Typo Squatting Charities for Fake Tech Support Schemes

Joe wrote this weekend that:

A customer called me yesterday to make me aware of their computer that was compromised by one of those scam websites that pops up an 800 number and tells them to call. Despite knowing better, she STILL called in.... <ugh>.

The site I wanted to make you aware of was amvets.COM. She wanted to make a donation, but the real website is amvets.ORG.

It is always sad to see how people with good intentions, willing to donate to a deserving cause, are being taken advantage of. So I took a bit of time to investigate this particular case.

First of all: I do NOT recommend visiting the ".com" version of the site above. I did not see anything outright malicious beyond popups advertising the fake tech support service, but there is no telling what they will serve next.

The content returned by the page varies considerably. Currently, I am getting "index pages" linking to various veterans-related pages. Such pages are typically auto-generated from the keywords people used to reach the site, or from keywords entered in its search field, so it is no surprise that this page "knows" it is being mistaken for a veterans' charity.

When it does display the "Fake Virus Warning" page, it does so very convincingly:

- the look and feel is adapted to match the user's OS and browser
- even on mobile devices, like my iPad, the page emulates the browser in use

After a couple of visits to the site, it no longer displayed the virus warning to me, even after I changed systems and IP addresses. So I am not sure whether they ran out of ad impressions or rate-limit how often the warning is shown.

According to Farsight Security's passive DNS database, 10,000 different hostnames resolve to this one IP address. Most of them look like obvious typo-squatting domains, for example:

www.googele.be, besbuy.ca, wwwhockey.ca.

For some of them, I still get ads for "do-nothing-ware" like MacKeeper (when viewing the page from a Mac).
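The triage step described above, turning a passive-DNS list of hostnames for one IP into "which brands are these typo-squatting?", is easy to script. The following is an added example, not code from the diary or from Farsight: it takes hostnames as a passive-DNS query would return them and flags those whose registrable label is the name of a known brand or one edit away from it (omitted, inserted, substituted or transposed letter), plus the "wwwbrand.tld" fusion seen in wwwhockey.ca. The brand list and the sample hostnames are constructed for illustration; the DNSDB query itself is not included.

```python
"""Flag typo-squatting hostnames in a passive-DNS result set.

Added example, not part of the original diary. BRANDS and
PASSIVE_DNS_SAMPLE are constructed for illustration.
"""

# Brands we expect to be impersonated (registrable label only).
# Assumption: a real investigation loads a much longer list.
BRANDS = {"amvets", "google", "bestbuy", "hockey"}

# Constructed sample: hostnames a passive-DNS query for one IP might return.
PASSIVE_DNS_SAMPLE = [
    "amvets.com",           # brand name under the wrong TLD (real site is amvets.org)
    "www.googele.be",       # extra letter
    "besbuy.ca",            # omitted letter
    "wwwhockey.ca",         # missing dot after www
    "example-hosting.net",  # unrelated, should not be flagged
    "gogle.com",            # omitted letter
]


def registrable_label(hostname: str) -> str:
    """Return the second-level label: 'www.googele.be' -> 'googele'.

    Assumes a single-label public suffix; a production tool should use
    the Public Suffix List so that e.g. 'example.co.uk' is handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def edits1(word: str) -> dict:
    """Map every string one edit away from `word` to the kind of edit.

    The classic single-edit neighbourhood: deletions, transpositions,
    substitutions and insertions over a-z. The word itself is excluded.
    """
    letters = "abcdefghijklmnopqrstuvwxyz"
    out = {}
    for i in range(len(word) + 1):
        left, right = word[:i], word[i:]
        if right:
            out.setdefault(left + right[1:], "omission")
        if len(right) > 1:
            out.setdefault(left + right[1] + right[0] + right[2:], "transposition")
        for c in letters:
            if right:
                out.setdefault(left + c + right[1:], "substitution")
            out.setdefault(left + c + right, "insertion")
    out.pop(word, None)
    return out


def classify(hostname: str, brands=BRANDS):
    """Return (brand, kind) if `hostname` looks like a typo-squat, else None."""
    label = registrable_label(hostname)
    if label in brands:
        # Same label as the brand, so the "typo" is the TLD or a prefix.
        return label, "exact-label"
    if label.startswith("www") and label[3:] in brands:
        return label[3:], "www-fusion"
    for brand in sorted(brands):
        kind = edits1(brand).get(label)
        if kind:
            return brand, kind
    return None


def flag_typosquats(hostnames, brands=BRANDS) -> dict:
    """Run classify() over a hostname list; keep only the hits."""
    hits = {}
    for hostname in hostnames:
        result = classify(hostname, brands)
        if result:
            hits[hostname] = result
    return hits


if __name__ == "__main__":
    for host, (brand, kind) in flag_typosquats(PASSIVE_DNS_SAMPLE).items():
        print(f"{host:24s} -> {brand} ({kind})")
```

A hit is a candidate, not a verdict: brand owners do register their own misspellings defensively, so the next check is whether the flagged name resolves to, or is registered by, the same party as the genuine domain. Names that share an IP with thousands of other typos, as in this case, are the ones worth reporting.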

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

That is why it is good to spend a little more money and purchase the .com domain when you set up a .org domain. Even better, purchase one or two of the common misspellings that might occur.
Anonymous
