The Websense® ThreatSeeker® network has uncovered a typosquat hive hosting hundreds of hosts targeting
well-known brands. This hive constantly moves around to evade detection. Numerous popular brands are being abused –
can you spot the difference between these scam URLs and the real ones?
Upon further analysis we discovered a connection between those hosts:
- Most of them are hosted on the same IP address, 220.127.116.11.
- They lead to scam survey websites and spam websites.
- They attempt to circumvent detection and lie low by periodically shifting from serving threats to serving default parking pages without threats.
Let us take one of the example hosts to further illustrate how a victim can be taken from a typosquat in the hive to a scam site. For example, typing in hxxp://youtibe.com/ redirects the user to a scam site hxxp://socialsurvey.chattycatty.com/.
Multiple requests to the same host result in different landing pages including scam surveys, form filling, and spam sites. In one example (see the screenshots below) users are lured and redirected to a "Youtube" themed website to complete a survey which claims that upon completion, they will have the opportunity to receive one of the listed gifts:
After completing the "survey", the user is offered the option to sign up for a paid and automatically renewed monthly subscription service with an additional enticing gift at a low price. The user is then asked to enter their credit card details. The catch is in the "terms and conditions" section where evidently it's claimed that that the gift is accountable by a 3rd party and that no subscription refunds are allowed.
Fortunately Websense protects it's users against such threats with Websense ACE (Advanced Classification Engine). If you have seen other typosquats, let us know in the comments.
Author: Samana Haider
Leave a reply