Wrong Spelling – Brand Name Hijack

It’s well-known in cyber security circles that misspelled domains are a method for redirecting users to surveys, pop-ups, and parked websites. These domains are leveraged by advertising networks through groups that seek to funnel unsuspecting web users with leads to an advertisement chosen by a publisher on the network. We’ve had reports of users who accidentally visited the incorrectly spelled version of a site, and they were attacked with scareware virus messages – often locking up the machine completely.
During the investigation, we discovered a network owned by a company that had over 1,000 popular domains with misspellings of major brands. Many of these sites are ending in .com, but also .ne, .cm, .om, and other endings that are easy to type incorrectly. This investigation started off with an individual who visited espn.cm which, I later found out, triggered connections to several other domains in a complex network designed to funnel users to an advertisement based on their geographical location and language.
We were able to extract the actual log files from the server for 2018, and from it, we determined that 12 million visitors had been directed to these sites in 3 months, on track for ~50 million visitors per year. Based on the log files, we plotted a random sampling of 25,000 visitors in the image up top.
Featured On:
NBC News (Warning: Misspelling that web address can lead to trouble).
Washington Post (How to prevent a typo from making you an identity theft victim)
KrebsOnSecurity (Omitting the “o” in .com Could Be Costly)
KrebsOnSecurity (Dot-cm Typosquatting Sites visited 12M Times So Far in 2018)
**Update 5/14/18 – Sites are still redirecting to scareware publishers, locking up machines, and creating audio alerts. See screenshots and video below. Sites will serve up innocuous ads at times, and others messages will be fake alerts or Flash upgrades. Take note that the results will vary, and there’s a good chance that these sites are looking for “unique visitors.” It’s possible that you will have a different outcome based on your browser, location, or other factors, like language.
Here are some of the sites that are active right now:
abcnews.cm
adobe.om
alibaba.cm
amaozn.cm
android.cm
aol.cm
boocking.cm
box.cm
capitalone.cm
carfax.cm
carmax.cm
cnn.om
coach.cm
comcast.cm
constantcontact.cm
craigslist.cm
delta.cm
directvnow.cm
facebook.cm
flowers.cm
geico.cm
hbo.cm
hrblock.om
hulu.cm
itunes.cm
jcpenny.cm
livenation.cm
lowes.cm
lyft.cm
madiant.com
movie4k.cm
mysalesforce.com
nflshop.cm
nhl.cm
onelogin.cm
onlinewellfargo.com
paychex.cm
qvc.cm
realtor.cm
santanderbank.cm
spotify.cm
spotify.om
starples.com
sunglasshut.cm
uhaul.cm
walmari.com
webmd.cmp
www.opentable.cm
And there are more than 1,000 other fake brand names that aren’t listed here.
Here’s what happens when I visit one of the Media Breakaway gateway sites, like jetlbue.com, espn.cm, or box.cm:
(An audio message warns me my computer is infected)
(A variety of messages displaying Adware and Fake Tech Support)
Technical Deep Dive
Many of these domains all route back to 1 IP 85.25.199.30, at least for this grouping of gateway sites we found on VirusTotal passive DNS. The organization behind this ‘advertising network’ is running campaigns for clients who are pushing PUPs (Potentially Unwanted Programs) over the network, which represent the final “hop” in the sequence to move the user towards the advertisement. VirusTotal Communicating Files shows a piece of software, SETUPINST.EXE (42/66 engines), reporting to the IP address that hosts all of these sites, and it goes back to at least 03/2015. The SETUPINST.EXE file has its detection primarily as LiveSoftAction, GetNow, ElDorado, and Multi-Toolbar. AbuseIPDB had two reports in 2017 that this IP was a malware distribution point. It appears to have a history of distributing adware and potentially unwanted programs for PC and Android users, based on testing. The network is probably not a large-scale botnet or malware operation itself; it just pushes out adware for sketchy advertisers.
Here are examples of the code on these sites. Note that some domains will appear to have no HTML at times, and others will begin redirecting traffic. Various 2nd tier websites redirect you to the publisher (paying client’s) payload, and we’ve even found code that can be viral at times, pushing unwanted packages to our test PC and Android phone. Scareware, fake alerts, and fake tech support sites are seen in the text below.
Most sites route via gateway IP/domains that redirect users, as shown below. My best guess is that all of these typosquatting sites redirect to a newly registered and random English-worded domain. Why? Because ad blockers and research can just shut down the catalyst domain if it’s banned, and turn up a new one. This has nothing to do with the last stop, which usually belongs to the publisher, not this network.
antistrophebail.com (VirusTotal)
Here’s a list of .com domains owned by the same email addresses, Reverse Whois and [email protected].
The connections we found using VirusTotal on espn.cm are staggering and have a large complex network of malware sources. We ran the passive DNS on some of the IPs hosting this domain, and there are many very well-positioned typo domains hosted. We’ve extracted a handful of these sites to demonstrate the brands being imitated in this campaign. Many of these domains have DNS that were created before 03/2017, so they’ve been active for a long time and still resolve to the same DNS.
A short list of these sites is below, obtained from Virustotal passive DNS:
*** Update 11/12/18 – Domains alive and well on Mean Servers network. VirusTotal shows this same IP is serving up Trojan-Dropper.Win32.Agent.fvf a dropper with ‘AV-Killer’ functionality.
***Update 9/24/18 – Domains migrated to 104.219.168.162 (Mean Servers)
***Update 5/4/18 – Domains migrated to 76.74.212.106 (Peer 1 Network (USA) Inc.)
***Update 5/4/18 – Domains migrated to 89.234.183.223 (France)
**Update 4/11/18 – Domains migrated to 37.247.42.100 (NedZone Internet BV)
**Update 4/8/18 – Domains migrated to 76.74.212.106 (Peer 1 Network (USA) Inc.)
**Update 4/6/18 – Domains have moved to another 5.79.121.69 (LeaseWeb B.V.)
Original IP from the story for all domains was: 85.25.199.30 (1,170 domains)
We also recommend monitoring or banning the following 50 TLDs associated primarily with this kind of activity and which, in my experience, are also associated with a surge in malware sites that occupy them. I’d recommend at least monitoring the access to those sites, and outright banning others. Bold extensions have been confirmed to have high levels of malware and/or adware, or to be connected to these kinds of advertisers by VirusTotal passive DNS.
*.ne, *.cm, *.om
*.accountant
*.bid
*.bit
*.cf
*.click
*.club
*.co.vu
*.date
*.download
*.faith
*.ga
*.gdn
*.gq
*.jetzt
*.kim
*.lighting
*.limited
*.limo
*.link
*.loan
*.market
*.men
*.ml
*.party
*.pro
*.pw
*.racing
*.ren
*.review
*.sale
*.science
*.sex
*.site
*.stream
*.stream
*.study
*.su
*.support
*.tk
*.today
*.tools
*.top
*.vip
*.wang
*.webcam
*.win
*.xin
*.xyz
The investigation is ongoing, and we’re hoping that shedding some light on this situation will help the larger community shut it down. I’ve never seen these extensions being used before .cm, .ne, .om, but they are perfect for typo domains. We’d like to see vendors pick this up, as well as other bloggers who can alert security professionals to the issue. I’d recommend blocking those IPs, and domain extensions.
hi. arrived here courtesy of krebsonsecurity. thank you for this article. you might want to sort and dedup the list of TLDs near the end of the post… there’s at least two .win lines. cheers
Sorted that out, thanks for the heads up!