It seems Italy is fast becoming the hub of malware authors. I still remember the nasty days when the Linkoptim also known as Gromozon malware was spreading like wildfire throughout the net. And now typo-squatters have followed the lead of LinkOptim to again plague the Italian surfers. For those unfamiliar with typo-squatting, you can read more about it here. Internet users in Italy are currently under attack by a massive typo-squatting made by malware authors. Some of the URLs used by this attack are listed below.
- 3bay.it
- 4repubblica.it
- aklitalia.it
- corrieere.it
- eba6y.it
- eba7y.it
- fgazzetta.it
- fgoogle.it
- gazzetra.it
- gazzettaa.it
- katsaweb.it
- mnsn.it
- tyiscali.it
- tyttogratis.it
For a full list of URLs used in the attack, download the pdf file here. (Courtesy of Sunbelt-Software.) The page shown below is loaded upon visiting these URLs. 
Here is a babelfish translation of the words on the page. Impossible to find the page demanded In order to visualize the demanded page the modernization of Internet Explorer (direct link to a malware file) is necessary. In alternative, it finds on Extra Search the tried page.
All typo-squatter links listed above leads to the same page. A whois lookup also shows the same results among the URLs.
Status: ACTIVE
Created: 2005-08-24 00:00:00
Last Update: 2007-05-08 16:43:56
Expire Date: 2007-08-24
Registrant
Name: PROLAT
ContactID: PROL20-ITNIC
Address: zip: LV-5400
DE
Created: 2007-03-01 10:27:17
Last Update: 2007-03-01 10:27:17
Admin Contact
Name: Bojarovs Aleksejs
ContactID: BA3396-ITNIC
Address: street: Grodnas 42/72
zip: LV-5400
city: Daugavpils
DE
Created: 2005-06-13 00:00:00
Last Update: 2007-03-01 07:48:12
Technical Contacts
Name: Bojarovs Aleksejs
ContactID: BA3396-ITNIC
Address: street: Grodnas 42/72
zip: LV-5400
city: Daugavpils
DE
Created: 2005-06-13 00:00:00
Last Update: 2007-03-01 07:48:12
Registrar
Organization: FROG
Name: PROLAT-MNT
Nameservers
ns1.metallichosting.com
ns2.metallichosting.com
It also shows that the URLs used in the attack have been in existence since August of 2005.
Typo-squatting is not new; in fact it has existed for a long time now and has also been known to be used by other malwares in the past. Mostly the targets are big companies or websites which are frequented by most internet users like google.com and microsoft.com. Even Trend Micro has been a target of this in the past, I posted a diary entry about this last year.
The malware authors ultimately rely on the user’s carelessness in order to be successful.
So to mitigate, users should be careful how they type. Also for sites that are frequently used, you should just bookmark it so that no typing would be necessary. Microsoft has also released a software called Strider URL Tracer which is made to combat typo-squatting. And last for the security admins, especially for the ones in Italy, you can download the whole list of the URLs used in the recent attack from Sunbelt-Software and block them from your network. This way all users even the careless ones are protected from this attack. This doesn’t give excuse to be careless though. We should always be vigilant and have security on our minds especially when critical data are being handled.
