The same infrastructure traced back to Russian-speaking threat group Nobelium is being used to set up misspelled domain names, presaging impersonation attacks bent on credential harvesting, analysts say.

Dark Reading Staff, Dark Reading

May 3, 2022

1 Min Read
Source: Panther Media GmbH via Alamy

A typosquatting campaign intended to abuse popular brands is in the works, likely tied to Nobelium, the notorious Russian-state-backed group behind the SolarWinds attacks.

Recorded Future in its latest research is warning that the attackers are using infrastructure similar to that known to be used by Nobelium, to set up their command-and-control (C2) servers. 

This time, the group is preying on users looking online for specific brands who enter common spelling errors or "typos" in the URL. Those misspelled domain names are purchased by threat actors, who stand up spoofed sites to trick people into giving up their credentials, credit-card details, and more. 

"A key factor we have observed from Nobelium operators involved in threat activity is a reliance on domains that emulate other brands (some legitimate and some that are likely fictitious businesses)," the Recorded Future team explained in their report. "Domain registrations and typosquats can enable spearphishing campaigns or redirects that pose a threat to victim networks and brands."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights