Hundreds of fake website domains are being used by hackers to mimic some of the most popular banking services in the UK in an attempt to trick victims into handing over personal details and sensitive login credentials, a cybersecurity firm said this week (2 May).
DomainTools, a US company that monitors trends on the internet by analysing IP addresses and Whois records, warned that a quick four-day peek into global web traffic showed a number of top high street UK banks were being targeted in the scheme.
From 27-31 March, researchers monitored financial firms and a selection of US-based retailers and uncovered 324 separate websites posing as services including Barclays, HSBC and Lloyds.
DomainTools found 110 fake HSBC websites, 22 for Lloyds, 74 for Barclays and 66 posing as NatWest.
Web addresses included natwesti[.]com, lloydstbs[.]com and barclaysbank-plc[.]co.uk, standardchartered-bank[.]com and hsbcgrp[.]com.
Upon analysis, the domains were "closely connected" to websites already blacklisted for spam, malware and phishing. For most consumers, this means mainstream web browsers will likely block these automatically.
The hackers are using a tactic known as "cybersquatting", DomainTools said in a blog post. This is when website domains are cheaply purchased and then designed to include brand names, trademarked logos and only slight variations of the proper internet URLs.
No banks were legitimately compromised in the attacks.
The technique is traditionally deployed by cybercriminals to help conduct widespread phishing campaigns to scoop up users' login details and passwords.
However, by redirecting a web user to a fraudulent website it can also be used in pay-per-click ad scams or even drive-by ransomware attacks, the firm warned.
In the retail realm, the DomainTools research team uncovered web addresses impersonating a variety of top US-based retailers including Amazon, Apple, Best Buy, Nike and Walmart. Fake domains included auth-apple-id[.]com and amazonhome[.]club.
"Imitation has long been thought to be the sincerest form of flattery, but not when it comes to domains," said Kyle Wilhoit, senior security researcher at DomainTools.
He continued: "While domain squatters of the past were mostly trying to profit from the domain itself, these days they're often sophisticated cybercriminals using the spoofed domain names for more malicious endeavours.
"Many simply add a letter to a brand name while others will add an entire word such as 'login' to either side of a brand name. Users should remember to carefully inspect every domain they are clicking on or entering in their browser. Also, ensure you are watching redirects.
"Brands can and should start monitoring for fraudulent domain name registrations and defensively register their own typo variants. It is better to lock down typo domains than to leave them available to someone else. This is a relatively cheap insurance policy."
This is a technique famously used by US president Donald Trump, who regularly purchases website domains which are either critical of him or may be needed in the future. In the 18 months leading up to his January 2017 inauguration he bought a selection of 500 new website addresses.
These included DonaldTrumpSucks.com, TrumpIsFired.com and TrumpScam.org.
Top tips for consumers to avoid falling victim to spoofed websites:
• Check for extra added letters in the domain, such as Yahooo[.]com
• Check for dashes in the domain name, such as Domain-tools[.]com
• Look out for ''rn'' disguised as an ''m'', such as modem.com versus modern.com
• Check for reversed letters, such as Domiantools[.]com
• A plural or singular form of the domain, such as Domaintool[.]com