Gay hookup and cruising web app Sniffies is being impersonated by opportunistic threat actors hoping to target the website’s users with typosquatting domains that push scams and dubious Google Chrome extensions.
In some cases, these illicit domains launch the Apple Music app prompting users to buy a subscription, which in turn would earn threat actors a commission.
Launched in 2018, Sniffies is a web app for gay, bisexual, and bicurious men that shows nearby users “looking” for a good time on a map.
Fat fingering won’t get you to Sniffies
A domain typosquatting campaign targeting users of Sniffies website and app is rampant.
Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains many of which are spelling variations of the brand name Sniffies.
Many of these domains are operated by scammers hoping to catch users who mistype Sniffies.com in a web browser and land on the counterfeit domain instead.
Once accessed, the illicit “Sniffies” copycat domains do one of the following things:
Push the user to install dubious Chrome extensions
Launch the “Music” App on Apple devices right from the web browser
Lead the users to bogus technical “support” scam sites
Lead the users to fake job posting sites
In tests by BleepingComputer, one such typosquatting domain sniiffies.com, for example, was seen performing one of the above tasks at random.
On some visits, it may launch the Apple Music native app prompting the user to subscribe for a monthly fee. This is one way for threat actors to earn an affiliate commission:
On other attempts, we were greeted with prompts to install dubious Google Chrome extensions, like “AdBlock Max – remove invasive ads” and “Movie Database,” among others.
BleepingComputer did observe some ad-blocking code present in AdBlock Max, but to direct users to an ad-blocker via an invasive advert certainly is “highly ironic,” as Daniel Ferguson, a Google Chrome user points out while reviewing the extension on the Web Store.
Moreover, these extensions may come with unwanted features like tracking functionality—we did not review the entire code present in these extensions.
More than 50 domains identified so far
Similar typosquatting campaigns have targeted prominent brands over time. For example, BleepingComputer observed the domain virginatlantc.com, which patrons of Virgin Atlantic may accidentally type, exhibits much of the same behavior as phishing domains identified in this campaign. But, the number of domains targeting Sniffies.com users is rather large.
Kinzie used the open source tool DNSTwist to passively generate permutations of Sniffies.com, and out of the 3531 permutations generated by the tool, 51 represented valid domains that are named after the web app:
“I did a few tutorials on using a tool called DNSTwist to locate typosquatting campaigns,” Kinzie told BleepingComputer.
“When I heard about a new webapp that was becoming popular I tried running the tool on a VERY NSFW website called Sniffies.”
“I saw a good amount of domains registered with the same MX server set up, even though the domains were hosted on random platforms.”
Sniffies.com is estimated to receive more than 20 million visits every month from users from around the world and has got a rather unique name, which could explain the attackers’ interest in squatting variations of the domain.
To be fair, Google Chrome also has a security warning deterring users from falling for typosquats. For example, heading to bleedingcomputer.com in Chrome has the browser double-checking if you meant BleepingComputer instead. But there are no warnings for all typosquats, including those of Sniffies.com:
When seeking casual encounters online, users are advised to type the name of their go-to website carefully and ensure they are on the real website.
Some typosquatted sites may even go a step further by impersonating the look-and-feel of the real website, which can make them harder to spot with users falling for phishing attacks.
