Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics

SHRUTI DIXIT, JAGADEESWAR RAMANUKOLANU
September 10, 2024 - 7 min read

Introduction 

Following the 2024 ThreatLabz Phishing Report, Zscaler ThreatLabz has been closely tracking domains associated with typosquatting and brand impersonation - common techniques used by threat actors to proliferate phishing campaigns. Typosquatting involves registering domains with misspelled versions of popular websites or brands to capitalize on user errors, while brand impersonation involves creating fake online entities that closely mimic a brand’s official presence. The big difference is that typosquatting relies on typographical mistakes, whereas brand impersonation focuses on deceiving users through visual and contextual similarities. These two techniques are closely interconnected and often work in tandem to deceive users, steal information, and/or install malware.

From February 2024 to July 2024, ThreatLabz analyzed typosquatting and brand impersonation activity across over 500 of the most visited domains, examining more than 30,000 lookalike domains, and discovering that over 10,000 were malicious. This blog summarizes our findings, highlighting the trends and tactics used to carry out these phishing campaigns.

Key Takeaways

  • From February 2024 to July 2024, Google accounted for the largest percentage of phishing domains that leveraged typosquatting and brand impersonation. Microsoft and Amazon followed closely behind. Collectively, these three brands accounted for nearly three quarters of all these types of phishing domains.
  • Nearly half of the phishing domains that were discovered used free Let's Encrypt TLS certificates to appear more authentic and avoid web browser warnings.
  • The .com top-level domain (TLD) accounted for a significant amount of the phishing domains with English speakers being a primary target.
  • The Internet Services sector was the most heavily spoofed vertical, followed closely behind by Professional Services and Online Shopping.

Case Studies

The following examples show how threat actors leverage typosquatting and brand impersonation to perpetrate phishing campaigns. These domains were used for malware distribution, credential theft, scams, and malware command-and-control (C2) communication.

Malware distribution 

An example domain discovered by ThreatLabz used for malware distribution was “acrobatbrowser[.]com”, which impersonated the official Adobe website. The domain displayed a fake Adobe page with an embedded iframe window. As soon as the website was loaded, an MSI file (disguised as an Adobe plugin), was downloaded automatically. The MSI file contained the Atera Remote Access Trojan (RAT) providing attackers with remote control over a device and allowing them to steal personal data, spy on user activity, and deploy additional payloads.

The figure below shows the fraudulent domain along with the embedded iframe, and the subsequent MSI file that was downloaded.

Figure 5: Example brand impersonation domain used to distribute the Atera RAT.

Figure 5: Example brand impersonation domain used to distribute the Atera RAT.

Credential theft

ThreatLabz discovered some of the typosquatting domains used for credential theft. The figure below shows the domain named “offlice365[.]com” imitating the legitimate domain office365.com using a character insertion technique. The attacker hosted a fake Office 365 page to trick victims into entering their credentials. If a user entered their credentials, they would be redirected to the real office365.com website after their login information was stolen.

Figure 6: Example typosquatting domain designed to trick users into providing their login credentials for Office 365.

Figure 6: Example typosquatting domain designed to trick users into providing their login credentials for Office 365.

Scams

ThreatLabz discovered instances where scammers targeted users through messaging platforms by impersonating reputable brands. The figure below shows scammers posing as Amazon on WhatsApp and encouraging users to “apply” for a job. By mimicking well-known brands, scammers use these lookalike domains to lure users into sharing personal information.

Figure 7: Scammers impersonating Amazon, making contact via WhatsApp, and encouraging victims to “apply” for a job.

Figure 7: Scammers impersonating Amazon, making contact via WhatsApp, and encouraging victims to “apply” for a job.

C2 communication 

Threat actors often employ typosquatting domains to disguise C2 communication channels. For example, ThreatLabz discovered the domain “onedrivesync[.]com” hosting a TacticalRMM tool, a remote monitoring and management software application that is often leveraged for malicious purposes, as shown in the figure below. This threat actor attempted to evade detection by spoofing Microsoft OneDrive, which is commonly used in corporate environments.

Figure 8: An example Tactical RMM C2 server impersonating Microsoft OneDrive.

Figure 8: An example Tactical RMM C2 server impersonating Microsoft OneDrive.

Conclusion

Typosquatting and brand impersonation are common methods used in phishing attacks, abusing typographical errors entered by users and the trust those users place in well-known brands. These deceptive domains lure users into visiting fraudulent websites, where their personal information can be stolen or their systems compromised. Understanding the current trends and tactics in typosquatting and brand impersonation can help empower users and organizations to better recognize and defend against these phishing techniques.

Zscaler ThreatLabz is dedicated to actively monitoring and blocking these threats, stopping them before they can facilitate phishing attacks and cause harm to customers.

Zscaler Coverage

Zscaler’s multilayered cloud security platform effectively blocks malicious indicators across multiple levels. Additionally, ThreatLabz conducts proactive scans of newly registered domains and swiftly blocks any identified risks.

Figure 9: Zscaler cloud sandbox report

Figure 9: Zscaler cloud sandbox report

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to typosquatting at various levels with the following threat names:

Indicators Of Compromise (IOCs)

  • acrobatbrowser[.]com
  • browserpapernews[.]pages[.]dev
  • googleupdate[.]vip
  • offlice365[.]com
  • whatsapp-web[.]cn
  • googqle[.]com
  • play-store-google[.]com
  • onedrivesync[.]com
  • adobevn[.]pro
  • whatsapp2024[.]ru

In addition to those indicators, we added malicious domains likely belonging to the threat actor to our GitHub repository

form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.