A large typosquatting campaign has been detected abusing Amazon’s AWS cloud platform to lure people into tech support scams.
After being tipped off by an actual computer technician working at a local shop, researchers at Malwarebytes discovered a “big typosquatting campaign” that started roughly a month ago.
The campaign is quite dangerous, too, as victims are not only “charged” for the “tech support” service they receive, but the scammers often end up accessing the victims’ bank accounts and later drain them out.
Faking a security issue
Typosquatting is a popular technique among cybercriminals, and relies on people making a typo in ignorance or by accident. If a person were to mistype a website they’re looking to visit – they would usually see a message saying the website doesn’t exist. However, some criminals obtain these mistyped domains and use them to plant malicious landing pages hosted on AWS.
In this instance, unknown threat actors obtained a Wells Fargo lookalike domain – wellsfargo[.]cm (instead of .com). People visiting this website will get a popup saying their endpoint has numerous viruses (opens in new tab) and threats, that it’s “locked” for security reasons, and that they should call customer support via a phone number on the landing page.
Besides the risk of talking to the fraudsters on the phone, giving them access to the devices and possibly even bank accounts – there is also the risk of the fraudsters knowing people’s phone numbers, which can later be used in identity theft (opens in new tab) scams.
The best way to protect against such attacks is to make sure you’re typing the addresses correctly and to be suspicious of any security pop-ups saying the device is “locked” and urging the user to act immediately.
While Malwarebytes claims this is a major typosquatting campaign, it listed 10 domains that were recently hijacked, including Amazon, DuckDuckGo, Walmart, and Home Depot. We don’t know how many people might have been affected by this attack.