The Sniffies gay hookup and cruising web app is being spoofed by opportunistic threat actors who target the site's users with typosquatting domains that push Google Chrome scams and dubious extensions.
In some cases, these illicit domains launch the Apple Music app, tricking users into purchasing a subscription, which would earn the threat actors a commission.
Launched in 2018, Sniffies is a web app for gay, bisexual, and bicurious men that shows nearby users looking for a good time on a map.
Fat-Fingering Won’t Get You Sniffies
A domain typosquatting campaign targeting users of the Sniffies website and app is widespread.
Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains, many of which are variant spellings of the Sniffies brand name.
Many of these domains are operated by scammers hoping to catch users who mistype Sniffies.com into a web browser and land on the fake domain instead.
Once accessed, malicious “Sniffies” impersonator domains perform one of the following actions:
- Trick users into installing dubious Chrome extensions
- Launch the “Music” app on Apple devices directly from the web browser
- Direct users to fake tech “support” scam sites
- Direct users to fake job boards
In BleepingComputer's tests, one such typosquatting domain, sniiffies.com, was seen performing one of the above actions at random.
On certain visits, it may launch the native Apple Music app, prompting the user to subscribe for a monthly fee. It’s a way for threat actors to earn an affiliate commission.
BleepingComputer has observed ad blocking code present in AdBlock Max, but directing users to an ad blocker via an invasive ad is certainly “very ironic”, as Google Chrome user Daniel Ferguson points out in his web store review of the extension.
Moreover, these extensions may come with unwanted features such as tracking. We have not reviewed all of the code present in these extensions.
Over 50 domains identified so far
Similar typosquatting campaigns have targeted top brands over time. For example, BleepingComputer observed the domain virginatlantc.com, which Virgin Atlantic customers may accidentally type, exhibit much of the same behavior as the phishing domains identified in this campaign. But the number of domains targeting Sniffies.com users is quite large.
Kinzie used the open source tool DNSTwist to passively generate permutations of Sniffies.com. Of the 3531 permutations generated by the tool, 51 were valid domains named after the web application.
“I did some tutorials on using a tool called DNSTwist to locate typosquatting campaigns,” Kinzie told BleepingComputer.
“When I heard about a new web app that was getting popular, I tried running the tool on a VERY NSFW website called Sniffies.”
“I saw a fair amount of domains registered with the same MX server configured, even though the domains were hosted on random platforms.”
Sniffies.com is estimated to receive more than 20 million visits every month from users around the world and has a rather unique name, which could explain attackers’ interest in squatting variants of the domain.
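The permutation-and-lookup approach described above, reduced to a defender's triage script (an added example, not code from DNSTwist, Kinzie, or BleepingComputer): it generates a few single-edit typo classes for a brand domain and groups registered look-alikes by shared MX host. The function names, the partial keyboard map, and the sample DNS answers are assumptions constructed for illustration.

```python
from collections import defaultdict

# Partial QWERTY adjacency map (assumption: covers only the letters in this demo).
ADJACENT = {"s": "adwxz", "n": "bhjm", "i": "ujko", "f": "dgrtcv", "e": "wsdr"}

def typo_variants(domain):
    """Map each single-edit typo of the registrable label to the technique that made it."""
    label, _, tld = domain.lower().partition(".")
    out = {}
    for i, ch in enumerate(label):
        out.setdefault(label[:i] + label[i + 1:], "omission")
        out.setdefault(label[:i] + ch + label[i:], "repetition")
        if i + 1 < len(label) and ch != label[i + 1]:
            out.setdefault(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
        for k in ADJACENT.get(ch, ""):
            out.setdefault(label[:i] + k + label[i + 1:], "replacement")
    return {f"{v}.{tld}": t for v, t in out.items() if v and v != label}

def cluster_by_mx(resolved, min_size=2):
    """Group registered look-alikes by MX host; a shared MX across unrelated
    hosting providers suggests a single operator behind the domains."""
    groups = defaultdict(list)
    for name, rec in resolved.items():
        for mx in rec.get("mx", []):
            groups[mx.rstrip(".").lower()].append(name)
    return {mx: sorted(n) for mx, n in groups.items() if len(n) >= min_size}

def triage(brand, dns_answers):
    """Keep only answers for names that are typo variants of brand, then cluster."""
    variants = typo_variants(brand)
    hits = {d: r for d, r in dns_answers.items() if d in variants}
    return hits, cluster_by_mx(hits)

# CONSTRUCTED sample answers (not real DNS data); addresses are RFC 5737 ranges.
SAMPLE_ANSWERS = {
    "sniiffies.com": {"a": "192.0.2.10", "mx": ["mx1.mail.example."]},
    "snifies.com": {"a": "198.51.100.7", "mx": ["MX1.mail.example"]},
    "sniffeis.com": {"a": "203.0.113.99", "mx": ["mx1.mail.example"]},
    "snuffies.com": {"a": "192.0.2.44", "mx": ["mail.other.example"]},
    "unrelated.com": {"a": "192.0.2.45", "mx": ["mx1.mail.example"]},
}

if __name__ == "__main__":
    hits, clusters = triage("sniffies.com", SAMPLE_ANSWERS)
    for mx, names in clusters.items():
        print(f"{mx}: {len(names)} look-alikes -> {', '.join(names)}")
```

In practice the answers dictionary would be filled from real A and MX lookups for each generated variant; brand owners can run the same clustering on a schedule to spot newly registered look-alikes.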
To be fair, Google Chrome does have a security warning that discourages users from falling for typos. For example, when you head to bleedDingcomputer.com in Chrome, the browser checks whether you meant BleepingComputer instead. But the warning does not appear for every typosquat, including those of Sniffies.com.
When searching for casual dating online, users are advised to carefully type the name of the website they want to visit and make sure they are on the real website.
Some typosquatted sites can even go a step further by mimicking the look of the real website, which makes them harder to spot and leaves users open to phishing attacks.