Phishing attacks continue to post an upward trend. Over the years, phishers have improved their methods, using very convincing domains to bait victims into their schemes.

In fact, a 2019 phishing trends and intelligence report recorded a steady rise in the volume of phishing attacks. It stated that in 2018, for instance, the U.S. phishing activity grew by 40.9%, more than double the 2015 number. Unsurprisingly, 28.9% of these phishing attacks targeted financial institutions.

In this post, we looked at why banking institutions remain a top phishing target. Plus, we explored how they can avoid becoming part of phishing attacks through the use of Domain Reputation API.

Banks Are Still among the Most Favored Phishing Targets, Why?

One primary reason: money. Hackers who can get access to an individual’s banking account or the internal network of a financial institution often “hit the jackpot.”

And cybercriminals do not even need to be that tech-savvy. They can easily connect with groups on the Dark Web to purchase ready-made malware that they can then use for their attacks. Or they can send emails from a typosquatted domain that seems innocent enough to make recipients click on a link enticing them to disclose their passwords (e.g., during a fake request for password reset).

A possible reason for the prevalence of phishing attacks is the widespread availability of free web hosting services. Many financial phishing sites use free web hosts. In the past four years alone, the use of free hosting services steadily increased from 3% in 2015 to 13.8% in 2018. Free hosting allows hackers to set up phishing sites without shelling out any money. Also, they don’t even need to purchase a domain since they can use free subdomains.

Our Investigative Tool: Domain Reputation API

We looked at PhishTank to see if there are valid phishing sites that remain accessible online and stumbled upon https://chase-financial9w[.]com/home/myaccount/index[.]html. Anyone who doesn’t scrutinize URLs before clicking may think this particular link is owned by Chase Bank, one of the biggest banks in the U.S., and so become a phishing victim.

Apart from registering a meager score of 74.58, below the ideal score of 100, the tool also posted several warnings that indicate phishing, such as:

• The domain was registered only two days ago (at the time of writing). Any reputable banking institution has been in the business for years, and so should have a relatively old domain.
• The domain is a verified phishing site on PhishTank.

Companies that wish to protect their employees from phishing attacks can integrate Domain Reputation API into their security solutions. It can block access to sites with low reputation scores and other telltale signs of phishing.

Also, a comparison of the spoofed domain’s WHOIS registration details with those of a domain name actually owned by Chase Bank via WHOIS Search revealed huge differences:

Known phishing domain: https://chase-financial9w[.]com/home/myaccount/index[.]html

Legitimate Chase Bank domain: https://chase-financial[.]com/home/myaccount/index.html

While both domains used HTTPS ( typically a sign of website security) and were registered in the U.S., the fake site’s WHOIS record doesn’t reveal much about its owner. Banks and other reliable companies typically show their contact details. Lack of information can be an evasion tactic. Whatever the reason is, it’s clear that the two sites have different owners.

* * *

Banks and other financial institutions won’t be less targeted by phishers anytime soon. In addition to making customers aware of the various social engineering tactics that phishers employ, solutions like Domain Reputation API and WHOIS Search can help tell a real site from a fake one.