[SCAM ALERT 068] – VDK

SCAM ALERT (14)

VDK bank is a Belgian ethical bank, of which the direct predecessor was founded in the bosom of the active workers’ movement.

During our PreCrime internet scout of November 24th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting customers of VDK.

The Attack

Legitimate site :
vdk[.]be

Malicious domain :
vdks-spaarbank[.]com

This attack shows a brand impersonation attack on the Belgian commercial bank, VDK.

Malicious site

[screenshot of the malicious site]

Legitimate site

[screenshot of the legitimate site]

How does this attack work ?

  • Users may be led to the malicious website through a phishing campaign delivered from the email address [email protected], in which they are asked to go to the website and log in to their account. The threat actors will likely present this as an urgent matter, a common tactic that pressures victims into complying. Because the layout, colouring and logos differ markedly from the legitimate site, the threat actors may be trying to convince victims that this is a new website for the bank, or to persuade customers of other banks to switch to theirs.

  • When opening the malicious domain, users land on the home page shown in the images below. The website encourages visitors to switch from their current bank by offering new subscribers a free credit card along with 80 euros. Users are also encouraged to download the app; however, the links that should redirect users to the app do not work.

Home page :

[four screenshots of the home page]

When clicking on register an account, users are asked to fill in personal information including name, date of birth, phone number, country of origin, current city, home address, zip code, email address, password and name of current bank. See further details in the images below.

[three screenshots of the registration form]

When clicking on log in to account, a pop-up window appears that again encourages users to download the app. However, there is no link to redirect users to the app.

[screenshot of the log-in pop-up]

How do they trick users into believing the attack is real ?

  • The site provides contact details including a phone number and email address, which generally lends an extra layer of validity. However, the phone number is German (+49), which is suspicious considering that the legitimate bank is located solely in Belgium and the phone number in its own contact details is very different.

Why is this a threat ?

If successful, this attack would give threat actors access to sensitive personal information about the individual or corporate user, allowing them to take control of the victim's bank account and steal their money. Corporations using VDK would also be at risk of their internal network being compromised if the credentials used at VDK are the same as those used for work.

Domain brand impersonation does not just lead to theft of sensitive personal information; depending on the target and the end goal of the threat actor, it can also result in malware infection for both private consumers and global corporations. This occurs when stolen credentials are sold on the dark web, giving other threat actors the ability to conduct further attacks against the user(s), such as ransomware attacks. Such attacks could have serious consequences for the company, including high monetary costs, disrupted business operations, exposure of confidential data and reputational damage.

  • A cyber incident at VDK could ultimately result in the loss of around 264 thousand EUR.

  • Companies connected to VDK could run the risk of a data breach which, as of 2022, could result in the loss of around 4,17 million EUR.

  • If individual consumers were to fall victim to this attempt to obtain their personal information over the internet, they could lose between 2 and 3 thousand EUR.

Identification and threat analysis
Technical Report

The technical report below highlights the differences in registration and DNS records between the malicious domain and the legitimate domain.

Domain               vdks-spaarbank[.]com (malicious)            vdk[.]be (legitimate)
Registrar            IONOS SE                                    Telenet BV
Registrant country   France                                      Belgium
Domain age           5 days old                                  9,583 days old
Certificate          Issued by: DigiCert Inc.                    Issued by: GlobalSign nv-sa
                     Issued to: vdks-spaarbank[.]com             Issued to: vdk bank NV
                     Domain validated                            Organisation validated
                     20-11-2022 → 20-11-2023                     18-09-2022 → 20-10-2023
                     Valid for 1 year                            Valid for over 1 year
Name servers         ns1111.ui-dns.com                           ns1.cloud.telenet.be
                     ns1104.ui-dns.org                           ns2.cloud.telenet.be
                     ns1060.ui-dns.biz                           ns3.cloud.telenet.be
                     ns1025.ui-dns.de
MX record            mx00.ionos.fr                               d311655.a.ess.de.barracudanetworks.com
                     mx01.ionos.fr                               d311655.b.ess.de.barracudanetworks.com
Last seen active     24 November                                 24 November
IP address           217.160.0.108                               35.195.203.124
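The mismatches recorded in the technical report (registration age and country, certificate validation level, hosting and mail providers) and the foreign contact phone number noted earlier can be combined into a simple scoring rule for triage. The Python script below is an added example, not code from Bfore.Ai or from this report: it encodes the two columns of the table as records constructed from the page, counts the indicators on which the candidate domain diverges from the bank's own footprint, and returns a verdict. The thresholds (30 days, three findings), the +32 phone-prefix check and the placeholder phone number are assumptions; the page only states that the number shown is German.

```python
"""Flag an impersonation domain from its registration and DNS footprint.

Added example, not code from Bfore.Ai or from the report. The two records
below are constructed from the technical report's table; the thresholds
(young_days, the +32 prefix check, the three-finding verdict) are assumptions.
"""
from dataclasses import dataclass


@dataclass
class DomainRecord:
    domain: str                 # defanged as on the page, e.g. "vdk[.]be"
    registrar: str
    registrant_country: str
    age_days: int
    cert_validation: str        # "DV", "OV" or "EV"
    name_servers: list
    mx: list
    contact_phone: str = ""     # as displayed on the site; "" when unknown


# The bank's own record, taken from the table above.
LEGIT = DomainRecord(
    domain="vdk[.]be", registrar="Telenet BV", registrant_country="Belgium",
    age_days=9583, cert_validation="OV",
    name_servers=["ns1.cloud.telenet.be", "ns2.cloud.telenet.be", "ns3.cloud.telenet.be"],
    mx=["d311655.a.ess.de.barracudanetworks.com", "d311655.b.ess.de.barracudanetworks.com"],
)

# The impersonation record. The phone number is a constructed placeholder:
# the page only says the number shown on the site is German (+49).
MALICIOUS = DomainRecord(
    domain="vdks-spaarbank[.]com", registrar="IONOS SE", registrant_country="France",
    age_days=5, cert_validation="DV",
    name_servers=["ns1111.ui-dns.com", "ns1104.ui-dns.org", "ns1060.ui-dns.biz", "ns1025.ui-dns.de"],
    mx=["mx00.ionos.fr", "mx01.ionos.fr"],
    contact_phone="+49 000 0000000",
)


def registrable_label(domain: str) -> str:
    """'vdks-spaarbank[.]com' -> 'vdks-spaarbank' (refangs the '[.]' first)."""
    return domain.replace("[.]", ".").lower().split(".")[-2]


def provider_of(hostname: str) -> str:
    """Crude provider fingerprint: the last two labels of a hostname."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def score(candidate: DomainRecord, brand: DomainRecord,
          brand_tokens=("vdk",), home_country="Belgium",
          home_phone_prefix="+32", young_days=30) -> list:
    """Return the indicators on which candidate diverges from the brand's footprint."""
    findings = []
    label = registrable_label(candidate.domain)
    if candidate.domain != brand.domain and any(t in label for t in brand_tokens):
        findings.append("brand token in a domain the brand does not own")
    if candidate.age_days < young_days:
        findings.append(f"domain registered only {candidate.age_days} days ago")
    if candidate.registrant_country != home_country:
        findings.append(f"registrant country {candidate.registrant_country}, bank is in {home_country}")
    if candidate.cert_validation == "DV" and brand.cert_validation in ("OV", "EV"):
        findings.append("domain-validated certificate where the brand uses organisation validation")
    if {provider_of(h) for h in candidate.name_servers}.isdisjoint(provider_of(h) for h in brand.name_servers):
        findings.append("name servers on a different provider")
    if {provider_of(h) for h in candidate.mx}.isdisjoint(provider_of(h) for h in brand.mx):
        findings.append("mail exchangers on a different provider")
    if candidate.contact_phone and not candidate.contact_phone.startswith(home_phone_prefix):
        findings.append(f"contact phone does not use the {home_phone_prefix} prefix")
    return findings


def verdict(candidate: DomainRecord, brand: DomainRecord, min_findings=3) -> str:
    """Several independent mismatches together justify an impersonation call."""
    return "likely impersonation" if len(score(candidate, brand)) >= min_findings else "inconclusive"


if __name__ == "__main__":
    for finding in score(MALICIOUS, LEGIT):
        print("-", finding)
    print(verdict(MALICIOUS, LEGIT))
```

Run against the two records, the malicious domain trips all seven indicators while the bank's own record trips none. A single indicator (a different registrar, say) is weak evidence on its own, which is why the verdict requires several of them together.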


How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With only a 0.05% false positive rate, you stop wasting time chasing false alerts. With our PreCrime and PreEmpt technologies, we measure how far ahead of an attack's start we act, faster than the attackers.

Accepting that the only defense is good detection means accepting that you will always be a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • If in doubt whether an email is legitimate, never click on any links. Go to the legitimate website’s domain instead via a search engine.

  • Always double check the domain name to make sure it is the legitimate one.

  • Never use the same credentials for work and personal accounts.

  • Use different passwords for online banking and shopping sites, for example, so if one of your accounts becomes compromised your other accounts will remain safe.

  • Use multi-factor authentication (MFA) wherever possible to keep your accounts safe even if the credentials are compromised.

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.