
SANS ISC: Customized Support Scam Supported by Typo Squatting - SANS Internet Storm Center SANS ISC InfoSec Forums


Customized Support Scam Supported by Typo Squatting

This attack has it "all", and shows how hard it can be for a non-ISC reader to evade some of these tech support scams. The URL used, http://login.microsoftlonine.com, is only one letter off from the legit Microsoft Office 365 login page (did you notice the extra letter?).

The content you will get back varies. But here is a screenshot submitted by our reader Daniel:

The user was redirected to warning.netsecurityalerts.com (the site appears down right now), and to bolster the site's credibility, it displays the user's correct ISP (we all know this is an easy whois lookup, but a user confronted with this message is much more likely to fall for it than a recent message).

Calling the 800 number now will lead to a sales system trying to sell you a medical alert button if you are 50 years or older.

---
Johannes B. Ullrich, Ph.D.

I will be teaching next: Defending Web Applications Security Essentials - SANS Brussels September 2019

Johannes

3608 Posts
ISC Handler
I had a similar one the other day when I typoed a URL. Only in this case it warned that my computer had malware and sounded some kind of audible alert on the sound system. It had a number to call like this one, but I do not think it was to sell me a medical bracelet.....
KBR

63 Posts
Ok, since neither domain is, strictly speaking, serving malware, and thus they aren't listed at malwaredomains.com, where can we get a list of domain names that are purely for hosting social-engineering-enabling garbage like this, so that we can block such sites at a proxy server?
John Hardin

62 Posts
> The URL used, http://login.microsoftlonine.com is only one letter off from the legit Microsoft Office 365 login page

Depends on how you count to "one":

... microsoft <L> on <missing-L> ine.com ...

One letter is out-of-place, but two "edits" are necessary to get to the actual Microsoft site.

The scammer's URL is:

... microsoft <L> on <L> ine.com ...

Don't go there! :-)

IE11 -> Tools -> Internet Options -> Security -> Restricted Sites -> type-'microsoftLonline.com' -> Add -> OK
Anonymous
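
The edit counting in the comment above, combined with the earlier question about blocking such domains at a proxy, suggests a simple check: flag any hostname whose registered domain is within a few edits of one you care about. This is an added example, not part of the original thread; the protected list, the "last two labels" domain rule and the threshold of 2 are assumptions, and the sample hostnames are constructed from domains mentioned on this page.

```python
# Added example: flag hostnames whose registered domain is a near miss
# of a protected domain (plain Levenshtein distance, as counted above).

# Assumption: the domains this organisation wants to protect
PROTECTED = ["microsoftonline.com", "google-analytics.com", "googleapis.com"]

def levenshtein(a, b):
    """Minimum number of single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Assumption: last two labels; real deployments should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def flag_lookalikes(hosts, protected=PROTECTED, max_dist=2):
    """Return sorted (host, closest protected domain, distance) for near misses."""
    hits = []
    for host in hosts:
        dom = registered_domain(host)
        if dom in protected:
            continue  # exact match: the genuine site, not a lookalike
        dist, target = min((levenshtein(dom, p), p) for p in protected)
        if dist <= max_dist:
            hits.append((host, target, dist))
    return sorted(hits)

# Constructed sample of hostnames as they might appear in a proxy or DNS log
SAMPLE_HOSTS = [
    "login.microsoftonline.com",
    "login.microsoftlonine.com",
    "warning.netsecurityalerts.com",
    "gogle-analytics.com",
    "gogleapis.com",
    "www.example.org",
]

if __name__ == "__main__":
    for host, target, dist in flag_lookalikes(SAMPLE_HOSTS):
        print(f"{host}: {dist} edit(s) from {target}")
```

Note that warning.netsecurityalerts.com is not flagged: it resembles no protected name, so a distance check only catches the typo-squatted entry point, not where the redirect lands.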
Here's two more typo squats for you, but no malware as they are mine :)
http://gogle-analytics.com/cgi-bin/awstats.pl
http://gogleapis.com/cgi-bin/awstats.pl

Both are collecting stats on who loads scripts/css from them.
en4rab

1 Posts
