A major typosquatting campaign has been detected exploiting Amazon’s AWS cloud platform to trick people into tech support scams.
After being tipped off by a real computer technician working at a local retail store, Malwarebytes researchers uncovered a “major typosquatting campaign” that started about a month ago.
The campaign is also quite dangerous as the victims are not only “charged” for the “technical support” service they receive, but the scammers often access the victims’ bank accounts and drain them later.
Faking a security issue
Typosquatting is a popular technique among cyber criminals and relies on people making a typo, whether out of ignorance or by accident. If a person mistypes the address of a website they want to visit, they will usually see a message that the website does not exist. However, some criminals obtain these mistyped domains and use them to deliver malicious landing pages hosted on AWS.
In this case, unknown threat actors have obtained a Wells Fargo lookalike domain – wellsfargo[.]cm (instead of .com). People visiting this website will get a popup stating that their endpoint contains numerous viruses and threats, that it is “locked” for security reasons and that they must call customer service using a phone number on the landing page.
In addition to the risk of talking to the fraudsters on the phone, giving them access to the devices and possibly even bank accounts, there is also the risk that the fraudsters will know people’s phone numbers, which can later be used in an identity theft scam.
The best way to protect yourself from such attacks is to make sure you type the addresses correctly and be on the lookout for any security pop-ups that say the device is “locked” and urge the user to act immediately.
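For defenders who can see DNS or proxy logs, the same kind of typo can be caught automatically. The following is an added example, not code from Malwarebytes or the original article: it flags hostnames that are one edit away from a protected domain, either in the name or in the top-level domain (as with .cm for .com). The `PROTECTED` list and the sample hostnames other than wellsfargo.cm are constructed assumptions, and single-label TLDs are assumed.

```python
# Added example: flag hostnames that look like typos of protected domains.
# PROTECTED is an assumed watchlist; SAMPLE hostnames are constructed test input.
PROTECTED = ["wellsfargo.com", "amazon.com", "walmart.com", "homedepot.com"]
SAMPLE = ["www.wellsfargo.com", "wellsfargo.cm", "amzaon.com", "walmart.om", "example.org"]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("amzaon" vs "amazon") counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host: str):
    """Return (protected_domain, reason) if host resembles a protected domain, else None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]  # ignores subdomains such as "www"
    if f"{name}.{tld}" in PROTECTED:
        return None  # exact match is the legitimate site
    for good in PROTECTED:
        gname, gtld = good.split(".")
        if name == gname and edit_distance(tld, gtld) == 1:
            return good, "tld-typo"  # e.g. .cm or .om instead of .com
        if tld == gtld and edit_distance(name, gname) == 1:
            return good, "name-typo"
    return None


def scan(hosts):
    """Return (host, protected_domain, reason) for every lookalike in hosts."""
    hits = []
    for host in hosts:
        match = classify(host)
        if match:
            hits.append((host, *match))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A one-edit match can also hit a legitimate domain on a real TLD that differs from a protected one by a single character, so hits are best treated as items to review rather than as automatic blocks.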
While Malwarebytes claims this is a major typosquatting campaign, it lists 10 domains that were recently hijacked, including Amazon, DuckDuckGo, Walmart, and Home Depot. We do not know how many people may have been affected by this attack.