A typosquatting campaign targeting U.S. Bancorp was uncovered a few weeks ago, potentially posing a threat to the financial institution and its customers. As of this writing, four domains and their IP resolutions were identified as indicators of compromise (IoCs).
As part of a continuous effort to provide members of the security community with relevant artifacts, we sought to determine if the recent campaign is limited to targeting U.S. Bancorp or involves other financial institutions.
The key findings, which we’ll dive deeper into later on, include:
The complete list of suspicious and malicious domains identified in this post is available for download on our website.
We compiled lists of domains containing the string “bank” that were registered between 3 October and 3 November 2021. We found more than 10,000 NRDs, including:
We also found more than 10,000 recently expired domains for the same period, including:
We subjected the list of 10,000+ NRDs to a bulk WHOIS lookup and found that 180 shared the creation date of the four domains targeting U.S. Bancorp. Some of them include:
Our bulk WHOIS lookup findings, however, did not show definitive proof of connections between the original publicized IoCs and the 180 domains containing the string “bank.”
A bulk DNS lookup revealed that 140 of the 10,000 domains shared IP addresses with the U.S. Bancorp IoCs identified by IBM. Examples include:
Using Threat Intelligence Platform (TIP), a subsequent bulk malware check of the 10,000 domains showed that 299 were dubbed “dangerous” on various threat databases. Examples include:
secure-bankofamerica-ii[.]com

## Findings about the Recently Expired Domains
Subjecting the list of recently expired domains to a bulk WHOIS lookup revealed that none of them shared registrant details, which could mean they aren’t related to the threat identified by IBM. The same is true based on our bulk DNS lookup results, which showed that none of the recently expired domains shared IP hosts with the IoCs.
A bulk malware check on TIP showed that 131 of the 10,000+ recently expired domains were tagged “dangerous.” Examples include:
To check if certain status codes assigned to domains could be indicative of malicious activity, we collated domains containing the string “bank” and created or dropped between 3 October and 3 November 2021. The status breakdown of our collected domain sample was as follows:
Note that each domain can have several statuses at the same time. Bulk WHOIS and DNS lookups showed that none of the NRDs and recently expired domains had ties to the ongoing campaign. None of them shared IP addresses with the four original IoCs either.
A bulk malware check of the 2,120 domains (those carrying the four status codes, with duplicates removed), however, revealed that 79 of the NRDs and recently expired domains were dubbed “dangerous.” For more information on the various status codes assigned to domains and their meanings, visit our WHOIS Glossary.
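The three pivots used above (the string “bank” in the name, a creation date shared with the IoCs, and IP resolutions shared with the IoCs, plus the per-status breakdown) can be reproduced offline on a small constructed data set. This is an added example, not code from the original post or from WhoisXML API; the IoC domains are labelled placeholders because the post does not name the four U.S. Bancorp domains, and all addresses are RFC 5737 documentation ranges.

```python
# Added example: pivoting constructed WHOIS/DNS records the way the post does.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class DomainRecord:
    name: str
    created: str                              # WHOIS creation date, YYYY-MM-DD
    ips: set = field(default_factory=set)     # DNS A-record resolutions
    status: set = field(default_factory=set)  # EPP status codes (can be several)


# Constructed placeholder IoCs; the post does not list the real domains.
IOCS = [
    DomainRecord("ioc-placeholder-1.example", "2021-10-20", {"203.0.113.10"}),
    DomainRecord("ioc-placeholder-2.example", "2021-10-20", {"203.0.113.10", "203.0.113.11"}),
]

# Constructed sample of newly registered domains (NRDs).
NRDS = [
    DomainRecord("bank-login-example.test", "2021-10-20", {"203.0.113.10"}, {"clientTransferProhibited"}),
    DomainRecord("mybank-secure.test", "2021-10-20", {"198.51.100.5"}, {"serverHold"}),
    DomainRecord("bankportal-verify.test", "2021-10-25", {"203.0.113.11"}, {"ok"}),
    DomainRecord("bookshop.test", "2021-10-20", {"203.0.113.10"}, {"ok"}),
    DomainRecord("bank-update.test", "2021-11-01", {"192.0.2.7"}, {"pendingDelete"}),
]


def with_keyword(records, keyword="bank"):
    """Keep only domains whose name contains the keyword (case-insensitive)."""
    return [r for r in records if keyword in r.name.lower()]


def shared_creation_date(records, iocs):
    """Domains registered on the same day as any IoC (a weak link on its own)."""
    dates = {i.created for i in iocs}
    return sorted(r.name for r in records if r.created in dates)


def shared_ip_hosts(records, iocs):
    """Domains resolving to at least one IP also used by an IoC (a stronger link)."""
    ioc_ips = set().union(*(i.ips for i in iocs))
    return sorted(r.name for r in records if r.ips & ioc_ips)


def status_breakdown(records):
    """Count status codes; totals can exceed len(records) since statuses overlap."""
    return Counter(s for r in records for s in r.status)


if __name__ == "__main__":
    bank = with_keyword(NRDS)
    print("creation-date pivot:", shared_creation_date(bank, IOCS))
    print("shared-IP pivot:", shared_ip_hosts(bank, IOCS))
    print("status breakdown:", dict(status_breakdown(bank)))
```

Note that a shared creation date alone produces false positives (many unrelated domains are registered on any given day), which is why the post treats the WHOIS pivot as inconclusive and weights the shared-IP pivot more heavily.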
Based on the analysis conducted in this post, the use of look-alike domains appears to remain a common way to impersonate banks, as in the case of U.S. Bancorp, and the banking industry as a whole.
Are you interested in doing similar investigations? Do not hesitate to contact us to explore potential research collaborations.