A financial cybercrime group calling itself the The Disneyland team has widely used visually confusing phishing domains that impersonate popular banking brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.
The Disneyland team’s web interface, which allows them to interact with malware victims in real time to phish their login credentials using fake banking websites.
The Disneyland team uses common misspellings for major banking brands in its areas. For example, one domain the gang has been using since March 2022 is ushank[.]com – which was created to phish US Bank customers.
But this group also usually uses Punycode to make their fake banking domains more legitimate. The American financial services company Ameriprise uses the domain ameriprise.com; the Disneyland team domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain]which is displayed in the browser’s URL bar as ạmeriprisẹ[.]com.
Look closely and you will notice small dots under the “a” and the second “e”. You could be forgiven if you mistook one or both of these dots for dust on your computer screen or mobile device.
This candid view of the Disneyland team comes from Alex Holden, founder of Milwaukee-based cybersecurity consulting firm Hold Security. Holden analysts gained access to a web-based control panel that the criminal group uses to track victim credentials (see screenshot above). The panel reveals that the gang operated dozens of Punycode-based phishing domains for most of 2022.
Take a look at the Punycode in this Disneyland team phishing domain: https://login2.xn--mirtesnbd-276drj[.]com, which appears in the browser’s URL bar as login2.ẹmirạtesnbd[.]com, a domain targeting users of Emirates NBD Bank to Dubai.
Here is another domain registered this year by the Disneyland team: https://xn--clientchwb-zxd5678f[.]com, which spoofs the financial advisor login page Charles Schwab with cliẹntșchwab landing page[.]com. Again, note the dots under the letters “e” and “s”. Another of their Punycode domains send potential victims to cliẹrtschwạb[.]com, which combines a trademark misspelling with Punycode.
We see the same dynamic with the Disneyland Team Punycode domain https://singlepoint.xn--bamk-pxb5435b[.]com, which translates to singlepoint.ụșbamk[.]com – again phishing US Bank customers.
What is happening here? Holden says the Disneyland team is Russian-speaking — if not also based in Russia — but it’s not a phishing gang per se. Instead, this group uses fake banking domains in conjunction with malware that is already secretly installed on a victim’s computer.
Holden said Team Disneyland domains were created to help the group steal money from victims infected with a powerful strain of Microsoft Windows-based banking malware known as Gozi 2.0/Ursnif. Gozi specializes in credential harvesting and is primarily used for client-side online banking attacks to facilitate fraudulent bank transfers. Gozi also allows attackers to log into a bank’s website using the victim’s computer.
In years past, scammers like these used “web injectionsto manipulate what Gozi victims see in their web browsers when they visit their bank’s site. These web injections allowed the malware to rewrite the bank’s HTML code on the fly and copy and/or intercept any data users would enter into a web form, such as a username and password. .
However, most web browser manufacturers have spent years adding security protections to block these nefarious activities. As a result, the Disneyland team simply tries to make their domains look as realistic as possible and then steer victims towards interacting with these impostor sites.
“The reason why it is impossible for them to use in-browser injections includes browser and operating system safeguards, and difficulties in handling dynamic pages for banks that require multi-factor authentication,” said Holden said.
In reality, the bank’s fake website overlaid by the Disneyland team malware relays the victim’s browser activity through the real bank’s website, while allowing attackers to forward all login requests bank secondary, such as secret questions or multi-factor authentication challenges.
The Disneyland team included instructions for their users, noting that when the victim enters their login credentials, they see a 10 second spinning wheel and then the message “Waiting for back office approval for your request.” Please do not close this window.
A fake PNC website overlay or “web inject” displaying a message intended to temporarily block the user from accessing their account.
The “SKIP” button in the screenshot above takes the user to the real bank login page, “in case the account isn’t of interest to us,” the manual explains. “Also, this redirect works if none of our operators are working at the time.”
The “TAKE” button in the Disneyland Team Control Panel allows users or affiliates to claim ownership of a specific infected machine or bot, which then prevents other users from interacting with that victim .
In case the connection of the victim (bot) to the control panel of the Disneyland team takes a long time, or if it is necessary to delay a transaction, users can press a button which brings up the message next on the victim’s screen. filter:
“Your Case ID is 875472. An Online Banking Support representative will contact you shortly. Please provide your Case ID and DO NOT close this page.”
The Disneyland user manual explains that the panel can be used to force the victim to log in again if they pass invalid credentials. It also has other options to block victims while their accounts run out. Another fake prompt the panel can produce shows the victim a message saying, “We are currently working on updating our security system. You should be able to log in once the countdown has expired.
The user manual states that this option prevents the user from accessing their account for two hours. “It is possible to block for an hour with this button, in this case they are less frustrated, in the hours that follow the ddos will kill their network.”
Cybercrime groups sometimes launch distributed denial-of-service (DDoS) attacks on the servers of companies they’re trying to steal – which is usually meant to distract victims from their theft, although Holden said he doesn’t It’s not clear if the Disneyland team uses this. tactics too.
For many years, KrebsOnSecurity tracked the day-to-day activities of a similar malware team that used web injections and bots to steal tens of millions of dollars from small and medium-sized businesses across the United States.
At the end of each article, I would conclude by recommending anyone concerned about malware capturing their banking information to seriously consider doing their online banking from a dedicated, secure system that is not used only for this purpose. Of course, the dedicated system approach only works if you still use that dedicated system to manage your online account.
These stories also observed that since the vast majority of malware used in cyber heists is designed to run only on Microsoft Windows computers, it made sense to choose a non-Windows computer for this dedicated banking system, such as a Mac or even a version of Linux. I still stick to this advice.
In case anyone is interested, here (PDF) is a list of all phishing domains currently and previously used by the Disneyland team.
#puny #world #Krebs #Security