Typosquatting leads Megaupload seekers astray, as other file-sharing sites limit access

News by Dan Raywood

A case of typosquatting is leading inquisitive surfers to a malicious site when looking for the former Megaupload portal.


According to Chris Boyd, senior threat researcher at GFI Software, a site has been set up at Megaupload.cm aiming to catch out people who want to look at the FBI's warning currently pasted across the front of the genuine website.

Boyd said: “On the basis that Wikipedia hasn't gone dark for a day or covered itself in pictures of Jimmy Wales, we can see that the .cm TLD is intended for domains connected with Cameroon. Registered back in 2009, Megaupload.cm takes you to a site located at surveytakelive.com, which tells us via the method of pop-up box that there are prizes up for grabs and you'll have to fill in some personal information.”

This then ultimately leads to a mobile phone promotion, which costs various amounts of cash per day until the user unsubscribes.

“The adverts served are region specific; visiting from the US will result in iPad, Walmart and Visa giftcard offers instead,” Boyd said.

A report by Websense Security Labs in December found nearly 2,000 examples of typosquatting, affecting the websites of major high-street brands such as Argos, John Lewis and Debenhams, with visitors often falling victim to the scam by mistyping web addresses.

Elsewhere, Sophos reported that, following the FBI's takedown of Megaupload last week, other file-sharing sites have closed down or locked their gates to keep out users with US IP addresses.

It said Fileserve has stopped filesharing, with users only able to download their own files, while multiple files have been deleted, premium accounts banned and its affiliate programme closed.

VideoBB and Videozer have closed their affiliate programmes, Uploaded.to has blocked US access, and 4Shared is deleting multiple files. Filepost and Hotfile have started suspending accounts with infringing material, while EnterUpload is down.

Sophos also reported that FileSonic now features a red banner on its main page, informing visitors that "all sharing functionality on FileSonic is now disabled. Our service can only be used to upload and retrieve files that you have uploaded personally".

