We’ve proven time and again that the effects of current events always extend to the DNS. Just last month, two big banks—the Silicon Valley Bank (SVB) and Credit Suisse—collapsed. Financial experts said more banks may be bound to follow.

WhoisXML API sought to discover how the closure of the two banks and similar recent events are reflected in the DNS. We specifically looked into the cases of SVB, Credit Suisse, Silvergate Capital Corp., Signature Bank, and the First Republic Bank. All of these institutions faced great turmoil just days in-between in March of this year. Our foray into the DNS revealed:

• 1,220 domains containing the strings siliconvalleybank, creditsuisse, silvergatecapital, signaturebank, and firstrepublicbank, 20 of which turned out to be malicious
• 3,902 subdomains containing the strings siliconvalleybank, creditsuisse, silvergatecapital, signaturebank, and firstrepublicbank, three of which turned out to be malware hosts
• 31 domains and one subdomain containing the string bankcollapse
• 278 domains and 420 subdomains containing the string bankalert, 21 and 12 of which, respectively, turned out to be malicious
• 124 domains and 197 subdomains containing the string bankupdate, eight and 23 of which, respectively, turned out to be malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Gauging the Effects of Bank Collapses on the DNS

SVB and Credit Suisse weren’t the first U.S. banks to collapse in March. Silvergate Capital closed shop on 8 March due to the crypto industry downturn. At that time, SVB investors had already begun selling their shares as depositors withdrew their money. Signature Bank followed suit on 12 March when its investors pulled out. Flagstar Bank and New York Community Bancorp, however, bought Signature Bank’s shares. On 19 March, Credit Suisse closed shop after a botched-up deal with UBS Group AG. While First Republic Bank hasn’t shut down per se, it has been affected by large customer withdrawals.

Phishers and other fraudsters are bound to take advantage of each bank’s peculiar situation. That said, we sought to discover if their names have figured in malicious campaigns.

Domains & Subdomains Discovery searches for each of the bank’s names led to the discovery of 1,220 domains and 3,902 subdomains. The table and chart below show the search strings we used and the domain and subdomain volume breakdown.

A bulk WHOIS lookup for the domains containing the banks’ names showed that:

• SVB only owned 21 of the 117 domains that contained its name since they shared svb[.]com’s registrant email address.
• Credit Suisse could only be publicly attributed to 51 of the 816 domains that contained its name based on the registrant organization indicated in their WHOIS records.
• Signature Bank only owned 15 of the 124 domains that contained its name since they shared signatureny[.]com’s registrant email address.

We couldn’t determine how many of the domains containing the names of Silvergate Capital and First Republic Bank were actually owned by the institutions since their WHOIS records were privacy-protected.

Bulk malware checks for the web properties revealed that 23 of them—20 domains and three subdomains to be exact—have already been classified as malicious.

We also looked at the possibility that cybercriminals might jump on the chance to weaponize web properties that contained the string bankcollapse should a financial crisis indeed ensue. So far, we’ve only found 31 domains, a majority of which were registered just this year, and one subdomain.

Unsurprisingly, some of them contained siliconvalleybank or svb, which already closed shop. On the other end of the spectrum, some contained the string deutschebank, which remains in operation and hasn’t shown any sign of collapsing whatsoever.

Apart from fake bank collapse news that could be hosted on the 31 domains we found, other dangerous sites containing dire warnings of impending bank closures could litter the Web in the future. Threat actors could thus take advantage of domains containing the strings bankalert and bankupdate.

We found 278 bankalert- and 124 bankupdate-containing domains to date. Of these, 21 and eight, respectively, turned out to be malicious.

We also uncovered 420 bankalert- and 197 bankupdate-containing subdomains, 12 and 23, respectively, of which have been dubbed malware hosts. The names of Chase Bank, Citibank, and Scotiabank also appeared in some of them.

The recent bank collapses have translated into measurable domain activity, as evidenced by the recent additions of domains containing bankcollapse. We’re bound to see more such web properties crop up as updates continue to unfold and some of them could bring harm to visitors if not closely monitored and classified.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.