Websites are being registered on Oman’s top-level domain by typosquatters looking to capitalize on mistakes made by Mac users and push Genieo adware. The .om domain is intended to catch out Mac users who type quickly and miss out the c when typing .com website addresses.

Typosquatting is the registration of domain names with transposed or missed letters in an attempt to cash in on traffic intended for other websites. Goole.com is a good example. The site has been registered and uses an Ask Jeeves search bar to provide search engine functions to bad typists. The website has been reported to attract 1000 visitors a day, the vast majority of whom have mistyped google.com.

However, in the case of the .om domain, the typosquatters have sinister motives. The sites are being used to deliver malware and adware, and the typosquatters appear to be targeting devices running OS X.

The sites detect the operating system on the device and redirect Windows users to websites where they are bombarded with popup adverts. Mac users are targeted with a fake Adobe Flash update. Downloading the update will install Genieo adware. Genieo adware installs itself as a browser extension on Firefox, Opera, and Chrome and is used to serve ads.

The spate of domain registrations was noticed by security researchers at Endgame, who discovered that over 330 domains had been registered with Oman’s Telecom Regulatory Authority in the past few weeks.

As is common with malicious typosquatters, they have chosen the names of well-known websites that receive large volumes of traffic. Endgame reports that .om sites have been registered for Gmail, Macys, Citibank, and Dell in the past few weeks, along with a host of other well-known brands. The sites appear to have been registered by a number of different typosquatting groups, not just one individual. However, a large percentage were found to have been registered by individuals in New Jersey.
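Because the typo is a single dropped letter in the TLD, lookups for these sites are easy to flag in DNS logs. The sketch below is an added example, not code from the article or from Endgame; the watchlist, the three-field log format and the sample lines are constructed assumptions.

```python
# Assumption: .com domains to protect, taken from the brands named in the article.
WATCHLIST_COM = {"gmail.com", "macys.com", "citibank.com", "dell.com"}

# Constructed sample DNS query log: "<timestamp> <client-ip> <qname>"
SAMPLE_LOG = """\
2024-01-01T09:01:12Z 10.0.0.21 www.gmail.com.
2024-01-01T09:01:40Z 10.0.0.21 www.gmail.om.
2024-01-01T09:02:03Z 10.0.0.35 Citibank.OM
2024-01-01T09:02:10Z 10.0.0.35 intranet.example.om
2024-01-01T09:03:00Z 10.0.0.40 dell.com.om
this line is malformed
"""

def om_typo_target(qname, watchlist=WATCHLIST_COM):
    """Return the watched .com domain that qname is a '.om' typo of, else None."""
    host = qname.strip().rstrip(".").lower()   # normalise case and trailing root dot
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != "om":
        return None
    # The label directly before ".om" is what the user meant to put before ".com".
    # Ordinary .om names (and names under com.om) fall through, because
    # "<label>.com" is not on the watchlist.
    candidate = labels[-2] + ".com"
    return candidate if candidate in watchlist else None

def scan_log(text, watchlist=WATCHLIST_COM):
    """Return (client, qname, intended_domain) for every suspected .om typo lookup."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                            # skip malformed lines
        _ts, client, qname = parts
        target = om_typo_target(qname, watchlist)
        if target:
            hits.append((client, qname.rstrip(".").lower(), target))
    return hits

if __name__ == "__main__":
    for client, qname, target in scan_log(SAMPLE_LOG):
        print(f"{client} looked up {qname} (likely meant {target})")
```

Hits identify which clients reached a typo domain, which is where to check for the fake Flash update download described above.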

A number of different hosting companies have been used, although the site installations are all very similar. Endgame discovered that many of the sites contain vulnerabilities that could allow other parties to hijack the sites. At the present time, it would appear that the typosquatters are only intent on pushing Genieo adware and promoting ad networks, although that may not remain the case. With the high number of security vulnerabilities that exist on the sites, they could all too easily be hijacked by other individuals and used to deliver malware and ransomware to unsuspecting visitors.