Caught 19 Phishing Sites

By Salvatore Stolfo

About a week ago, our team at Allure Security was investigating a phishing site targeting one of our banking customers. We had detected several phishing attacks for this bank before, but this one looked different. In almost all of the attacks we’d seen in the past, the attacker tried to create a realistic clone of the target brand’s site. However, in this case the attack site didn’t look much like the real bank site at all. It did use the bank’s logo and their name – but otherwise, the content and formatting were quite different from the real site. 

Seeing something a little different, one of our researchers did a full sweep through the site and noticed that the page with support contact information carried a different bank’s name. That little clue had us thinking that we’d found a template that had been used to target other banks’ clients in the past. So we began digging.

We found some interesting-looking items on the site: names of executives, photographs, addresses and even a bank routing number. We began to search for the same items on other sites using various tools we have at our disposal – and quickly started to uncover additional attack sites that used the same template and content.
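The pivot described above, sketched as an added example (not Allure Security's tooling): it pulls checksum-valid ABA routing numbers and phone numbers out of page text, groups hosts that share them, and flags pages that name a different bank than the one they claim to be. All hostnames, bank names, numbers and page text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: host -> (brand the site claims, visible page text).
PAGES = {
    "secure-northfield.example": ("Northfield Bank",
        "Welcome to Northfield Bank. Routing number: 123456780. "
        "Support: call Lakemont Savings at 555-0100. Order ref 123456789."),
    "lakemont-online.example": ("Lakemont Savings",
        "Lakemont Savings online banking. ABA 123456780. Call 555-0100."),
    "harbor-cu.example": ("Harbor Credit Union",
        "Harbor Credit Union. Questions? Call 555-0199."),
}

def aba_valid(num: str) -> bool:
    """ABA routing checksum: 3,7,1 weights over nine digits, sum divisible by 10."""
    d = [int(c) for c in num]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0

def artifacts(text: str) -> set:
    """Extract pivotable items; the checksum filters out random 9-digit noise."""
    found = {("routing", n) for n in re.findall(r"\b\d{9}\b", text) if aba_valid(n)}
    found |= {("phone", p) for p in re.findall(r"\b\d{3}-\d{4}\b", text)}
    return found

def shared_artifacts(pages: dict) -> dict:
    """Map each artifact seen on two or more hosts to the sorted hosts carrying it."""
    index = defaultdict(set)
    for host, (_, text) in pages.items():
        for art in artifacts(text):
            index[art].add(host)
    return {a: sorted(h) for a, h in index.items() if len(h) > 1}

def brand_mismatches(pages: dict) -> dict:
    """Hosts whose text names a watched brand other than the one the site claims.
    The watch list here is just the claimed brands in the sample set."""
    brands = {claimed for claimed, _ in pages.values()}
    out = {}
    for host, (claimed, text) in pages.items():
        others = sorted(b for b in brands - {claimed} if b in text)
        if others:
            out[host] = others
    return out

if __name__ == "__main__":
    for art, hosts in shared_artifacts(PAGES).items():
        print(art, "->", hosts)
    print("template leftovers:", brand_mismatches(PAGES))
```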

So far, we have discovered 19 different attack sites, impersonating 14 real banks, and another 4 completely fake banks. It appears that the phishers here are primarily chasing after new account signups, where they can collect effectively all of a victim’s personal financial information. However, they are also happy to collect credentials (usernames and passwords) from existing banking customers who attempt to log in to the spoof sites.

Banking is a Top Target for Fraudsters

It’s no surprise that the phishing nest we found was full of fraudulent bank websites. Banking customers are always a top target for phishers – because that’s where the money is – and almost everyone does some banking online these days. Even before the COVID-19 pandemic – which created a dramatic rise in phishing attacks – researchers published this analysis of Bank of America’s phishing activity, which jumped by 34 percent in 2019. 

Phishing Attacks are Evolving

As I mentioned, an unusual aspect of these 19 phishing sites is that at least four of them are not spoofing any particular bank – in fact, they’re websites for banks that don’t exist. This is a departure from the usual phishing tactic in which the phishers scrape content from a real website and launch a highly convincing fake version with the intent to steal credentials. Most phishing attacks depend on the brand recognition of a real company to work. But these sites don’t follow that pattern. Even the sites that used real bank logos didn’t look like the real banking sites.

Why build sites for banks that don’t exist? And why build spoof sites that don’t look anything like the real brand sites? It’s possible that these phishers were targeting younger banking customers who don’t concern themselves with brand recognition when it comes to banking. For Millennial and Gen Z banking customers, the primary concern is the ability to do all of their banking online. With the emergence of many online-only banks, it’s not unusual for young people to encounter and then do business with a bank they’ve never heard of, as long as it’s easy for them to open an account online. Of course, in this case, the banks don’t exist. Victims may think they’ve opened an account, but what they’ve really done is share PII with a fraudster. It’s a sign that phishers are evolving and becoming more sophisticated in who they target – and how they reach them.

Takedown Strategy

Due to the approach the phishers took here, some of the attack sites had been around for quite a while – over a year in a few cases. Typically, phishing sites only last for a few days. They get reported by a victim and then get blocked or shut down. However, with the fake banks there is no easy way to report them to anyone who will take action. This approach allows the phishers not to dwell on being discovered, and instead focus on attracting more victims with more and more attack sites. It was only when they used a real brand that was protected by Allure Security that their fraud was detected, and now the jig is up.

Our team was able to rapidly take down the sites targeting our customers. We’ve also reached out to the other victim banks to offer to help them get the sites targeting them taken down, and have reported everything to the hosting providers, domain registrars, search engines and endpoint security vendors. But we can’t really take substantial response steps for firms we don’t represent, so some of the attack sites may remain up and operational until those brands take action to protect their clients.

Here are a few of the sites we uncovered. 

Currently, our team is on the lookout for any examples of phishing emails that may have been sent to consumers to lure them to one of these phony sites. If you have some, please send them to us at [email protected]. Also, if you have visited a website that looks suspicious, drop us a line at our Report A Site service, and we will investigate it for you.
