How Scammers Phish for Customer Data With Spoofed Banking Sites
The research identifies classic phishing techniques such as cybersquatting or typosquatting.
Tim Helming, director of product management at Seattle-based DomainTools, pointed out that the financial services industry is highly susceptible to phishing attacks. “Not surprisingly, FinServ domains—or more accurately, the assets and customer information they represent–are a motherlode for hackers.”
DomainTools’ research revealed how high-profile financial institutions are caught up in phishing scams via spoof domains set up by criminals. For example, in just one day, over 180 fake and malicious websites/email addresses were associated with Bank of America and Wells Fargo.
Because phishing is a form of social engineering designed to fool a human victim into taking a specific action, there are certain characteristics that phishing domains often exhibit:
- Typosquatting: often a very close variation on the legitimate brand, created via typos or look-alike characters (called homoglyphs). Some of the typos favored by phishers can be hard to spot.
- Another cybersquatting technique allows the phisher to append another word or words onto the brand name.
Helming explained that scammers know how difficult it is for an organization to proactively register all the combinations and permutations that could involve its name. So the scammers send out phishing emails containing links to pages that look like the financial institution’s login page. “The victim then goes there and types in their credentials and now the bad guy has those credentials and the more sophisticated ones redirect the user to the real bank site so that the user then has an uninterrupted experience and thinks everything’s fine.” Except their username and password are now in the hands of the criminal, who will use them later or sell them.
The bigger the firm, the bigger the bullseye on them, so for its research, DomainTools created lists of the largest financial institutions in the U.S. and the UK and used these as its PhishEye queries, which returned lists of domains corresponding to each keyword (brand).
The top four U.S. institutions in the study were Bank of America, Wells Fargo, US Bank and TD Bank. The four most-spoofed European institutions: Blackstone, Blackrock and Deutsche Bank.
For all the spoofed banks, the research identified classic phishing techniques such as cybersquatting or typosquatting. Examples included a domain targeting big four accounting firm Deloitte, deloitte[.]cc, and one that spoofed Deutsche Bank, deutschebankholding[.]com. The research also observed wellsfargoalart[.]com, privacy-wellsfargo[.]com and bankofamerica-com-update-informtion-account-pass[.]com.
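The domains above show the three patterns the article describes: the brand on a different TLD, the brand with extra words appended or prefixed, and near-miss spellings. The script below is an added example, not DomainTools code and not how PhishEye works, of how a bank's security team might triage a feed of suspicious domains against a brand watchlist. The watchlist and its allowlisted legitimate domains are assumptions for the demonstration, and the feed mixes the defanged domains quoted above with constructed look-alikes (wellsfarg0.com, welsfargo.com) that are not from the research.

```python
"""Triage candidate domains against a brand watchlist (defender-side example)."""
import re

# Assumed watchlist: brand keyword -> domains the brand legitimately uses.
# This allowlist is constructed for the example, not a verified registry record.
WATCHLIST = {
    "wellsfargo": {"wellsfargo.com"},
    "bankofamerica": {"bankofamerica.com"},
    "deutschebank": {"db.com"},
    "deloitte": {"deloitte.com"},
}

# Look-alike substitutions phishers use; folding them back exposes the brand.
# Digraphs come first so 'rn' -> 'm' is applied before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'wellsfargo[.]com' or a URL into a hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^https?://", "", host).split("/")[0]
    return host.replace("[.]", ".").replace("(.)", ".").strip("[]")


def registrable_label(hostname: str) -> str:
    """Second-level label, e.g. 'wellsfargo' from 'login.wellsfargo.com'.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = hostname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_homoglyphs(label: str) -> str:
    """Replace look-alike characters with the letters they imitate."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from a brand is the typosquat zone."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str) -> dict:
    """Return {'domain', 'brand', 'verdict'} for one candidate domain."""
    host = refang(indicator)
    label = registrable_label(host)
    folded = fold_homoglyphs(label)
    compact = folded.replace("-", "")
    for brand, legit in WATCHLIST.items():
        if host in legit or any(host.endswith("." + d) for d in legit):
            return {"domain": host, "brand": brand, "verdict": "legitimate"}
        if label == brand:
            verdict = "brand_on_other_tld"      # e.g. deloitte.cc
        elif folded == brand:
            verdict = "homoglyph"               # e.g. wellsfarg0.com
        elif brand in compact:
            verdict = "brand_plus_words"        # e.g. privacy-wellsfargo.com
        elif levenshtein(folded, brand) <= (2 if len(brand) >= 8 else 1):
            verdict = "typosquat"               # e.g. welsfargo.com
        else:
            continue
        return {"domain": host, "brand": brand, "verdict": verdict}
    return {"domain": host, "brand": None, "verdict": "unrelated"}


def triage(feed: list[str]) -> list[dict]:
    """Classify every indicator in a feed, flagged ones first."""
    results = [classify(i) for i in feed]
    return sorted(results, key=lambda r: r["verdict"] in ("legitimate", "unrelated"))


# Constructed feed: the defanged domains quoted in the article plus made-up controls.
SAMPLE_FEED = [
    "wellsfargoalart[.]com",
    "privacy-wellsfargo[.]com",
    "bankofamerica-com-update-informtion-account-pass[.]com",
    "deutschebankholding[.]com",
    "deloitte[.]cc",
    "wellsfarg0.com",                        # constructed homoglyph control
    "welsfargo.com",                         # constructed typo control
    "https://login.wellsfargo.com/signin",   # constructed legitimate control
    "example.org",                           # constructed unrelated control
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FEED):
        print(f"{row['verdict']:<20} {row['brand'] or '-':<15} {row['domain']}")
```

The check order matters: an allowlisted host is cleared before any look-alike test runs, an exact brand label on a foreign TLD is reported before homoglyph folding, and the substring test runs before the edit-distance test so that long brand-plus-words registrations are not missed just because they are many edits away from the bare brand.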
“None of us should think that we are unphishable. Instead, exercise caution about any links that come via email, SMS, or ads,” Helming advised. He recommended that financial institutions familiarize customers with the feature many browsers have that exposes the URL behind a link.
Helming suggested that members who are not 100% certain a link truly came from their credit union should not click it. Instead, navigate to the credit union’s site and take it from there. “People do want to get in the habit of being really wary of clicking on anything that comes through an email.” He also stressed the importance of context: if members initiate an action with a credit union and then receive an email from it right afterward confirming or notifying them of the action, it is less likely that the email is a phish; on the other hand, emails that come “out of the blue” and ask them to follow a link or open an attachment are much less trustworthy.
DomainTools’ PhishEye product enables organizations to identify existing and new domains that spoof legitimate brand, product, organization, or other names. PhishEye finds existing domains that are variations of a keyword (typically a brand name) and monitors new registrations to find infringing domains as soon as they come into being.
Helming said, “We have essentially the largest database of information about web domain ownership and infrastructure in the world.” He explained that there is no central repository or governing body that holds all this information. Individual domain registrars and registries hold the records for their own domains, but not for each other’s.