Oman TLD Being Exploited By Typosquatters Pushing Genieo Adware

Websites are being registered on Oman’s top level domain by typosqautters looking to capitalize on mistakes made by Mac users and push Genieo adware. The .om domain is intended to catch out Mac users who type quickly and miss out the c when typing .com website addresses.

Typosquatting is the registration of domain names with transposed or missed letters in an attempt to cash in on traffic intended for other websites. Goole.com being a good example. The site has been registered and uses an Ask Jeeves search bar to provide search engine functions to bad typists. The website has been reported to attract 1000 visitors a day, the vast majority of which have mistyped google.com.

However, in the case of the .om domain the typosquatters have sinister motives. The sites are being used to deliver malware and adware, with the typosquatters appearing to be targeting devices running OS X.

The sites detect the operating system on the device and redirect Windows users to websites where they are bombarded with popup adverts. Mac users are targeted with a fake Adobe Flash update. Downloading the update will install Genieo adware. Genieo adware installs itself as a browser extension on Firefox, Opera, and Chrome and is used to serve ads.

The spate of domain registrations was noticed by security researchers at Endgame, who discovered that over 330 domains had been registered with Oman’s Telecom Regulatory Authority in the past few weeks.

As is common with malicious typosquatters, they have chosen the names of well-known websites that receive large volumes of traffic. Endgame reports that .om sites have been registered for Gmail, Macys, Citibank, and Dell in the past few weeks, along with a host of other well-known brands. The sites appear to have been registered by a number of different typosquatting groups not just one individual. However, a large percentage were found to have been registered by individuals in New Jersey.

A number of different hosting companies have been used, although the site installations are all very similar. Endgame discovered that many of the sites contain vulnerabilities that could allow other parties to hijack the sites. At the present time, it would appear that the typosquatters are only intent on pushing Genieo adware and promote ad networks, although that may not remain the case. With the high number of security vulnerabilities that exist on the sites they could all too easily be hijacked by other individuals and used to deliver malware and ransomware to unsuspecting visitors.

Link copied to clipboard
Photo of author

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writers about compliance and the related areas of IT security breaches. Elizabeth's has a focus data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone