Level 66
Content Creator
Malware Hunter
Malicious domains masquerading as Google sites are the latest ploy by payment card-skimming adversaries looking to dupe website visitors.

According to analysts at Sucuri, cybercriminals are using typosquatting (the practice of changing one letter in a trusted site name to use as a malicious URL) to deceive unsuspecting, unobservant victims.

The Sucuri team found a website using the Magento e-commerce platform that had been blacklisted and was experiencing “Dangerous Site” warnings. It turned out that the site had been infected with a credit-card skimmer loading JavaScript from a legitimate-seeming Google Analytics domain. Closer inspection of the purported trusted Google site showed the URL to actually be “google-analytîcs[.]com” — not a Google site at all. Further, once credit-card details are harvested, the data is sent to a remote server. This too uses a fake Google domain: “google[.]ssl[.]lnfo[.]cc.”

“The malicious user purposely selected the domain name with the intention of deceiving [users],” explained Luke Teal, a security analyst at Sucuri, in a Thursday write-up. “Website visitors may see a reputable name (like ‘Google’) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature. This tactic is also common in phishing attacks to trick victims into thinking a phishing page is actually legitimate.”