.cm TLD used by typosquatters to hijack 12 million visitors in 4 months

Yes, you read that right. Brian Krebs published a detailed report on how the ‘.cm’ TLD is being used by typosquatters to hijack traffic. The report mentions that 12 million visits were hijacked in a couple of months. If you think about it, that means there were 12 million chances to infect a device with malware.

In the currently observed campaign, users are redirected to random websites picked by a traffic distribution system that takes into account the metadata your browser sends out.

This includes:

  • Your location
  • Your user agent
  • Your operating system
  • Last visited website

The statistics show that the number of unique IP addresses is quite high:

January 2018: 2,200,160 unique IPs
February 2018: 3,352,032 unique IPs
March 2018: 3,197,119 unique IPs
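
On the defensive side, lookups that drop the "o" from ".com" can be spotted in your own resolver logs. The following is an added example, not code from the report: it flags queries for `<name>.cm` where `<name>.com` is a domain you legitimately use, and counts unique clients per lookalike. The log format, domain names and IP addresses are constructed assumptions, and the registrable domain is taken as the last two labels.

```python
from collections import defaultdict

# Assumption: .com domains your organisation legitimately uses (constructed names).
KNOWN_COM = {"example.com", "intranet-portal.com", "webmail-example.com"}

# Constructed sample resolver log: "<timestamp> <client_ip> <queried name>"
SAMPLE_LOG = """\
2018-03-01T09:14:02Z 10.0.0.15 www.example.com.
2018-03-01T09:14:07Z 10.0.0.15 example.cm.
2018-03-01T09:15:40Z 10.0.0.22 WWW.Example.CM
2018-03-01T09:16:11Z 10.0.0.22 webmail-example.cm
2018-03-01T09:17:03Z 10.0.0.31 news.unrelated.cm
2018-03-01T09:18:29Z 10.0.0.15 example.cm
malformed line
"""

def registrable(qname):
    """Return (second-level label, TLD) for a queried name, or None if unusable."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]

def find_cm_typos(log_text, known_com=KNOWN_COM):
    """Map each .cm lookalike of a known .com domain to the client IPs that queried it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        _, client_ip, qname = parts
        reg = registrable(qname)
        if reg is None:
            continue
        name, tld = reg
        # Flag only the dropped-"o" case: same name, .cm instead of .com.
        if tld == "cm" and f"{name}.com" in known_com:
            hits[f"{name}.cm"].add(client_ip)
    return dict(hits)

if __name__ == "__main__":
    for domain, clients in sorted(find_cm_typos(SAMPLE_LOG).items()):
        print(f"{domain}: {len(clients)} unique client(s): {sorted(clients)}")
```

Domains that appear in the result are candidates for blocking or sinkholing at the resolver, and the client list shows which machines to check.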