Endgame exposes malware that punishes poor spelling


A new variation of the well-known typosquatting scam has been spotted by Endgame that attempts to take advantage of folks who forget to include or misplace the letter 'C'.

The security firm Endgame has come across a new campaign utilizing the well-worn method known as typosquatting to spread malware to poor typists who are attempting to visit some of the most popular sites on the web.

Instead of using domains built around the typical misspellings of a company name, such as goggle or yootube, this one goes after people who type or The bad guys are instead registering new top-level domains ending in .om with Internet Corporation for Assigned Names and Numbers.

Endgame researchers have found 334 well-known organizations, like Netflix, YouTube and Walgreens, that have the domain .om, for example, registered to a third party not affiliated with the company in question. What makes this dangerous is they all point to active sites enabling a bad actor to place anything on the site, in this case adware.

Endgame noted that while the malware being distributed right now is relatively benign the ingredients are in place that would allow criminals to cook up something much worse.

“This one is at the top of the list for potentially being a major threat because so many of the major brands are not registered combined with how easy it is to make a mistake makes it dangerous,” Mark Dufresne, Endgame's director of malware research, told

The other fear is instead of placing adware onto a victim's computer the criminals start using this scam to inject ransomware or setup sites designed to steal log in credentials.

The one nasty twist added with this campaign is an attempt to target Mac owners. Dufresne said Windows operators are usually the target of choice for typosquatters.

Dufresne's main recommendation is for companies to boost their mitigation efforts by working with internet service providers to remove the .om domains or to purchase them outright thus heading the bad guys off at the pass.

Dufresne said he is unable to put a dollar sign or quantify the amount of damage done via typosquatting, but Endgame has been able to see that thousands of people so far have fallen victim to misplacing the "C" in .com.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.