Disneyland Team, a Russian-speaking financial hacking group was identified using lethal info-stealing malware with confusing typosquatted domains to siphon login data for banking sites.
The malicious campaign was discovered by Alex Holden, the founder of cybersecurity consulting firm Hold Security, and reported on by KrebsOnSecurity.
According to the report, the hacking group specifically targets individuals compromised with a powerful banking malware called Gozi 2.0 (AKA Ursnif), which can siphon the data of internet-linked devices, and install additional malware.
But Gozi is not as powerful as it used to be because search engine designers have launched multiple security measures over the years to nullify the threat of banking malware. But this is where typosquatting plays an important role by designing phishing websites with domain names that are common misspellings of websites.
Take U.S. financial services company Ameriprise for example. Ameriprise employs the domain ameriprise.com. The Disneyland Team's domain for Ameriprise users is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.
On observing carefully, you can make out small dots under the "a" and the second "e," and if you thought them to be specs of dust on your screen, you wouldn’t be the first one to fall for the visually confusing scam. These are not specs, though, but rather Cyrillic letters that the browser renders as Latin.
So, when an individual falls into the trap laid by scammers and visits these bogus bank websites, it gets overlaid with the malware, which forwards anything the victim types into the legitimate bank’s website, while keeping a copy for itself.
That way, when the real bank website returns with a multi-factor authentication (MFA) request, the fake website will request it too, effectively making the MFA useless.
“In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site,” KrebsOnSecurity reported. “These could then copy and/or intercept any data users would enter into a web-based form, such as a username and password. Most Web browser makers, however, have spent years adding security protections to block such nefarious activity.”