Yes, you have read that right: Brian Krebs published a detailed report on how the ‘.cm’ top-level domain (Cameroon's country-code TLD, one keystroke away from ‘.com’) is being used by typosquatters to hijack traffic. The report mentions that roughly 12 million visits were hijacked in a couple of months, and if you think about it, that is 12 million separate opportunities to infect a device with malware.
In the currently observed campaign, users are redirected to a destination picked by a traffic distribution system (TDS), which chooses the landing page based on the metadata your browser sends with each request:
- Your location
- Your user agent string
- Your operating system
- The last visited website (the Referer header)
The statistics show that the number of unique IP addresses hitting these domains each month is substantial:
- January 2018: 2,200,160 unique IPs
- February 2018: 3,352,032 unique IPs
- March 2018: 3,197,119 unique IPs
What makes this report interesting is that many government agencies and other significant organizations have connected to typosquatted .cm domains. The counts below are from the report; the last column is the number of those visits that ended up on an adult site:

| Environment | Visits to typosquatted .cm domains | Of which adult-site hits |
|---|---|---|
| National Aeronautics and Space Administration (JSC, GSFC, JPL, NDC) | 104 | 16 |
| Department of Justice | 80 | 7 |
| United States House of Representatives | 47 | 17 |
| Central Intelligence Agency | 6 | – |
| United States Army | 29 | – |
| United States Navy | 25 | – |
| Environmental Protection Agency | 15 | – |
| New York State Court System | 4 | – |
We recently published an article on safe DNS servers that you can use to browse the web; some of those resolvers filter known malicious domains and will protect you against some of these typosquatted .cm domains, though not against all of them.
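The organizations in the table above could have found these visits in their own proxy or DNS logs, and the same logic produces a blocklist for a filtering resolver. The script below is an added example and is not code from this post or from Krebs's report; the tab-separated log format, the client IPs and the hostnames (example.com, another-site.com, camtel.cm) are constructed for illustration. The key caveat it handles: .cm is a real ccTLD with legitimate sites, so a .cm host on its own is not evidence of anything. The heuristic flags a .cm domain only when its exact .com twin is also visited from the same environment, which is precisely the dropped-letter pattern Krebs describes.

```python
"""Flag proxy-log requests to '.cm' hosts that look like '.com' typosquats.

Added example, not from the original post or from Krebs's report.
The log format and every hostname/IP below are constructed for illustration.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of a tab-separated proxy log: timestamp, client IP, URL, referer.
SAMPLE_PROXY_LOG = """\
2018-03-02T09:14:03Z\t10.1.4.22\thttps://www.example.com/news\t-
2018-03-02T09:14:41Z\t10.1.4.22\thttp://www.example.cm/\thttps://www.example.com/news
2018-03-02T09:15:02Z\t10.1.7.9\thttp://example.cm/landing?id=7\t-
2018-03-02T09:16:10Z\t10.1.9.3\thttps://www.camtel.cm/\t-
2018-03-02T09:17:55Z\t10.1.4.22\thttps://another-site.com/\t-
2018-03-02T09:18:20Z\t10.1.2.2\thttp://another-site.cm/\t-
"""


def registrable(host: str) -> str:
    """Return the last two labels of a hostname ('www.example.cm' -> 'example.cm').

    Good enough for .com/.cm; a real deployment would use the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield one dict per non-empty log line (constructed 4-column format)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = line.split("\t")
        yield {
            "ts": ts,
            "client": client,
            "host": urlsplit(url).hostname or "",
            "referer": referer,
        }


def find_cm_typosquats(text: str) -> dict:
    """Return {cm_domain: visit_count} for .cm domains whose .com twin is also in the log.

    A .cm host alone is not suspicious (Cameroon's ccTLD has legitimate sites such as
    the constructed 'camtel.cm' below). A .cm domain that is the exact dropped-'o'
    twin of a .com domain the same environment visits is the typosquat pattern.
    """
    records = list(parse_log(text))
    com_domains = {registrable(r["host"]) for r in records if r["host"].endswith(".com")}
    hits = Counter()
    for r in records:
        dom = registrable(r["host"])
        if dom.endswith(".cm") and dom[: -len(".cm")] + ".com" in com_domains:
            hits[dom] += 1
    return dict(hits)


def cm_twins(com_domains) -> set:
    """Generate the .cm typosquat of each .com domain, for a resolver or proxy blocklist."""
    twins = set()
    for d in com_domains:
        dom = registrable(d)
        if dom.endswith(".com"):
            twins.add(dom[: -len(".com")] + ".cm")
    return twins


if __name__ == "__main__":
    for dom, n in sorted(find_cm_typosquats(SAMPLE_PROXY_LOG).items()):
        print(f"{dom}: {n} visit(s), twin of {dom[:-3]}.com")
    print("blocklist:", sorted(cm_twins(["example.com", "www.another-site.com"])))
```

Running this over the constructed log flags example.cm (two visits, one of them with the .com site as referer, which is exactly the mistyped-link case) and another-site.cm, while camtel.cm is left alone because no camtel.com appears. Feeding `cm_twins()` the list of .com domains your users legitimately visit gives you a blocklist to load into a filtering resolver, which is the protection the DNS article referred to above provides only partially.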
Thank you for the research Brian Krebs.