As reported by Threatpost, security vendor Endgame recently discovered widespread “typosquatting” with the “.om” domain name, in which bad actors attempt to dupe people who mistype common URLs. In this case, more than 300 malicious URLs have latched onto the Country Code Top-Level Domain for Oman, which users might accidentally enter instead of “.com.” Some examples include samsung.om, delta.om, and netflix.om.
The danger is particularly acute for Mac users, who according to Endgame might be bombarded with pop-ups prompting them to update to a new version of Adobe Flash Player. While tech-savvy users may recognize this type of attack—or know to stop using Flash Player entirely—users who follow through on the update prompts may be unknowingly installing adware on their machines. This adware, called Genieo, will then attempt to inject targeted advertising into the user’s web browser.
That’s not to say Windows users aren’t at risk. Visiting one of the affected sites with a Windows machine may redirect users to various scareware, adware, or survey sites, several of which try to coerce users into installing harmful or unnecessary programs. However, Endgame was not able to duplicate the Flash Player update prompt that appears on some sites for Mac users.
We tested several of the sites on Endgame’s master list, and indeed found that some redirected to questionable surveys, untrustworthy streaming video sites, or outright scary warning pages. But in some cases—as with hotelsc.om—the URLs did redirect to the intended location. (Hotels.com seems to have invoked the service of a company that negotiates deals with cybersquatters, though it’s also possible for companies to wage a legal battle or raise a dispute with ICANN.)
Why this matters: Typosquatting is not a new phenomenon, and brands generally do a good job of protecting users against obvious misspellings. The abuse of .om appears to be an anomaly, in which hundreds of popular sites now have bad actors sitting on not-so-unlikely typos. With any luck, the exposure will prompt those sites to take action, but users should be extra careful with their URL spellings in the meantime.
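A defender-side check for the two typo shapes mentioned above (samsung.om, where the “c” is dropped, and hotelsc.om, where the dot is misplaced), as an added example that is not from Endgame or the original article. The protected-domain list, the log line format, and the log lines themselves are constructed assumptions.

```python
# Added example: flag ".om" lookalikes of protected ".com" domains in DNS logs.
# PROTECTED and SAMPLE_LOG are constructed for illustration.

PROTECTED = ["samsung.com", "delta.com", "netflix.com", "hotels.com"]

def om_variants(com_domain):
    """Return the two .om typo shapes for one .com name."""
    name = com_domain.lower().rstrip(".")
    if not name.endswith(".com"):
        return set()
    label = name[: -len(".com")]      # "hotels.com" -> "hotels"
    return {label + ".om",            # dropped "c":    hotels.om
            label + "c.om"}           # misplaced dot:  hotelsc.om

def build_watchlist(protected):
    """Map each lookalike .om name to the .com domain it imitates."""
    return {v: dom for dom in protected for v in om_variants(dom)}

def registrable(qname):
    """Last two labels of a queried name, so www.netflix.om -> netflix.om."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def scan(log_lines, watch):
    """Return (client, queried name, imitated domain) for each hit.

    Assumed (constructed) line format: "<timestamp> <client-ip> <qname>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                  # skip malformed lines
        _, client, qname = parts
        target = watch.get(registrable(qname))
        if target:
            hits.append((client, qname, target))
    return hits

SAMPLE_LOG = [                        # constructed DNS query log lines
    "2024-01-01T09:12:01Z 10.0.0.21 www.netflix.om",
    "2024-01-01T09:12:05Z 10.0.0.21 netflix.com",
    "2024-01-01T09:13:40Z 10.0.0.37 hotelsc.om.",
    "2024-01-01T09:14:02Z 10.0.0.44 example.om",
    "malformed line",
]

if __name__ == "__main__":
    for client, qname, target in scan(SAMPLE_LOG, build_watchlist(PROTECTED)):
        print(f"{client} queried {qname} (lookalike of {target})")
```

A hit only means the name matches a typo shape; as the hotelsc.om case shows, some such names redirect to the intended site, so hits are candidates for review rather than confirmed malicious domains.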