CISO Brief

All news with #typosquatting tag

16 articles

Fake FIFA World Cup Sites Exploit Ticket Demand

⚠️ ESET researchers in Latin America discovered multiple fraudulent websites impersonating FIFA and the World Cup ticketing portal to dupe fans into registering and submitting payment details. These sites use typosquatting, copied visuals, and convincing checkout flows to harvest money and personal data. Victims arrive via ads, sponsored search results, social posts or forwarded links. FIFA confirms tickets are only sold through a few official channels; users should verify domains, avoid pressure tactics, and enable unique passwords and two-factor authentication.

Typosquatting: Runtime Risks in Third-Party Web Scripts

🛡️ Attackers are embedding AI-generated lookalike domains inside legitimate third-party scripts, transforming typosquatting from a user mistake into a browser-runtime threat that traditional controls miss. Firewalls, WAFs, EDR, and CSPs cannot observe what approved scripts do once executed, enabling silent exfiltration as in the Trust Wallet compromise. Effective detection needs runtime behavioral monitoring that traces script actions, network calls, and deviations from established baselines rather than relying on static vetting.

Leaked Shai-Hulud Source Fuels npm Infostealer Campaign

⚠️ OXsecurity identified four malicious npm packages published by account deadcode09284814, including typosquatted modules aimed at Axios users. One package, chalk-tempalte, contains a non-obfuscated clone of the leaked Shai-Hulud infostealer that steals credentials, secrets, and crypto wallet data and exfiltrates it to a known C2. Another package, axois-utils, adds persistent DDoS bot functionality alongside credential theft. Developers should remove affected packages and rotate exposed credentials and API keys immediately.

World Cup 2026: Rising Cyber Threats and Scams

⚠️ Cyber criminals are exploiting World Cup 2026 excitement with fake merchandise stores, fraudulent betting platforms, and phishing domains designed to steal money and personal data. Domain registrations containing 'FIFA' or 'World Cup' surged to 9,741 in April 2026, and host countries recorded higher weekly attack averages in April versus March and the prior year. Check Point Research identified multiple impersonation and betting sites and advises fans to watch for steep discounts, suspicious domains, and 'vote-to-earn' schemes that solicit deposits.

Fake Hugging Face Repo Pushes Rust Infostealer and Typosquatting

⚠️ A malicious Hugging Face repository impersonated OpenAI’s Privacy Filter and briefly reached #1, reportedly accumulating 244,000 downloads before removal. HiddenLayer found the repo used a typosquatted name and a loader.py that disabled SSL checks, decoded a base64 URL, and executed a PowerShell chain to deploy a Rust-based infostealer. The malware harvests browser credentials, tokens, wallets, SSH/FTP/VPN files and more, exfiltrating data to a C2 server. Users are urged to reimage affected machines, rotate credentials, and replace wallets and seed phrases.

26 FakeWallet Apps on Apple App Store Target Seed Phrases

🔒 Researchers uncovered 26 malicious iOS apps, dubbed FakeWallet, impersonating popular cryptocurrency wallets on the Apple App Store since at least fall 2025. The apps, available to users whose Apple accounts are set to China, redirect victims to trojanized wallet builds or phishing pages to capture recovery phrases and private keys. Kaspersky found the campaign uses typosquatting, library injection, OCR modules, and enterprise provisioning to install payloads. Apple removed many of the apps after disclosure.

Chinese App Store Infiltrated by Crypto Wallet Scams

⚠️ A cluster of 26 malicious apps on Apple's China App Store impersonated popular crypto wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to harvest recovery seed phrases and drain funds. The apps used typosquatting and fake branding and were disguised as games or calculators to bypass local restrictions. They redirected victims to phishing pages that pushed trojanized wallets via abused iOS provisioning profiles; those trojans intercept mnemonics, encrypt them, and exfiltrate them. Kaspersky links the campaign, dubbed FakeWallet, to the ongoing SparkKitty operation, and Apple has removed the apps following disclosure.

Meta Sues Advertisers Over Celeb-Bait and Cloaking Scams

🛡️ Meta said it is suing deceptive advertisers in Brazil, China, and Vietnam, suspending their payment methods, disabling related accounts, and blocking domains used in scams. The company also issued cease-and-desist letters to eight marketing consultants accused of offering ways to evade ad-policy enforcement, including fake 'un-ban' services and renting access to trusted accounts. Meta highlighted targeted celeb-bait schemes and cloaking tactics, and said its protections now cover more than 500,000 celebrity and public-figure images.

Typosquatting Tactics: How Actors Evade Detection Today

🔍 Typosquatting remains a highly effective deception tactic where attackers register look-alike domains to phish, harvest credentials, and deliver malware. CrowdStrike describes how adversaries exploit weak registrar verification and craft convincing WHOIS records while using techniques such as strategic HTTP redirects, geo-targeted content and fake sale pages to evade detection. Organizations should monitor registrations, protect brands, and use Falcon Adversary Intelligence to detect and disrupt campaigns.

Typosquatted MAS domain spread Cosmali PowerShell malware

⚠️ A typosquatted domain impersonating the MAS Windows activation tool — get.activate.win instead of the legitimate get.activated.win — was used to serve malicious PowerShell scripts that deploy the Cosmali Loader. Victims reported intrusive pop-up warnings claiming a Cosmali infection after mistyping the domain while running activation commands. Researcher RussianPanda linked the loader to cryptomining utilities and the XWorm RAT. MAS maintainers urged users to verify commands, avoid retyping URLs, and test remote code in sandboxes before execution.

Parked Domains Increasingly Redirect Users to Malware

🔒 Infoblox researchers found that most parked and typosquatting domains now redirect visitors to scams, scareware, or malware without any user click. The redirects are frequently conditional — benign when accessed via a VPN or non‑residential IP, but malicious for residential addresses — and rely on device fingerprinting, geolocation, and chained resells. The study highlights widespread abuse of expired and lookalike domains and the growing role of affiliate networks in distributing harmful traffic.

Scattered Lapsus$ Hunters Target Zendesk Support Users

🚨 ReliaQuest has uncovered a campaign attributed to the Scattered Lapsus$ Hunters that leverages more than 40 typosquatted domains impersonating Zendesk portals, including deceptive SSO pages designed to harvest credentials. The actors have also been observed submitting fraudulent helpdesk tickets to target support staff, aiming to deploy remote access trojans and other malware. Organizations are advised to enforce MFA with hardware keys, implement IP allowlisting and session timeouts, monitor domains and DNS, and harden chat controls and content filtering to mitigate the risk.

APT24 Deploys BADAUDIO in Multi-Year Espionage Campaign

🛡️ APT24 has deployed a previously undocumented downloader called BADAUDIO to maintain persistent remote access in a nearly three-year campaign beginning November 2022. The highly obfuscated C++ downloader uses control-flow flattening and DLL search-order hijacking to fetch AES-encrypted payloads from hard-coded C2s; analysts observed Cobalt Strike delivered in at least one case. Operators distributed BADAUDIO via watering holes, supply-chain compromises, typosquatted CDNs and targeted phishing, employing FingerprintJS and encrypted cloud-hosted archives to selectively target victims and evade detection.

Malicious npm Packages Steal Developer Credentials

⚠️ Security researchers revealed 10 typosquatted npm packages uploaded on July 4, 2025, that install a cross-platform information stealer targeting Windows, macOS, and Linux. The packages impersonated popular libraries and use a postinstall hook to open a terminal, display a fake CAPTCHA, fingerprint victims, and download a 24MB PyInstaller stealer. The obfuscated JavaScript fetches a data_extracter binary from an attacker server, harvests credentials from browsers, system keyrings, SSH keys and config files, compresses the data into a ZIP, and exfiltrates it to the remote host.

Typosquatted Nethereum NuGet Package Steals Wallet Keys

🔒 Security researchers uncovered a NuGet typosquat, Netherеum.All, created to harvest cryptocurrency wallet secrets and exfiltrate them to a hidden command-and-control server. Uploaded on October 16, 2025 by user "nethereumgroup" and removed four days later, the package uses a Cyrillic 'e' homoglyph to impersonate Nethereum and falsely claims 11.7 million downloads to appear legitimate. Socket analysts found an XOR-decoded C2 endpoint (solananetworkinstance[.]info/api/gads) and a payload in EIP70221TransactionService.Shuffle that steals mnemonics, private keys, and keystore files. Developers are advised to verify publisher identity, watch for sudden download surges, and monitor anomalous network traffic before adding dependencies.

Malicious npm Package Masquerades as Nodemailer Library

⚠️ A malicious npm package named nodejs-smtp impersonating the popular nodemailer library was discovered to both send mail and inject malware into Electron-based desktop cryptocurrency wallets. When imported, it unpacked and tampered with Atomic Wallet on Windows, replacing vendor files and repackaging the app to silently redirect transactions to attacker-controlled addresses. Socket's researchers prompted npm to remove the package and suspend the account.