Be careful when typing URLs

07/18/2012
G DATA Blog

A typing error in the URL of a popular website can put your local system in danger. Attackers register typo-squatting domains to take advantage of the typing mistakes internet users frequently make. Well-known examples from the past are "mircosoft.com" and "goggle.com", where malware was delivered. Most often, however, domain names with frequent spelling errors are used for advertising. The case of facbook.de showed that it is not easy to tell the difference between adware and advertising.

A typing mistake when opening a popular website can lead to advertisements or put your local system in danger. Sometimes it is not easy to tell the difference.

In the last two days we noticed that the domain facbook.de has been actively used to distribute bundles of Adobe's Flash Player with browser toolbars that you may not want. The domain was registered in summer 2011 as nothing more than a parking domain. It now redirects to domains like "get-browser-update.com" or "get-flashplayer.com", where the original facebook.de site is displayed in an iframe. There you can enter your access credentials and you will be logged in properly. After a short while, however, the visitor is guided into downloading the latest Flash Player 11.1.

 

After downloading and executing the file, which is digitally signed by NetGenius Ltd., the newest version of Adobe Flash Player is downloaded and installed. But that's not all. If you read carefully before you start the installation, you might notice that it changes your browser settings. Only the custom setup lets you prevent the installation of additional components, by unchecking the box. If you follow the setup without changes, your browser ends up with some additional toolbars that you have not asked for.

 

In this case you get the Babylon Toolbar, and if your browser is Mozilla Firefox or Google Chrome, the ColorZilla plugin is installed. None of these toolbars is malicious or fraudulent on its own. They are useful additions to browser functionality. But the covert way in which they are installed is why we flag the bundle file and the corresponding websites as dangerous. To avoid such hassle, type your URLs carefully.
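The three typo domains named above are each a single typing slip away from the real name: a dropped letter (facbook.de), two swapped letters (mircosoft.com) and a wrong letter (goggle.com). The following check for hostnames seen in proxy or DNS logs is an added example, not part of the original post; the function names, the protected list and the sample hostnames are assumptions made for illustration.

```python
# Added example: flag hostnames one typing slip away from a protected domain.
# PROTECTED holds the real names behind the article's typo domains (assumed list).
PROTECTED = ["microsoft.com", "google.com", "facebook.de"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each at cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1,          # deletion
                         cur[j - 1] + 1,       # insertion
                         prev[j - 1] + cost)   # substitution or match
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def lookalike_of(host: str, protected=PROTECTED, max_distance: int = 1):
    """Return the protected domain that `host` imitates, or None.
    An exact match is the real site and is never flagged."""
    host = normalize(host)
    if host in protected:
        return None
    best = min(protected, key=lambda p: osa_distance(host, p))
    return best if osa_distance(host, best) <= max_distance else None


if __name__ == "__main__":
    # Constructed sample of hostnames, e.g. as seen in proxy or DNS logs.
    for h in ["facbook.de", "www.mircosoft.com", "goggle.com",
              "facebook.de", "example.org"]:
        print(f"{h:20} -> {lookalike_of(h)}")
```

The comparison covers the whole name including the top-level domain, so a slip in the suffix is flagged as well.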