19 May Part 2: Typosquatting
A typosquatting attack involves the attacker publishing a library under a name that is a deliberate misspelling of a legitimate one, so it differs only slightly from the original. Once it is published, it is a waiting game: a potential victim mistypes the library name when installing it and ends up with the package the attacker created for this purpose.
The example used previously was published at the end of 2019. Although that is still fairly recent, further research by ReversingLabs found that typosquatting is still being used in the wild.
That example concerned PyPI. A similar discovery has since been made in RubyGems: typosquatting was used on 700 gems with malicious intent, uploaded in February 2020.
The apparent targets were reported to be software developers on Windows systems, in particular those who may have made Bitcoin transactions. The intention was believed to be stealing cryptocurrency by transferring it to a wallet of the attackers’ choice.
Following this discovery, the malicious gems were removed a couple of days later.
Checking every library that gets included in an application has its difficulties, but the simple step of ensuring that library names have been typed correctly can be the difference between pulling in the genuine library and pulling in one built for malicious use. The latter could ultimately lead to loss of data, with financial or reputational consequences.
Solutions such as library screening and holding vetted copies of libraries in a repository internal to your network help lower the risk of such mistakes.
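One way to put the "library screening" idea into practice is to check a dependency manifest against an allowlist of vetted package names and flag anything that is a near miss of an approved name. The script below is an added example written for this post; it is not code from the original article or from ReversingLabs, and the allowlist, the manifest and the misspelt names in it are constructed sample data rather than packages observed in the wild. It normalises names the way PyPI does (case-insensitive, with `-`, `_` and `.` interchangeable) and uses an edit distance that counts swapped adjacent letters as a single error, since transpositions are the commonest kind of typo.

```python
"""Screen a dependency list for likely typosquats against an allowlist.

Added example for this post, not code from the original article or from
ReversingLabs. The allowlist and the manifest below are constructed sample
data; the misspelt names are illustrative, not real packages seen in the wild.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed allowlist: names your organisation has actually vetted.
APPROVED: Set[str] = {"requests", "urllib3", "cryptography", "PyYAML", "nokogiri"}


def normalize(name: str) -> str:
    """Normalise a package name PEP 503 style: case-insensitive, and runs of
    '-', '_' and '.' all count as a single '-'."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one insert, delete, substitute or
    adjacent transposition costs 1. Transpositions matter because swapped
    letters ('reqeusts') are the commonest kind of typo."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


@dataclass
class Finding:
    requested: str
    verdict: str            # "approved", "possible-typosquat" or "unknown"
    closest: Optional[str]  # nearest approved name (normalised), if any
    distance: Optional[int]


def typo_threshold(name: str) -> int:
    """Short names get a tighter threshold: at distance 2 almost every
    four-letter name is 'near' some other four-letter name."""
    return 1 if len(name) <= 5 else 2


def screen(requested: Iterable[str], approved: Iterable[str] = APPROVED) -> List[Finding]:
    """Classify each requested dependency against the allowlist."""
    approved_norm = {normalize(n) for n in approved}
    findings: List[Finding] = []
    for raw in requested:
        name = normalize(raw)
        if name in approved_norm:
            findings.append(Finding(raw, "approved", name, 0))
            continue
        closest = min(approved_norm, key=lambda cand: osa_distance(name, cand))
        dist = osa_distance(name, closest)
        if dist <= typo_threshold(name):
            findings.append(Finding(raw, "possible-typosquat", closest, dist))
        else:
            # Not near anything vetted: not necessarily malicious, but it has
            # to go through the screening process before it is used.
            findings.append(Finding(raw, "unknown", None, None))
    return findings


if __name__ == "__main__":
    # Constructed manifest: a mix of correct, mistyped and unvetted names.
    manifest = ["requests", "reqeusts", "urlib3", "PyYAML", "nokogirl", "leftpad-enterprise"]
    for f in screen(manifest):
        dist = "-" if f.distance is None else f.distance
        print(f"{f.requested:20} {f.verdict:20} {f.closest or '-':12} {dist}")
```

A check like this fits naturally as a pre-install or CI gate in front of an internal repository: "approved" names install, "possible-typosquat" names are blocked and shown alongside the name they resemble so the developer can correct the typo, and "unknown" names are routed to whoever vets new libraries. The threshold is deliberately conservative for short names, because a fixed distance of 2 would make nearly every short name look like a near miss of some other one.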