domain name registration process. When Endgame tried to register a domain it was asked to verify that it had the authority to registrar a specific commercial domain. "It's unclear how typosquatters were able to register so many domains in such a short period of time," Endgame said.

"It's unclear how typosquatters were able to....

[turkeydance]

no it's not.

Re:

[Firefalcon]

Or "Oman Data Park LLC" where at least a couple of these domains were registered through (from a quick check) was compromised?

Re:"It's unclear how typosquatters were able to...

[infolation]

They paid someone. Oman is endemically corrupt.

I've worked in Muscat a number of times over the past two years and, from the start, it was immediately clear why it's considered the most corrupt country in the Arabian Gulf. If a foreigner wants some expedient business assistance from the authorities, they bribe someone. If they want the authorities to not do something, or look the other way... they bribe someone. Every business obstacle or impediment is routinely solved with bribes in Oman.

That sounds like we were being picked on as soft targets since we were paying a lot of bribes. But this applied to every foreign company we came across dealing with Oman (in the tech sector at least). You simply cannot believe how often foreign companies dealing with Oman have to pay people to make things happen.

Easy fix

[BarbaraHudson]

The easy fix is to switch to a fixed-width, fixed-size font so that things like bankofarnerica don't look like bankofamerica, etc.

Re:

[110010001000]

I hate it when things look like one thing, but actually are another.

Re:

[anarkhos]

What about fonts that male I look like L

Re:

[gordguide]

The easy fix is to switch to a fixed-width, fixed-size font so that things like bankofarnerica don't look like bankofamerica, etc.

No, the easy fix is to never update software from anywhere other than the developer's website. Has the bonus feature of always working now and forever on every OS.

Re:

[Anonymous Coward]

The developer of my software used SourceForge and I got Malware, you insensitive clod!

Re:

[Jeremi]

No, the easy fix is to never update software from anywhere other than the developer's website. Has the bonus feature of always working now and forever on every OS.

You have a lot of faith in the incorruptibility of your DNS server, I see. :)

Re:

[bloodhawk]

The easy fix is to switch to a fixed-width, fixed-size font so that things like bankofarnerica don't look like bankofamerica, etc.

No, the easy fix is to never update software from anywhere other than the developer's website. Has the bonus feature of always working now and forever on every OS.

perhaps you missed the part of this story that says it is about typosquatters? I am sure Ubuntu.om or maybe redhat.om will happily serve you up your "safe" updates.

Re:

[l0n3s0m3phr34k]

I think the domain names would actually be redhatc.om and ubuntuc.om, were someone swapped the . and the c

Re:

[bloodhawk]

most likely if they are doing this they would be cover that and many other combinations, why limit yourself to one domain when 20 or 30 misspellings will net you far more careless users. What I don't understand is why they went the route of installing malware. They were in a position to get users to enter bank details and other identity information as the users thinks they are at the trusted site they typed in, malware just raises the suspicion level when they could have harvested far more by careful select

Re:

[Rob MacDonald]

Because just obtaining the logins isn't enough, delivering a malware payload to the end system offers full control and monitoring. The reality is, your bank account info isn't that important, and most banks / credit cards do indeed have fraud protection. So what's the goal of malware now? Crypto locking stuff, and more importantly, crypto currency mining/generation. I can make more money than I'll even be able to steal from your bank account (tracable) by placing your device into a malware driving bitco

Re:

[BarbaraHudson]

microsoft.com as opposed to microsoftc.om - the problem IS kerning - the dot takes up less space.

Re:

[castionsosa]

That is a good idea. The closest to this is .com, because the "land rush" has long since petered out. However, it would be nice to have a special TLD that has a distinct color when the web page is viewed (similar to EV SSL certs), and can be used in combination with EV. Some rules that sites must follow would be things like using SSL/TLS for all web traffic (other than the initial HTTP redirect to the secure site), staying updated to security levels, some concrete proof that the site is whom they claim t

Re:

[Solandri]

I just gave up and started typing things like "bank of america" (actually bofa) into Google. If I make a typo, it almost always catches it and suggests the correct URL.

Re:

[Maritz]

If only there was a convenient way of turning those IP addresses into hostnames...

Re:

[Raistlin77]

Hmm, maybe something like a local file that your browser could check. Maybe call it "hosts"...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ruir]

I am running an internal DNS at home, BIND+RPZ, and as reading this article I added .OM to my RPZ. Problem solved.

Really?

[110010001000]

I tried all the domains mentioned with a Mac and didn't see anything, just a bunch of 404s, domain name holding pages and redirects to the proper .com name. I guess investigative reporting isn't what it used to be. I'll be back responding to your comments once I upgrade Flash. Apparently it is out of date.

Re:

[grantspassalan]

You have a Mac and are still using flash? How quaint!

Re:

[xorbe]

Probably you need a deep link that's something other than the front page. Fake front pages and redirections to avoid attention.

"typosquatter"

[Jumunquo]

I didn't know this was a word.

I guess we can thank all the greedy folks at ICANN for the subdomain cash grab that gives typosquatters so many new possiblities.

Re:"typosquatter"

[SEE]

No, this isn't ICANN's doing. .om is the country-code domain for Oman, under the standard policy of using ISO 3166-1 designators, as established by Jon Postel back before ICANN ever existed.

Re:

[jtara]

So, resolve *.om to 0.0.0.0, you say?

Yes

I doubt that most of us will miss being able to visit websites in Oman.

Re:

[ruir]

RPZ policy in BIND, .OM added to backlisting. If someone interested on it, I will give a link to the tutorial I wrote.

Re:

[bug_hunter]

From what I understood from the article, you still have to click something on a webpage, which downloads a file you have to double click on in your file system. So you should still get
"This was a file downloaded from the internet that has no trusted developer certificate - are you sure you want to run it" warning - where you have to update the security level in control panels to let you run it.

For people who only run apps from the App Store (which to be fair, I wouldn't recommend) would not get into this

Oh, typosquatters

[JustAnotherOldGuy]

Oh, typosquatters, I'm always amazed at how much work you're willing to do in the hopes that you'll be able to screw people over.

Re:

[bloodhawk]

really? typosquatting is one of the easiest routes to hijack unsuspecting users. Much better than a phishing email as the user if presented right in the browser will be seeing their banks page asking them to update X or please enter your credentials. typosquatting is the lazy way to get users to your dodgy site.

Re:

[meerling]

Typosquatting isn't done to screw people over, it's done to screw them out of money. The generalized screwing over is just a byproduct of the financial redistribution efforts.

Re:

[toonces33]

Good idea. We should set up a Kicksquatter to try and get this done..

Re:

[Maritz]

Looks like kicksquatterc.om is free...

Its ...

[PPH]

... $current_year and still using Flash.

Re:

[chthon]

Maybe Anonymous should do a campaign against king.com, so that their games do not need Flash any more.

COM?

[Rob MacDonald]

Who the hell types .com? It's 2016 and most modern browsers (anything but IE I suspect) figure out what you mean. google in the address bar is the same as "google.com" and the only time I specify a root is when I want the Canadian site without turning on location.

More to come?

[RogueWarrior65]

Tell me again why the US should give up control of the internet?