A TypoSquatting Minefield
b00gle is a proof-of-concept tool designed to create a ‘minefield’ of malicious domains based on misspellings of popular Google services.
The executable b00gle.exe starts an Apache httpd server that runs continuously in the background, while the system’s hosts file is modified to include the extensive list of malicious domains. The tool relies on the user typing a domain or URL incorrectly – if the mistyped name matches one of the malicious domains generated by the executable variations.exe, the victim is redirected to a malicious Google sign-in page hosted locally on the httpd server. The URL displayed to the victim is configured to mimic the URL typically observed when signing into Google services, namely a seemingly random assortment of numbers and letters.
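Because the redirect depends entirely on hosts-file entries that point lookalike names at the local httpd server, a defender can detect this kind of tampering by scanning the hosts file for near-misses of trusted names. The following is an added example (not part of b00gle); the watchlist and the sample hosts content are constructed assumptions.

```python
import re
from typing import List, Tuple

# Assumption: a short watchlist of legitimate names to compare against; extend as needed.
WATCHLIST = ("google.com", "accounts.google.com", "mail.google.com", "gmail.com")

# Constructed sample hosts-file content (not from a real system).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
127.0.0.1   googel.com
127.0.0.1   gogle.com
127.0.0.1   accounts.goggle.com
10.0.0.5    intranet.example
"""

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs

def suspicious_entries(text: str, max_distance: int = 2) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, lookalike_of) for entries that are near-misses of a watchlist name,
    plus exact watchlist names that have been pointed at a loopback address."""
    hits = []
    for ip, host in parse_hosts(text):
        if host in WATCHLIST:
            if ip.startswith("127.") or ip == "::1":
                hits.append((ip, host, host))
            continue
        for legit in WATCHLIST:
            if levenshtein(host, legit) <= max_distance:
                hits.append((ip, host, legit))
                break
    return hits
```

Run `suspicious_entries(open("/etc/hosts").read())` (or the Windows hosts path) to check a live system; any hit pointing at a loopback address deserves a closer look.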
Username and password data gathered from the sign-in page is stored in the browser’s cookies. PostMail is used as the framework for exfiltrating the data, though it can be substituted for other methods according to the attacker’s preference.