[SCAM ALERT 054] – Fifth Third Bank

undefined

Fifth Third is one of the largest consumer banks in the Midwestern United States, Fifth Third Bank is incorporated in Ohio.

During our PreCrime internet scout of October 12th 2022 we identified suspicious markers across multiple vectors.

The Attack

Target:

Fifth Third Bank customers

Possible threats:

  • Phishing campaign – luring customers to the site by sending them a message impersonating Fifth Third Bank with a link to the malicious domain.
  • Credential harvesting and financial gain – After luring users to the site, they are asked to login to their Fifth Third Bank account, allowing threat actors to gain access to their account and steal their credentials and money.
  • Malware – by infecting a victims devices with malicious software by using a websites infected by exploit kits.

Technical Breakdown

Threat Indicators

  • Malicious domain impersonating Fifth Third Bank
  • DNS records of malicious domain completely different to Fifth Third Bank
  • Newly registered site – October 11 2022
  • SSL certificate expires after three months
  • MX record indicates domain may be part of a phishing campaign
  • IP address with a lot of malicious activity.

Detection and Threat Analysis

The malicious domain, 53rdinfosec.duckdns[.]org has been targeting Fifth Third Bank (53[.]com), an American bank holding company and one of the largest consumer banks in the Midwestern United States headquartered in Cincinnati, Ohio. The malicious domain was created October 11, 2022 and detected by bfore.ai October 12, 2022.

  • The website content completely duplicates the original website login page. However, on the legitimate domain users are also able to login on the main page in a small pop out window. Additionally, all outgoing links on the malicious domain redirect the user back to the first page, allowing the user to do nothing but ‘login’ to their account. This indicates that the main goal of this threat is to steal user account details.
  • The DNS records are completely different to the DNS records of the legitimate website. The main point of interest is that the legitimate domain is registered under the company name, whereas the malicious one does not provide details of this. Legitimate domains will always publicly show the registrar organisation for validity. See the details below.
  • The domain has registered MX records, giving the threat actors the ability to accept and send email messages on behalf of the domain names. It indicates that the threat actors may be setting up the domain to be part of a phishing campaign that leads to the malicious domains.
  • The registered SSL certificate expires after three months indicating malicious intent.
  • The IP address has been blacklisted by SPFBL and has many domains resolving to the IP address that are marked as malicious with many recent malicious .EXE communicating files.

DNS Records

Subdomains

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.