Bitcoin case – How cybercriminals exploit typosquatting

How cyber criminals could exploit typosquatting? The case of MtGox proposed by MalwareBytes, a fake domain used to serve malicious codes.

Typosquatting, also called URL hijacking, is a common form of hacking which relies on mistakes such as typographical errors made by Internet users when typing the website address into the address bar of their browser. Should a user accidentally enter an incorrect website address, they may be led to URLs related to websites managed by cybercriminals.

Criminals could operate substantially with two different techniques to exploit typosquating:

• register domains having URLs similar to legitimate websites belonging to popular brands.
• analyze the topic of interest in a particular period registering domain with URL similar to legitimate website reporting the information of interest.

Let’s wear the clothes of the cyber criminal and try to take advantage of the second scenario, the first topic I have in mind is Bitcoin so let’s verify if it could be a good idea to exploit typosquatting on URL related to websites that propose information on the popular virtual currency. Google Trends is a mine of information and looking at the below graph it is possible to note an increasing interest on the topic confirmed by the number of research on it. This means that a huge quantity of Internet users searches for Bitcoin information and navigate on Bitcon website.

Malwarebytes security firm published an interesting post titled “Typo Trouble in Bitcoin Land” to show how much dangerous could be a typosquatting on the  World’s Largest Bitcoin exchange Mt. Gox.

Looking at the image below it is possible to not that cybercriminals exploited the error made by users typing “mtegox(.)com” instead “mtgox.com”.

The site is managed by cybercriminals, currently it is down, and was a repository of malicious files served to users under the pretense of “This file is needed to do x with your Bitcoins”.

VirusTotal provided a detailed analysis of the malicious domain demonstrating that typosquatting method was used in the specific case by the attackers.

The experts at MalwareBytes discovered that running the malicious file the executable deletes the original file, placing additional hidden folders and files on the infected machine.

“That particular foldername shows up in a couple of sandbox reports and other pieces of analysis, including Malwr, a Joe Sandbox report and Lavasoft with the last two referencing a dayzstreaming website offering up yet more files.”

Malwarebytes Anti-Malware detects the above as Spyware.Zbot.ED, and it is currently pegged at 39/49 on VirusTotal.

The malicious domain is full of other malicious elements a good reason to consider typosquatting a serious menace. A good practice is to be sure to double-check any and all “gox” themed URLs sent your way.

Typosquatting could be effective to arrange phishing campaigns or to serve malicious code such as spyware and Bitcoin miner, good advice is to double check URLs before submit them.

Pierluigi Paganini

(Security Affairs –  Typosquatting, cybercrime)