Typosquatters Targeting Mac Users Who Mistype URLs
Another day, another Mac malware threat to be aware of. The latest comes from typosquatters, who are targeting Mac users who accidentally mistype URLs while browsing the web. According to a post written by Tom Spring on Threatpost, the Kaspersky Lab security news service, users who type .om instead of .com leave themselves open to the threat.
As with most two-letter suffixes, .om is a country-code top-level domain (in this case, Oman's). Typosquatters register domains that differ from popular brands and sites by a single typo, with the goal of catching users who type the wrong address. In this case, the typosquatters have registered .om versions of common domains (Threatpost names Citibank, Dell, Gmail, and Macys). According to the post, more than 300 such domains have been registered.
How the Threat Works
Mac OS X users are used to facing fewer virus and malware threats than their Windows counterparts. This particular campaign, though, targets Mac users specifically. If you are running OS X and land on one of the registered .om domains, you are served a popup window urging you to download an Adobe Flash update. The update, of course, is fake: instead of Flash, the installer delivers Genieo, an annoying and malicious piece of adware.
The good news is that Genieo is well documented and usually easy to remove. The bad news is that, evidently, the servers hosting the malicious .om domains are themselves vulnerable, so other attackers could compromise them and use the same domains to serve more serious malware.
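For defenders, the practical question is whether anyone on your network has already hit one of these domains. The following is an added example, not code from the original post or from Threatpost: it builds the .om squat of each brand the report names, then scans a few constructed DNS/proxy log lines (format assumed: timestamp, client IP, hostname or URL) for requests whose registrable domain matches. It goes slightly beyond the article by also generating the other single-character deletions of ".com" (.cm and .co, both real country-code TLDs), since those arise from the same typo.

```python
import re
from urllib.parse import urlsplit

# Brands named in the Threatpost report. The full list of 300+ squats is not
# reproduced on the page, so these four are the demo set (assumption).
BRANDS = ["citibank", "dell", "gmail", "macys"]
LEGIT_TLD = "com"


def typo_tlds(tld=LEGIT_TLD):
    """Every TLD obtained by deleting one character from the legitimate one.

    For "com" this yields "cm", "co" and "om"; the article concerns ".om".
    """
    return sorted({tld[:i] + tld[i + 1:] for i in range(len(tld))})


def squat_domains(brands=BRANDS, tld=LEGIT_TLD):
    """Map each typo domain (e.g. 'citibank.om') to the domain the user meant."""
    return {f"{b}.{t}": f"{b}.{tld}" for b in brands for t in typo_tlds(tld)}


def registrable_domain(host):
    """Reduce a hostname to its last two labels: 'www.dell.om' -> 'dell.om'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_from_field(field):
    """Accept a bare hostname (DNS log) or a full URL (proxy log)."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    return field


def scan_log(lines, squats=None):
    """Return one record per log line whose destination is a known squat domain."""
    squats = squats if squats is not None else squat_domains()
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash on it
        client, host = parts[1], host_from_field(parts[2])
        dom = registrable_domain(host)
        if dom in squats:
            hits.append({"client": client, "host": host,
                         "squat": dom, "intended": squats[dom]})
    return hits


# Constructed sample log lines (not real traffic): "<timestamp> <client> <host-or-url>".
SAMPLE_LOG = [
    "2016-03-15T10:01:02Z 10.0.0.12 www.citibank.om",
    "2016-03-15T10:01:05Z 10.0.0.12 www.gmail.com",
    "2016-03-15T10:02:11Z 10.0.0.27 http://www.dell.om/",
    "2016-03-15T10:02:40Z 10.0.0.27 mail.example.om",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['client']} requested {h['host']} "
              f"({h['squat']} is a squat of {h['intended']})")
```

Two design points: matching on the registrable domain rather than the full hostname catches `www.`, `mail.` and any other subdomain the squatter serves, and the legitimate `gmail.com` line and the unrelated `example.om` line are not flagged, so the rule only fires on domains you actually enumerated.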
What to Do
So what can you do to dodge this particular Mac OS X threat? Your best bet is simply to avoid typing URLs into the address bar. Use bookmarks and autofill to reach your usual sites, or navigate via Google or another search engine. If you do type a full URL, double-check it before pressing Enter to make sure you are visiting a .com and not a .om. In addition, for the time being, reject any Adobe Flash update that appears as a popup in your browser; if you need Flash at all, get updates directly from Adobe.