Scammers Ride on Popular Vote411 Voter Info Site to Push Scareware Alerts (Nov 5, 2018)
Following the public promotion of the site "VOTE411[.]org" by comedian John Oliver in the lead-up to the US midterm elections, threat actors exploited the site's increase in visits by typosquatting its Top-Level Domain (TLD) to run a technical support scam. The threat actors registered the domain name with a "[.]com" ending instead of the official "[.]org", and visitors who reached the typosquatted site were shown a pop-up image. The pop-up stated that their iOS device was infected with "Pegasus" spyware and that they needed to phone a particular number to pay for a removal process. The typosquatted domain sends the user through multiple redirects and ultimately does not attempt to deliver a malicious binary; instead it leads users either to a text message subscription or to a form requesting credit card information to remediate the purported Pegasus infection.
Recommendation: It is crucial to ensure that the website you are accessing is spelled correctly and uses the correct address (i.e., [.]org rather than [.]com). Threat actors exploit the increased popularity of many websites and create fake domains, which can be potentially malicious, by making slight changes to the domain name. These changes can be overlooked by users, making them vulnerable to exploitation that could result in infection with malware/spyware, theft of their credit card information, or other harm.
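The TLD-swap technique described above (vote411[.]org versus vote411[.]com) is simple to catch on the defender's side by comparing the hosts seen in DNS or web-proxy logs against a watch list of domains the organisation cares about. The following Python script is an added example, not code from the original report or from ThreatStream: it flags hosts whose registrable label matches a watched domain but whose TLD differs, and also hosts whose label is one edit away from a watched one with the same TLD. The watch list, the log lines and the `host=` log format are constructed for the example, and the two-label domain split is a deliberate simplification (a production check should use the Public Suffix List to handle suffixes such as co.uk).

```python
"""Flag typosquatted look-alikes of watched domains in DNS/proxy log lines.

Added example for the VOTE411 typosquat story; the watch list, the log
format and the sample log lines below are constructed, not real data.
"""
from __future__ import annotations

import re

# Assumed watch list: legitimate domains the organisation wants to protect.
WATCHED_DOMAINS = {"vote411.org"}

# Constructed sample log lines in a made-up "host=<name>" proxy format.
SAMPLE_LOG = """\
2018-11-05T10:01:12Z client=10.0.0.5 host=vote411.org action=allow
2018-11-05T10:02:40Z client=10.0.0.7 host=vote411.com action=allow
2018-11-05T10:03:01Z client=10.0.0.9 host=www.vote411.com action=allow
2018-11-05T10:03:55Z client=10.0.0.5 host=example.com action=allow
2018-11-05T10:04:10Z client=10.0.0.8 host=v0te411.org action=allow
"""

HOST_RE = re.compile(r"host=(\S+)")


def split_domain(host: str) -> tuple[str, str] | None:
    """Return (label, tld) for the registrable part of a host name.

    Simplification: takes the last two DNS labels. Real deployments should
    consult the Public Suffix List so that multi-part suffixes (co.uk, ...)
    are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str | None:
    """Return a reason string if host looks like a typosquat of a watched
    domain, or None if it is an exact match or unrelated."""
    parts = split_domain(host)
    if parts is None:
        return None
    label, tld = parts
    for watched in WATCHED_DOMAINS:
        w_label, w_tld = split_domain(watched)
        if label == w_label and tld == w_tld:
            return None  # exact registrable domain: legitimate
        if label == w_label and tld != w_tld:
            return f"tld-swap of {watched}"  # e.g. vote411.com vs vote411.org
        if tld == w_tld and levenshtein(label, w_label) == 1:
            return f"near-miss label of {watched}"  # e.g. v0te411.org
    return None


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (host, reason) pairs for log lines whose host looks like a
    typosquat of a watched domain."""
    findings = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        reason = classify(host)
        if reason:
            findings.append((host, reason))
    return findings


if __name__ == "__main__":
    for host, reason in scan_log(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

On the constructed log the script reports vote411.com and www.vote411.com as TLD swaps of vote411.org and v0te411.org as a near-miss label, while the genuine vote411.org and the unrelated example.com pass silently. Running such a check over proxy logs, or over newly observed domains from passive DNS, is how a security team would spot visitors reaching a typosquat before they reach the scareware pop-up.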
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potentially malicious activity.