New research by Sucuri shows that threat actors are impersonating Google domains via typosquatting as part of payment card-skimming campaigns. Typosquatting is the practice of registering domains that are very similar to the names of famous websites. In this case, threat actors were trying to trick owners of legitimate websites into loading malicious JavaScript code from “google-analytîcs[.]com” instead of the legitimate Google domain “google-analytics[.]com.”
The code was designed to steal payment card details entered by visitors of infected websites. That data was then sent to a server owned by the attackers, which also used a fraudulent Google domain, namely “google[.]ssl[.]lnfo[.]cc.” Luke Teal of Sucuri explained that “website visitors may see a reputable name (like ‘Google’) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature.”
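An added example, not code from Sucuri or the article: a Python check that a site owner could run over a page's HTML to list third-party script hosts and flag any that only resemble an approved host, as "google-analytîcs[.]com" does. The allowlist, the brand list, the sample page and its file paths are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.google-analytics.com", "google-analytics.com"}  # assumed allowlist
BRANDS = ("google",)  # assumed: reputable names worth watching for in other hosts
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)', re.I)

def skeleton(host):
    # Decode punycode labels, then strip accents so that 'î' compares equal to 'i'.
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:  # malformed punycode: keep the raw label
                pass
        labels.append(label)
    decomposed = unicodedata.normalize("NFKD", ".".join(labels))
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(host):
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return "allowed"
    folded = skeleton(host)
    if folded in ALLOWED_HOSTS:
        return "lookalike"  # accented or punycode twin of an approved host
    if any(brand in folded for brand in BRANDS):
        return "brand-in-unapproved-host"  # reputable name, wrong domain
    return "unapproved"

def audit(html):
    # Map every non-allowlisted script host on the page to its classification.
    hosts = (urlsplit(src).hostname for src in SCRIPT_SRC.findall(html))
    return {h: classify(h) for h in hosts if h and classify(h) != "allowed"}

# Constructed sample page; hosts are written defanged as in the article and
# re-fanged only for parsing.
SAMPLE_HTML = """
<script src="https://www.google-analytics[.]com/analytics.js"></script>
<script src="https://google-analytîcs[.]com/ga.js"></script>
<script src="/static/app.js"></script>
""".replace("[.]", ".")

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
    print(classify("google[.]ssl[.]lnfo[.]cc".replace("[.]", ".")))
```

Accent folding only catches lookalikes built from accented Latin letters; characters borrowed from other scripts need a confusables table, and an exact-match allowlist remains the primary control.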
Read more: ‘Google’ Sites Are the Latest Ploy by Card-Skimming Thieves