
Beware of this Lethal Malware that Employs Typosquatting to Siphon Banking Data


Disneyland Team, a Russian-speaking financial hacking group, was identified using lethal info-stealing malware with confusing typosquatted domains to siphon login data for banking sites.

The malicious campaign was discovered by Alex Holden, the founder of cybersecurity consulting firm Hold Security, and reported on by KrebsOnSecurity. 

According to the report, the hacking group specifically targets individuals compromised with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can siphon the data of internet-linked devices, and install additional malware.  

But Gozi is not as powerful as it used to be because search engine designers have launched multiple security measures over the years to nullify the threat of banking malware. This is where typosquatting plays an important role: the group builds phishing websites on domain names that are common misspellings of legitimate websites.

Take U.S. financial services company Ameriprise for example. Ameriprise employs the domain The Disneyland Team's domain for Ameriprise users is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.  

On observing carefully, you can make out small dots under the "a" and the second "e," and if you thought them to be specks of dust on your screen, you wouldn’t be the first one to fall for the visually confusing scam. These are not specks, though, but rather Cyrillic letters that the browser renders as Latin.

So, when an individual falls into the trap laid by scammers and visits these bogus bank websites, it gets overlaid with the malware, which forwards anything the victim types into the legitimate bank’s website, while keeping a copy for itself. That way, when the real bank website returns with a multi-factor authentication (MFA) request, the fake website will request it too, effectively making the MFA useless.

“In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site,” KrebsOnSecurity reported. “These could then copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”
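A defender can catch lookalike hostnames of the kind described above by folding each name to its visual "skeleton" and comparing it with a watchlist. The sketch below is an added example, not code from the original post or from Hold Security; the watchlist and the short Cyrillic lookalike table are assumptions, and it goes beyond the one domain in the text by handling dotted-letter, Cyrillic and punycode (xn--) forms.

```python
import unicodedata

# Small constructed subset of Cyrillic letters that look like Latin ones
# (a, e, o, p, c, x, y, i). Unicode's confusables data (UTS #39) is the full list.
CYRILLIC_LOOKALIKES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")

# Hypothetical watchlist of domains the defender wants to protect.
PROTECTED = {"ameriprise.com"}

def to_unicode(host):
    """Refang and decode xn-- labels so the check sees what the URL bar shows."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host

def skeleton(host):
    """Fold a hostname to an ASCII approximation of how it looks on screen."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(host))
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return no_marks.translate(CYRILLIC_LOOKALIKES)

def classify(host):
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    shown = to_unicode(host)
    if shown in PROTECTED:
        return "legitimate"
    if skeleton(shown) in PROTECTED:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed inputs; the second is the defanged lure quoted above, written
    # with escapes for the dotted "a" (U+1EA1) and dotted "e" (U+1EB9).
    for h in ("ameriprise.com", "\u1ea1meripris\u1eb9[.]com",
              "\u0430meriprise.com", "example.org"):
        print(ascii(h), classify(h))
```

The same check can run over proxy or DNS logs, since those usually record the xn-- form rather than the rendered one.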

Info Stealer Identified in a PyPI Package


GitHub user duxinglin1 has identified three PyPI packages, 'keep,' 'pyanxdns,' and 'api-res-py,' using a malicious dependency, 'request.'

Last month, duxinglin1 uncovered the vulnerable versions containing the misspelled 'request' dependency, rather than the authentic 'requests' library. CVEs assigned to the susceptible versions include: 

• CVE-2022-30877 - 'keep' version 1.2 contains the backdoor 'request'
• CVE-2022-30882 - 'pyanxdns' version 0.2 impacted 
• CVE-2022-31313 - 'api-res-py' version 0.1 impacted 

According to duxinglin1, the risk with the 'keep' package is pretty high, as it receives over 8,000 downloads per week on average, while the opposite is true of 'pyanxdns' and 'api-res-py', which are small-scale projects.

Two years back in 2020, Tencent Onion Anti-Intrusion System unearthed a malicious typosquat 'request' uploaded to the PyPI registry which copied the requests HTTP library but surprisingly dropped malicious info-stealers. 

"We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed,” duxinglin1 explained. The malicious backdoor inside the counterfeit 'request' includes a base64-encoded URL to the ''. 

The file '' is loaded with a Remote Access Trojan (RAT), while 'x.pyx' contains data theft malware that exfiltrates cookies and private data from web browsers like Chrome, Firefox, Yandex, Brave, and others. Subsequently, the hackers with access to user credentials attempt to exploit other accounts employed by the developer, potentially leading to additional supply-chain attacks. 

Bleeping Computer contacted the developers of each of these packages to determine whether this was due to a simple typographical error or a hijacking of maintainer accounts. The author of 'pyanxdns', Marky Egebäck, confirmed this was a result of a typographical error rather than an account compromise.

Additionally, it appears that the developers of the other two packages also introduced 'request' rather than the legitimate 'requests' due to an innocent typing error. 

"Sorry to say by a simple typo in the file since git history shows that this was added when the install requires was added by me. This was [an] honest mistake based on a typo in the I generally don’t publish things on PyPI but I made this quickly for a friend and myself. Not sure if he has promoted this but the purpose was mainly for personal use in [an] internal docker project," stated Egebäck.

US: Fake News and Hike in Malicious Campaigns

'The internet is stacked with fake news sites in the present times,' says the research of DomainTools, a security analyst company. The company scrutinized some top news sites of the U.S. and examined their vulnerability to URL hacking and false domains. The false URLs may advertise misinformation and harmful malware, according to the study. “As skepticism of traditional media continues to rise, defending the society from fake news attacks has grown relevant to the constitutional process,” says Corin Imai, a security advisor of DomainTools.

The fake news in recent times has attacked the credibility of news and raised questions concerning professional journalism. In present times, the media coverage is full of falsehoods and misinformation. The majority of the mainstream news sites can be held responsible for spreading fake news among the general public.

Why should one pay attention to fake news sites? 

'It’s no mystery that since recent times fake news campaigns are on a hike,' says Imai. 'The research shows that various top news websites' domain names have been tricked, and are vulnerable to URL hacking.' Honesty and assurance are the pillars of splendid consumer aid expertise. The study by DomainTools reveals how malicious users employ tricks like typosquatting and replicating domains as methods to run fake news campaigns.

Typosquatting, also called URL hijacking, is a technique that preys on internet users who accidentally type a wrong domain while searching for a news site in a browser. Spoofing, by contrast, is when a trickster poses as the genuine publisher of a news site. These unlawful actions can result in theft of user data, circulation of fake news via spoofed news sites, and the download of dangerous malware onto the user's system.

How to identify misinformation campaigns and stay safe from fake news sites

Fake news sites often benefit from how quickly users browse, piggybacking on their favored source of information. This can lead to data theft or exposure to fake news and malware.

Steps to avoid fake news:

• Beware of suspicious or doubtful domain names. Always pay attention to whether the web search is correct.
• Bookmark your preferred news site. This helps avoid typos while searching for a news site.
• Visit the news website directly; avoid clicking on links that lead to news or information.
• Be digitally literate. Stay up to date with the latest trends and technologies happening over the internet.

By following these basic precautions, one can be safe from the risk of fake news.