Wrong Spelling – Brand Name Hijack
It is fairly well known that misspelled domains are used to redirect users to surveys, pop-ups, and parked pages. These domains are leveraged by advertising networks, and by groups that funnel unsuspecting web users (the "leads") to an advertisement chosen by a publisher on the network. We had reports of users who accidentally typed a misspelled version of a site and were hit with scareware virus messages, often locking up the machine completely.
During the investigation we discovered a network, owned by a single company, of over 1,000 popular domains that are misspellings of major brands. Most end in .com, but many use .ne, .cm, and .om (the country-code TLDs of Niger, Cameroon, and Oman), each a single dropped keystroke away from .net or .com. The investigation started with an individual who visited espn.cm, which I later found triggered connections to several other domains in a complex network designed to funnel users to an advertisement based on geolocation and language.
We were able to extract the actual log files from the server for 2018 and determined that 12 million visitors arrived at these sites in 3 months, on track for roughly 50 million per year. A random sample of 25,000 visitors from those logs is plotted in the image at the top of the post.
**Update 5/14/18 – Sites are still redirecting to scareware publishers, locking up machines, and playing audio alerts; see the screenshots and video below. The sites serve innocuous ads at times and fake alerts or fake Flash upgrades at others. Results will vary, and there is a good chance these sites are keying on 'unique visitors', so a repeat visit may not show the payload. You may also see a different outcome based on browser, location, or other factors such as language.
Here are some of the sites that are active right now:
...and over 1,000 other brand names in the full list.
Here is what happens when I visit one of the MediaBreakaway gateway sites, such as jetlbue.com, espn.cm, or box.cm:
(Screenshot: an audio message warns me that my computer is infected)
(Screenshots: a variety of adware and fake tech-support messages)
Technical Deep Dive
Most of these domains resolve to a single IP, 188.8.131.52, at least for the group of gateway sites we found through VirusTotal passive DNS. The organization behind this 'advertising network' runs campaigns for clients who push PUPs (Potentially Unwanted Programs) over the network; the client's landing page is the final hop in the redirect sequence. VirusTotal's Communicating Files for that IP lists SETUPINST.EXE (flagged by 42 of 66 engines) reporting to the address that hosts all of these sites, with sightings going back to at least 3/2015. The primary detection names for SETUPINST.EXE are LiveSoftAction, GetNow, ElDorado, and Multi-tool bar. AbuseIPDB has two reports from 2017 of this IP acting as a malware distribution point, and in our testing it has a history of distributing adware and potentially unwanted programs to both PC and Android users. The network is probably not a large-scale botnet or malware operation in itself; it is pushing out adware for sketchy advertisers.
Here are examples of the code on these sites. Note that some domains appear to serve no HTML at times, while others begin redirecting traffic immediately. Various second-tier websites redirect you to the publisher's (the paying client's) payload, and we have found it can be aggressive at times, pushing unwanted packages onto our test PC and Android phone; scareware, FakeAlert, and fake tech-support sites were among the destinations.
Most sites route through gateway IPs/domains that redirect users, shown below. My best guess is that all of these typosquatting sites redirect through a newly registered domain with a random English-word name. Why? Ad blockers and researchers. If that intermediate domain lands on a blocklist, the operator can simply retire it and stand up a new one, while the typo domains that bring in the traffic stay untouched. This has nothing to do with the last stop, which usually belongs to the publisher, not to this network.
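To make the hop structure concrete, here is an added example (not code from the original post or from the network described) that reconstructs a redirect chain from captured HTTP responses. It recognises the three redirect mechanisms such pages typically use, a 30x Location header, a meta refresh tag, and a JavaScript location assignment, and walks them offline. Every response body, and every hostname other than espn.cm, is constructed for illustration; the .test hostnames are hypothetical stand-ins for the gateway, the disposable 'random English word' hop, and the publisher's landing page.

```python
"""Reconstruct a typosquat redirect chain from captured HTTP responses.

Added example, not code from the original post. It walks responses that were
captured earlier (proxy log, curl -i) so it runs offline and never touches the
sites. All hostnames except espn.cm and every response body are constructed.
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed captures keyed by URL: (status, headers, body). The hostnames
# under .test are hypothetical stand-ins for the gateway, the disposable
# "random English word" hop, and the publisher's landing page.
CAPTURES = {
    "http://espn.cm/": (
        302, {"Location": "http://go.example-gateway.test/r?c=1"}, ""),
    "http://go.example-gateway.test/r?c=1": (
        200, {},
        '<html><head><meta http-equiv="refresh" '
        'content="0;URL=\'http://bluemeadowtree.test/land\'"></head></html>'),
    "http://bluemeadowtree.test/land": (
        200, {},
        "<script>window.location.href = "
        "'http://publisher-alert.test/alert.php?uid=1';</script>"),
    "http://publisher-alert.test/alert.php?uid=1": (
        200, {}, "<h1>Your computer is infected</h1>"),
}

# <meta http-equiv="refresh" content="0;URL='...'"> with http-equiv before
# content, the form used in the capture above.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+'
    r'content=["\']\s*\d+\s*;\s*url=\s*["\']?([^"\'>\s]+)', re.I)
# location = '...', location.href = '...', location.replace('...'), with or
# without a window./document./top. prefix.
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href|\.replace\()?'
    r'\s*=?\s*\(?\s*["\']([^"\']+)["\']', re.I)


def next_hop(url, status, headers, body):
    """Return the URL this response sends the browser to, or None for a landing page."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1))
    m = JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1))
    return None


def follow_chain(start, captures, max_hops=10):
    """Walk the captured responses from `start` and return the ordered URLs visited.

    Stops at a landing page, at a URL missing from the captures (the middle hop
    rotates in the wild, so this is a normal outcome), on a loop, or at max_hops.
    """
    chain, seen, url = [start], {start}, start
    while len(chain) <= max_hops and url in captures:
        status, headers, body = captures[url]
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain


def hostnames(chain):
    """Hostnames of each hop: the list you would feed to a blocklist or a pDNS pivot."""
    return [urlsplit(u).hostname for u in chain]


if __name__ == "__main__":
    for i, hop in enumerate(follow_chain("http://espn.cm/", CAPTURES)):
        print(f"hop {i}: {hop}")
```

Feed it responses recorded by a proxy or with `curl -i` rather than contacting the sites live. When the middle domain rotates, the walk simply stops at the first URL that is not in the capture set, which is itself a useful signal that the chain has changed since the last capture.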
Here is a list of .com domains registered to the same e-mail address, from a Reverse Whois lookup on email@example.com.
The connections VirusTotal shows for espn.cm are staggering: a large, complex network of malware sources. We ran passive DNS on some of the IPs hosting this domain and found many very well positioned typo domains hosted there. We have extracted a handful of the sites to show the brands being imitated in this campaign. Many of these domains have passive DNS records going back to before 3/2017, so they have been active for a long time and still resolve to the same addresses.
A short list of these sites, obtained from VirusTotal passive DNS, is below:
***Update 5/4/18 – Domains migrated to 184.108.40.206 (Peer 1 Network (USA) Inc.)
***Update 5/4/18 – Domains migrated to 220.127.116.11 (France)
**Update 4/11/18 – Domains migrated to 18.104.22.168 (NedZone Internet BV)
**Update 4/8/18 – Domains migrated to 22.214.171.124 (Peer 1 Network (USA) Inc.)
**Update 4/6/18 – Domains have moved to another IP, 126.96.36.199 (LeaseWeb B.V.)
The original IP for all domains at the time of the story was 188.8.131.52 (1,170 domains).
We also recommend monitoring or blocking the following 50 TLDs, which in my experience are associated primarily with this kind of activity and see a surge of malware sites occupying them. At minimum, monitor access to them; block the worst outright. The extensions in bold have been confirmed by VirusTotal passive DNS to host high levels of malware or adware, or to be connected to these kinds of advertisers.
*.ne, *.cm, *.om
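As an added example (not from the original post), the following script turns the recommendation into a detection: it generates the one-keystroke typo variants of a set of protected brand domains, including the dropped-character TLDs .cm, .ne, and .om that make .com and .net so easy to mistype, and scans DNS query log lines for matches. The protected-brand list, the log format, and the log lines are constructed for illustration; treating the last two labels as the registrable domain is a simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Flag DNS queries for one-keystroke typosquats of protected brands and for
typo-friendly TLDs (.cm, .ne, .om).

Added example, not code from the original post. The protected list, the log
format and the log lines are constructed for illustration.
"""
import re

# Brands to protect; constructed list for illustration.
PROTECTED = ["espn.com", "jetblue.com", "box.com"]
# TLDs recommended for monitoring in the post: one dropped key from .com/.net.
WATCH_TLDS = {"cm", "ne", "om"}

# Constructed query-log lines: timestamp, client, "query", qname, qtype.
LOG = """\
2018-04-06T12:00:01Z 10.0.0.5 query espn.cm A
2018-04-06T12:00:02Z 10.0.0.5 query go.randomwords.test A
2018-04-06T12:00:03Z 10.0.0.9 query jetlbue.com A
2018-04-06T12:00:04Z 10.0.0.7 query espn.com A
2018-04-06T12:00:05Z 10.0.0.7 query www.box.cm A
2018-04-06T12:00:06Z 10.0.0.8 query mail.example.ne A
"""
LINE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def typo_variants(domain):
    """One-keystroke variants of `domain`: a dropped label character, two
    adjacent label characters swapped, or a dropped TLD character."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(label)):                       # jetbue.com
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                   # jetlbue.com
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out.add(f"{swapped}.{tld}")
    for i in range(len(tld)):                         # espn.cm, espn.om
        out.add(f"{label}.{tld[:i]}{tld[i + 1:]}")
    out.discard(domain.lower())
    return out


def build_index(protected):
    """Map every typo variant back to the brand domain it imitates."""
    return {v: d for d in protected for v in typo_variants(d)}


def registrable(qname):
    """Last two labels of a query name. Simplification: ignores multi-label
    public suffixes such as co.uk."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(qname, index, watch_tlds=WATCH_TLDS):
    """Reasons a query name is suspicious; empty list if none."""
    dom = registrable(qname)
    tld = dom.rsplit(".", 1)[-1]
    reasons = []
    if dom in index:
        reasons.append(f"typosquat of {index[dom]}")
    if tld in watch_tlds:
        reasons.append(f"watch-list TLD .{tld}")
    return reasons


def scan(log_text, protected=PROTECTED):
    """Return (client, qname, reasons) for every flagged query in the log."""
    index = build_index(protected)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        reasons = classify(qname, index)
        if reasons:
            hits.append((client, qname.lower(), reasons))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in scan(LOG):
        print(f"{client} -> {qname}: {'; '.join(reasons)}")
```

A query that trips both checks (espn.cm is a typo of espn.com and sits on a watch-list TLD) is a much stronger signal than either alone; a plain watch-list hit such as mail.example.ne is worth logging but may be legitimate traffic, which is why the post suggests monitoring some extensions and blocking others.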
The investigation is ongoing, and we hope that shedding some light on this situation will help the larger community shut it down. I had never seen .cm, .ne, and .om used this way before, but they are perfect for typo domains. We would like to see vendors pick this up, as well as other bloggers who can alert security professionals to the issue. I recommend blocking the IPs and domain extensions listed above.