Typosquatting hits top-level domain names — enter 'netflix.om'
A new group of bad people (the Internet is filled with them) have found a way to prey on unsuspecting folks who are typo prone. As someone who is habitually not paying attention when banging on the keys, It caught my eye.
It seems that people who accidentally misspell a URL and end it with .om versus .com are being redirected to sites that only exist to serve malware. Sites many of us visit every day have been spoofed, such as Citibank, Dell, Macy's and Gmail. Our testing hasn't seen the issue on the listed sites, but it's always better to be safe than sorry.
According to Endgame:
Our discovery of the malicious netflix.om led us to focus our research on typosquatting via registrations of domains using alternate TLDs. As of March 9, there are 1247 TLDs on the Internet according to the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organization responsible for handling the overall Internet namespace. This includes commonly seen TLDs like .com, .org, and .gov that are familiar to most Internet users. There are 251 ccTLDs representing nearly every country on Earth (many countries may have more than one ccTLD). Beyond this, since 2013, ICANN began approving hundreds of new TLDs such as .guru, .tech, .florist, and many more. This is a huge set of alternate TLDs which could be abused.
The most interesting set of TLDs for typosquatters are those that are likely to be mistyped. We have seen some research on typosquatting of .co and .cm, the ccTLDs for Colombia and Cameroon, respectively. Similarly, as we discovered with the Netflix example, the ccTLD assigned to the country of Oman, .om, is a prime candidate. Simply drop the "c" in ".com" and you're there. An alternative method we also considered is flipping the "c" and the ".". For example, "google.com" becomes "googlec.om".
People who land on a typosquatted page are faced with a pop-up that suggests they install an update to Adobe Flash, but instead are installing OS X malware known as Genieo, which "entrenches itself on the host by installing itself as an extension on various supported browsers (Chrome, Firefox, and Safari)."
We want to send out a heads-up and also remind everyone to never install any software you didn't specifically ask for.