Pity Italy. They just seem to get hammered by the bad guys (this is, after all, the home of Gromozon, one of the nastiest pieces of malware out there).
We have a list of 1,100 Italian typosquatting domains that spawn malware. The names include:
3bay(dot)it
3ebay(dot)it
4ebay(dot)it
aitalia(dot)it
aklitalia(dot)it
alialia(dot)it
aliotalia(dot)it
alirtalia(dot)it
ebaay(dot)it
ebagy(dot)it
ebahy(dot)it
go9ogle(dot)it
goigle(dot)it
goiogle(dot)it
gokogle(dot)it
golgle(dot)it
gologle(dot)it
goo0gle(dot)it
goo9gle(dot)it
goobgle(dot)it
gooble(dot)it
goofgle(dot)it
googble(dot)it
googel(dot)it
googfle(dot)it
You get the picture. You can see a full list here.
When the user goes to any of these sites, they will usually get a message stating that they must upgrade IE:
Translated:
Impossible to find the requested page
To view the requested page, it is necessary to upgrade Internet Explorer (link to fake upgrade — which at the moment doesn’t even work).
Or you can look for the requested page on “Extra Ricerca” or search for it on the Web (fake search form which links directly to malware)
Download Extra Toolbar (link to malware)
One may also get a preview of a video, which requires a “Codec” to view. The “codec” is, of course, malware:
It’s nothing really that new, as these same people were hijacking these same domains a while back. Back then, somebody was complaining about it, so one of our researchers checked for most possible misspellings of the most popular domains in Italy, and they pretty much all came up with the same pages containing malware.
Then this group stopped for a few months and we were (incorrectly) under the impression that these sites were shut down by authorities, but unfortunately, that’s not the case. Marco Giuliani of PrevX yesterday wrote about them on his blog and it was immediately clear that these (which, by the way, are “hardcore infect-spammers”) are the same people. We believe that these are also the same people or close associates of JohnRuffo(dot)com which sells “italian traffic” (meaning zombies).
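The names listed above are each one keystroke error away from a real brand. As an added example (not code from the original post or from Sunbelt), this Python sketch labels an observed domain with the brand it imitates and the typo class, for use on proxy or DNS logs; the function names, the brand list and the sample input are assumptions made for illustration.

```python
from typing import Optional, Tuple

# Brands imitated by the names listed in the post; extend for your own monitoring.
BRANDS = ("ebay", "alitalia", "google")

def edit_kind(label: str, brand: str) -> Optional[str]:
    """Name the single keystroke error that turns brand into label, else None."""
    if label == brand:
        return None
    i = 0  # length of the common prefix
    while i < min(len(label), len(brand)) and label[i] == brand[i]:
        i += 1
    diff = len(label) - len(brand)
    if diff == 1 and label[i + 1:] == brand[i:]:
        return "insertion"
    if diff == -1 and label[i:] == brand[i + 1:]:
        return "omission"
    if diff == 0:
        if label[i + 1:] == brand[i + 1:]:
            return "substitution"
        if label[i:i + 2] == brand[i:i + 2][::-1] and label[i + 2:] == brand[i + 2:]:
            return "transposition"
    return None

def registered_label(domain: str) -> str:
    """Undo (dot) defanging and return the label left of the TLD.
    Assumption: single-level TLDs such as .it; no public-suffix handling."""
    parts = domain.strip().lower().replace("(dot)", ".").rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def match_typosquat(domain: str, brands=BRANDS) -> Optional[Tuple[str, str]]:
    """Return (brand, typo class) if domain is one edit away from a brand."""
    label = registered_label(domain)
    for brand in brands:
        kind = edit_kind(label, brand)
        if kind:
            return brand, kind
    return None

if __name__ == "__main__":
    # Constructed sample: names quoted in the post plus three legitimate domains.
    observed = ["3bay(dot)it", "aitalia(dot)it", "go9ogle(dot)it", "googel(dot)it",
                "gooble(dot)it", "www.google.it", "ebay.it", "repubblica.it"]
    for name in observed:
        print(f"{name:18} {match_typosquat(name)}")
```

A hit only means the name is a near miss of a brand; whether it serves malware still has to be checked separately.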
Alex Eckelberry
(Credit to Sunbelt researcher Francesco Benedini, with a hat tip to Marco Giuliani)