This story began with an innocuous-looking domain encountered by one of StrongestLayer’s analysts during routine threat hunting focused on zero-day phishing attacks. The domain appeared entirely clean and hosted no malicious code. It was associated with a brand named “Swift Nexus Bank” (swiftnexusbank[.]com). Despite its harmless appearance, several red flags warranted a closer look. We examined the registrant’s history and found a number of other recently registered domains under the same name. Astonishingly, these carried multiple other brands, many of them using identical website templates and identical contact information (for example Ace Guaranty Bank, aceguarantybnk[.]com).
These banks do not exist, either as real institutions or at any physical location, and all of the contact and location links on these websites are loopback URLs that redirect back to the same page. Another significant red flag is that the contact information on all of these websites, registered by the same registrant, is exactly identical to that of many other dubious websites that surfaced from a simple web search on one of the phone numbers. One example is shown below:
Based on these findings, our team began systematically cataloguing these websites: their phone numbers, page templates, registrant information and other heuristics useful for identifying similar threats online. This effort led to the identification of several clusters of websites sharing the same phone numbers and exactly identical templates. We then determined their registrant information from our threat-intelligence database of newly registered domains. What started with a single domain culminated in the detection of over 3 million domains worldwide, each with its own legitimate-looking fake brand, some impersonating major brands, such as Amazon Express Global (amazonexpressglobal[.]com, registered on 7 June 2024), with the majority registered within the last few months. One thing that stood out during the analysis was that the domains themselves, along with most of their webpage content (both text and images), appeared to be AI-generated.
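The pivoting described above (joining sites that share a phone number, a page template or a registrant, and flagging contact links that only loop back to the page they sit on) can be expressed as a small clustering routine. The code below is an added illustration written for this article, not StrongestLayer’s tooling. The only names taken from the report are swiftnexusbank.com and aceguarantybnk.com; every phone number, registrant handle, template hash, URL and HTML snippet is constructed for the demo, and the template hash is assumed to be whatever fingerprint of the page skeleton the cataloguing step produced.

```python
"""Cluster lookalike fake-brand domains on shared indicators and flag
contact links that resolve back to the same page.

Added example for this article; not StrongestLayer's code. All phone
numbers, registrant handles, template hashes and HTML below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin


@dataclass(frozen=True)
class SiteRecord:
    domain: str
    phone: str           # as scraped from the site's contact section
    template_hash: str   # assumed fingerprint of the page skeleton (constructed here)
    registrant: str      # registrant handle from a newly-registered-domain feed


def normalize_phone(raw: str) -> str:
    """Digits only, so '+1 (555) 010-0199' and '1-555-010-0199' pivot to one key."""
    return re.sub(r"\D", "", raw)


def cluster_by_shared_indicators(records):
    """Union-find over domains: two domains land in one cluster when they share
    any single indicator (normalized phone, template hash, registrant).
    Returns clusters as sorted lists, largest cluster first."""
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    pivots = defaultdict(list)
    for r in records:
        for key in (("phone", normalize_phone(r.phone)),
                    ("template", r.template_hash),
                    ("registrant", r.registrant.lower())):
            if key[1]:                      # an empty indicator never links sites
                pivots[key].append(r.domain)
    for domains in pivots.values():
        root = find(domains[0])
        for d in domains[1:]:
            rd = find(d)
            if rd != root:
                parent[rd] = root

    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


class _Links(HTMLParser):
    """Collect (anchor text, href) pairs from a page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip().lower(), self._href))
            self._href = None


CONTACT_WORDS = ("contact", "location", "branch", "about")


def contact_links_are_loopbacks(page_url: str, html: str) -> bool:
    """True when every contact/location-style link resolves back to the page
    it sits on (including bare '#'). False if any such link goes elsewhere,
    and False when there is no contact-style link at all, so an empty page
    is not flagged."""
    p = _Links()
    p.feed(html)
    here = urldefrag(page_url)[0].rstrip("/")
    seen = False
    for text, href in p.links:
        if not any(w in text for w in CONTACT_WORDS):
            continue
        seen = True
        if urldefrag(urljoin(page_url, href))[0].rstrip("/") != here:
            return False
    return seen


# Constructed sample data: only the first two domain names appear in the report.
SAMPLE_RECORDS = [
    SiteRecord("swiftnexusbank.com", "+1 (555) 010-0199", "tmpl-a1", "reg-alpha"),
    SiteRecord("aceguarantybnk.com", "1-555-010-0199", "tmpl-a1", "reg-alpha"),
    SiteRecord("third-fake-bank.example", "+1 555 010 0142", "tmpl-b7", "reg-alpha"),  # joins via registrant only
    SiteRecord("unrelated-shop.example", "+1 555 010 0377", "tmpl-c3", "reg-beta"),
]
PAGE_URL = "https://fakebank.example/index.html"   # constructed
LOOPBACK_PAGE = """<html><body>
<a href="#">Contact Us</a>
<a href="index.html#locations">Our Locations</a>
<a href="https://fakebank.example/index.html">About</a>
<a href="https://example.org/privacy">Privacy</a>
</body></html>"""
REAL_CONTACT_PAGE = '<html><body><a href="/contact">Contact Us</a></body></html>'

if __name__ == "__main__":
    for cluster in cluster_by_shared_indicators(SAMPLE_RECORDS):
        print(len(cluster), cluster)
    print("loopback contact links:", contact_links_are_loopbacks(PAGE_URL, LOOPBACK_PAGE))
```

Both checks are deliberately cheap: the clustering is linear in the number of indicator values, so it scales to a large newly-registered-domain feed, and the loopback test needs nothing more than the fetched HTML. Neither is proof of fraud on its own; the point, as in the investigation above, is that a site which trips both and shares its pivots with sites of unrelated "brands" deserves a closer look.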
Moreover, StrongestLayer analysts identified numerous high-activity social media profiles across multiple platforms, including LinkedIn, actively promoting these phishing sites and attempting to lure individuals into the scams. These profiles appeared legitimate, engaging in positive and friendly interactions with their followers to build credibility while simultaneously promoting the fraudulent schemes.
The key takeaway from this story is that successful phishing attacks do not always require the attacker to mimic a known brand. Often it is more effective to create a fictitious brand and entice victims through convincing online posts, social media activity, or simple email campaigns whose messages resonate with the target audience.
Given the above scenario, it is imperative that your organization and its personnel are fully equipped to identify deceptive websites, understand the critical indicators to look for, and recognize the importance of avoiding interactions with unfamiliar brands. StrongestLayer’s CyberGuard can make all the difference in the world in this regard.
At the time of publication, these websites are not detected by any security vendor other than StrongestLayer. A small sample set of the domains uncovered during this operation is given below. Anyone interested in further details or additional samples can contact StrongestLayer for more information.
Safwan Khan & Haris Kamal
StrongestLayer Threat Intelligence