To fight phishing, some banks are abandoning .com for .bank

A recent look inside a cybercrime operation highlights the difficulties banks face in preventing criminals from imitating their websites and a strategy banks can employ to address these problems.

Security researchers at the cybersecurity consulting firm Hold Security caught a cybercrime group that calls itself Disneyland Team using a number of techniques to make its fraudulent websites look more like those of the banks it has been imitating, including Chase, KeyBank and PNC Bank.

The cybersecurity journalist Brian Krebs first reported the story and published screenshots showing Disneyland Team's internal web interface, which the group used to see the credentials it had stolen and control the fake webpages customers were viewing during the attacks.

One of the many tactics Disneyland Team used to spoof big banks' web presences was Punycode, the encoding standard that lets domain names containing non-ASCII characters, such as those written in languages other than English, be represented in the ASCII-only character set the domain name system accepts.

Bad actors can exploit Punycode to spoof domains in a more convincing manner. For example, some browsers render аррӏе.com so that it looks like apple.com. The first address (which is safe to click) uses Cyrillic characters (used in Slavic languages like Russian), while the second uses Latin characters (used in English and the Romance languages).

According to Alex Holden, the founder of Hold Security, "it's a very common occurrence" that threat actors use Punycode to make their fake domain names look more like the real thing. Compounding this challenge is how easy it is to purchase domain names.

Anybody can register public domains (such as those that end with .com and .net) in seconds, and usually for no more than $20 per year. While registrants must provide contact information, registrars must verify only a phone number or email address, making them easy to fool.

By contrast, other domains require a greater level of verification. For example, only U.S. government entities may obtain a .gov domain name. While it used to be concerningly easy to lie on an application for a .gov domain, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) now oversees the domain, which has likely made it "significantly harder, if not impossible" for bad actors to obtain such a domain, according to Andrew Schiff, the senior director for engagement at fTLD Registry Services, a company that oversees domain name issuance.

Domains that end with .edu work under a similar system. The Department of Commerce only allows institutions accredited with the Department of Education to obtain such domains, but this system has its own shortcomings.

These processes help promote trust in the authenticity of websites that end with .gov or .edu, and one company is looking to do the same with .bank domains.

Schiff says that credential harvesting websites like those run by Disneyland Team are easy to host under public domain names that look similar to banks' actual domains, for instance those ending in .com or .net. For example, Disneyland Team registered the domain ạmeriprisẹ[.]com to spoof the website for financial planning firm Ameriprise. This attack would not be possible using a URL ending in .bank, he said, because hackers like the Disneyland Team cannot obtain .bank accounts.

The small dots under the a and the last e in that address could easily be confused for a speck of dust, but Punycode also enables even more convincing spoofs. Some browsers decode these web addresses and render the Unicode characters the Punycode specification describes. Others, like Chrome and Safari, display the encoded ASCII form by default, so ạmeriprisẹ[.]com would instead appear as xn--meripris-mx0doj[.]com.
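To make the browser behaviour concrete, the following is an added example in Python; it is not code from the article, Hold Security or fTLD. It converts a displayed domain to the Punycode A-label that Chrome and Safari fall back to, reverses that conversion, and then applies a simple defender-side lookalike check of the kind a mail gateway or URL filter might run: strip combining marks (the dots under a and e), fold a small set of Cyrillic letters to the Latin letters they resemble, and compare the result against a watchlist. The watchlist, the confusable table and the mixed-script sample are constructed for illustration only, and the Cyrillic apple spoof is assumed to use the palochka (U+04CF) in place of the l.

```python
import unicodedata

# Constructed watchlist: the two brands named in the article. A real deployment
# would load the organisation's own domains and known lookalike targets.
WATCHLIST = {"ameriprise.com", "apple.com"}

# Hand-built subset of Cyrillic letters that render like Latin ones.
# Illustrative assumption, not the full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l",
})


def to_ascii(domain: str) -> str:
    """A-label form (RFC 3492 Punycode with the xn-- prefix) of a domain,
    i.e. what the address bar shows when it declines to render Unicode."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(domain: str) -> str:
    """Reverse of to_ascii: decode every xn-- label back to Unicode."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) of a label's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Collapse a domain to the ASCII string a human is likely to read:
    decompose, drop combining marks, then fold confusable Cyrillic letters."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain))
    stripped = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return stripped.translate(CONFUSABLES)


def check_domain(domain: str) -> dict:
    """Classify a domain as seen in a URL or mail header (Unicode or A-label form)."""
    uni = to_unicode(domain)
    ascii_form = to_ascii(uni)
    skel = skeleton(domain)
    per_label = [scripts(label) for label in uni.split(".")]
    # A watchlist hit only counts when the real spelling differs from the skeleton.
    lookalike = skel in WATCHLIST and skel != ascii_form
    return {
        "unicode": uni,
        "ascii": ascii_form,
        "skeleton": skel,
        "scripts": per_label,
        "non_ascii": uni != ascii_form,
        "mixed_script": any(len(s) > 1 for s in per_label),
        "lookalike_of": skel if lookalike else None,
    }


if __name__ == "__main__":
    # Constructed samples: the two spoofs named in the article (written with
    # escapes so the exact code points are unambiguous), the A-label form the
    # browser shows, a mixed-script variant, and the legitimate domain.
    samples = (
        "\u1ea1meripris\u1eb9.com",          # ạmeriprisẹ.com: Latin a/e with dot below
        "xn--meripris-mx0doj.com",           # the same domain as Chrome/Safari display it
        "\u0430\u0440\u0440\u04cf\u0435.com",  # аррӏе.com: all Cyrillic, palochka as l
        "amer\u0456prise.com",               # Latin label with one Cyrillic і (constructed)
        "ameriprise.com",
    )
    for d in samples:
        r = check_domain(d)
        print(f"{d:28} ascii={r['ascii']:28} mixed={r['mixed_script']!s:5} "
              f"lookalike_of={r['lookalike_of']}")
```

The skeleton step is deliberately crude: it catches the two tricks the article describes (diacritics that read as dust and whole-script substitution) but a production filter would use the full Unicode confusables data and the registrar's own IDN tables. The A-label round trip is the part worth remembering when reading logs, since the xn-- string, not the rendered Unicode, is what appears in DNS queries, certificate subjects and proxy records.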

There is an alternative, according to Schiff: Allow banks (and only banks) to register domains that end with .bank. Just as the Department of Commerce ensures that only accredited educational institutions get .edu domains and CISA ensures only U.S. government entities get .gov domains, fTLD has final control over who gets a .bank domain and ensures that only banks can do so.

The Internet Corporation for Assigned Names and Numbers (ICANN), which coordinates and maintains certain internet systems including the domain name system, granted fTLD final control over the .bank domain in 2015. Since then, fTLD has refined the requirements that banks must meet to register and own a .bank domain name.

This solves many of the problems that Punycode and other domain spoofing tactics present, according to Schiff.

"Hackers will continue to register public domains to send phishing emails and to create credential harvesting sites as long as those tactics work," Schiff said. "But, they will never be able to register a .bank domain (lookalike or otherwise) for use in these attacks, nor can they use a bank's real .bank domain against them as our banks must have email authentication in place."

So far, more than 2,200 institutions have registered .bank domains, and more than 745 actively use one. According to Holden, these domains make it easier for consumers to identify and understand when they are on a legitimate banking website, but only with greater adoption can the .bank idea start to stick the way .gov and .edu have.

"These things fail because of a lack of wide acceptance," Holden said. "A vast majority of customers will have trouble adjusting to this. That is the No. 1 issue."

Still, he said, the .bank domain idea is a "novel" one and for many banks a more attractive alternative to trying to register and keep track of every domain that a customer could mistake for the real thing. Plus, it's a solution endorsed by the American Bankers Association, according to Paul Benda, senior vice president of operational risk and cybersecurity for the trade group.

"We are strong supporters of .bank because we believe it can strengthen a bank's cybersecurity and help protect customers," Benda said. "Many banks have already reserved a .bank domain and are considering the right moment to transition from .com to .bank. We think more will make the change moving forward."

MORE FROM AMERICAN BANKER