Watch out - these fake websites advertising Google Meet, Skype, and Zoom are just spreading malware
Another major typosquatting campaign has been spotted
Hackers are, once again, impersonating major tech brands to trick people into downloading malware to their computers, experts have warned.
Cybersecurity researchers from the Zscaler ThreatLabz recently discovered a new campaign, in which unidentified threat actors created countless websites whose URL is almost identical to actual websites belonging to the likes Google, Skype, and Zoom.
This method is also known as “typosquatting”, and relies on the fact that many people won’t spot a “typo” in the URL, and will believe they are on the legitimate site instead of a malicious one.
Sites in Russian
The websites pretend to host video conferencing software, such as Google Meet and the likes. The software offers download links for Windows, Android, and iOS. However, while the iOS link doesn’t do anything malicious (it redirects the users to the actual product), the Android and Windows deliver malware. For Android, it’s nothing more than an APK, but for Windows, it initiates the download of a batch script.
That batch executes a PowerShell script, which downloads and runs one of a few remote access trojans (RAT) spotted in the campaign - Spynote RAT (Android), NjRAT, or DCRat (Windows).
The campaign has been active since December 2023, with the researchers adding that the spoofed sites are Russian, indicating that the threat actors are either Russian themselves, or simply targeting Russian consumers.
"The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems," they added.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The RATs can be used for a wide array of malicious activities, from stealing sensitive information from the devices, to logging keystrokes, and exfiltrating files. The methods of promoting these websites is unknown, but it is safe to assume that there is a phishing campaign active somewhere on the internet, and that the sites are being actively promoted on social media and various online forums.
Via TheHackerNews
More from TechRadar Pro
- This nasty trojan uses Discord as a command and control server
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.