April, 2023 - osintafrica

A typosquatting attack is a type of attack where the threat actor mimics a legitimate domain to target the victims. In this type of attack, the threat actor looks for the target domain that he and she want to target and alter the domain. The attack is one of the most successful attacks technics used by the threat actors. The attack is very difficult to detect as most of the users will consider it as a legitimate domain. However, the attack can be detected by implementing some countermeasures.

One of the most used tool to generate a typosquattitng domain is dnstwister | The anti-phishing domain name search engine and DNS monitoring service, the tool can help you generate domains or find the domains that can be used to mimic your domain.

Types of typosquatting:

Combosquatting

The attacker adds a word to the legitimate domain to trick the users to click on it. Example:

The legitimate domain facebook.com will be altered to helps-facebook.com.

Bitsquatting

The attacker changes one or more bits of the legitimate domain to trick the user. Example:

Facebook.com will become fasebook.com

Soundsquatting

The attacker uses the technic calls “Homophones” to trick the user. Example”

Fare.com will become faire.com

Levelsquatting

The attacker uses the legitimate domain, follow by the phishing domain. Example:

Facebook.com will become facebook.com.ghdhwhj.com

Homographing

The attacker uses the technic calls homoglyph by changing one character from the legitimate domain. For example:

Faceboo.com will become fäcebook.com (the “a” changed to ä)

You can use the homoglyph generator to alter any domain you wish (Homoglyph Attack Generator and Punycode Converter (irongeek.com))

Typosquatting detection and protection:

Security awareness and training
User tool like dnstwister | The anti-phishing domain name search engine and DNS monitoring service or Recorded Future: Securing Our World With Intelligence to find the domain mimicking your brand
Block all domains mimicking your brands
Performing DNS lookup to verify the domain owner

In conclusion, the typosquatting is a type of attack that alter the legitimate domain to target the users. The attack is very difficult to detect but by combining different methods and technics, the users can be protected.

Main News

efile.com compromised by threat actor to embed malicious files

Bangaly Koita 2 years ago

The efile[.]com a team of tax professionals and tax software vendors that provide an online platform to efile federal income taxes and state taxes online website has been compromised. The website is redirecting to a malicious domain that is used to download a malicious payload on a victim machine.

Details:

Some malicious files were embedded in the efile.com website redirecting to a maldomain with a malicious payload attach to it used to compromised the victim system.

The threat actors used different types of files and attachments to achieve their goal.

propper.js

https://urlscan.io/responses/63899f4dc894bdf8323e7ec65d608a640d7915b7eea7dd985dd876da0298a4b6/

The popper.js file contains a base64 encoding

popper.js after being decoded

The output is showing the redirecting domain which is infoamanewonliag[.]online

The URL www.infoamanewonliag[.]online/update/index.php is redirecting the final URL

VirusTotal - URL - 85f0f90c55dae3f6e4f50791470491eccebf7529a98f230f33dac32e805291de

Final URL

https://winwin[.]co[.]th/intro/

The final URL contains some malicious exe files that will be used to compromise the victim host machine:

https://urlscan.io/search/#winwin.co.th

https://winwin[.]co[.]th/intro/update.exe

https://www.virustotal.com/gui/url/85f0f90c55dae3f6e4f50791470491eccebf7529a98f230f33dac32e805291de/details

Hash from URLSCAN 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

https://www.virustotal.com/gui/file/882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

index.php and update.js

The index.php file is redirecting to the URL with the attachment update.js

https://urlscan.io/responses/4ffeae430c05f641cb88d2d18131e3f4a3ecdcbc55c159af8998623e5769532a/

The js file contains two URLs with an exe file attached to each and base64 encoding:

https://urlscan.io/responses/ca051090a1105e8ea53a04206c8ddcee4b0d33d4566d2f28549fbf0bbdd34bc8/

As we mentioned in the “popper.js”,

The others URLs with the exe files are redirecting to final URL

https://winwin[.]co[.]th/intro/

The domain winwin[.]co contains some malicious exe files that will be used to compromise the victim host machine:

At the end, we may conclude that the intention of the threat actor is to compromise the infected system by redirecting the victim to different domains in order to download a malfile.

Once the user is redirected to the winwin[.]co website, the malicious exe will be downloaded and compromised the system.

The malicious files are already detectable by many anti-viruses.

If you were in touch with the efile.com during the last few days and was redirecting to any of the files mentioned above, better scan your laptop by using tool like Malwarebytes or others.

Click on the link (VirusTotal - File - 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb) for further details about the exe files.