.cm TLD used by typosquatters to hijack 12million visitors in 4 months

Yes, you have read this right. Brian Krebs published a detailed report on how the ‘.cm’ TLD is being used by typosquatters to hijack traffic. The report mentions that in a couple of months 12 million visits were hijacked, and if you think about this, it actually means that 12 million times there was a chance to infect a device with malware.

In the current observed campaign the users are redirected to random websites that have been picked out by an traffic distribution system that take into account your metadata that your browser sends out.

This includes:

  • Your location
  • Your useragent
  • Your operating system
  • Last visited website

The statistics show that the amount of unique IP addresses is quite high:

January 2018: 2,200,160 unique IPs
February 2018: 3,352,032 unique IPs
Mar 2018: 3,197,119 unique IPs


What makes this report interesting is the fact that a lot of government institutes and important organs have connected to typosquatted .cm domains:

Environment Times visited typosquatted domain Adult site hits
 National Aeronautics and Space Administration (JSC, GSFC, JPL, NDC)  104  16
 Department of Justice  80  7
 United States House of Representatives  47  17
¬†Central Intelligence Agency ¬†6 ¬†–
¬†United State Army ¬†29 ¬†–
¬†United States Navy ¬†25 ¬†–
¬†Environmental Protection Agency- ¬†15 ¬†–
¬†New York State Court System ¬†4 ¬†–
¬†– ¬†– ¬†–


We recently published an article on safe DNS servers that you can use to navigate the web, some of the DNS servers will protect you against some typosquatted domains.

Thank you for the research Brian Krebs.
Share this info: