Monday, 29 April 2024

Targeting the banks: a case study of the UK financial brand abuse domain landscape

BLOG POST

A recent report by consumer watchdog 'Which?'[1] highlighted the likely scale of the problem of fraudulent and copycat websites targeting brands in the banking industry. Off the back of this report, we carried out a landscape analysis considering gTLD (i.e. generic extensions such as .com, etc.) domains with names beginning with any of the eight major UK banking brands referenced in the Bank of England’s Resolvability Assessment Framework[2]. This approach (ignoring domains where brand names appear elsewhere in the domain name, unbranded domain names, and other domain-name extensions) will therefore give an extremely conservative view of the full scale of the problem.

Even just using this very simple approach, significant numbers of live, potentially fraudulent sites and other infringements targeting the banking brands were identified. The findings encompassed a range of 'tiers' of threat severity, from explicit impersonation and phishing, through the promotion of probable non-legitimate financial schemes, to other potentially unauthorised use of branding (complaints sites, informational content, misdirection of web traffic to third-party content, etc.). Even amongst the large number of additional currently-inactive domains, there is a high potential for fraudulent use and/or subsequent 'weaponisation' in scam campaigns. Of additional concern is the fact that some of the high- or intermediate-threat sites have been registered for significant periods of time (up to four years in some cases).

When the analysis is extended to cover 'fuzzy' matches to the brand names (i.e. typos and associated variants), a large number of additional examples of concern were again identified, highlighting the extent of this approach (i.e. the use of confusingly similar deceptive brand variants) by fraudsters, and the importance of using a brand-monitoring tool able to capture these examples.

In light of these findings, it would seem that there is a need for increased regulation and legislation in the domain-name-sales industry, since in many cases there is no legitimate reason why a non-brand-owner should be registering large numbers of domains featuring variants of a trusted and rights-protected brand name.

References

[1] https://www.which.co.uk/policy-and-insight/article/thousands-of-potentially-fraudulent-banking-copycat-websites-reported-in-2023-which-warns-aJtr04Z9MlZ9

[2] https://www.bankofengland.co.uk/financial-stability/resolution/resolvability-assessment-framework/resolvability-assessment-of-major-uk-banks-2022

This article was first published on 29 April 2024 at:

https://www.iamstobbs.com/opinion/targeting-the-banks-a-case-study-of-the-uk-financial-brand-abuse-domain-landscape

* * * * *

WHITE PAPER

A March 2023 report by consumer watchdog 'Which?', in partnership with the DNS Research Foundation, highlighted the extent of the problem of financial fraud and copycat banking websites. Their analysis revealed that more than 2,000 suspected lookalike websites targeting the top UK banking brands were identified in 2023, based on analysis of phishing and fraud blocklists for cases where any of the brand names appear in the URLs of the infringing sites[1,2]. This figure is likely to be a lower limit for the true number of cases (potentially by a significant margin), bearing in mind the focus on branded URLs, the inability to incorporate meaningful analysis of the more generic brand names, and the fact that only sites which were identifiable and sufficiently long-lived to have been included on the blocklists were considered.

As a deeper dive, we consider the landscape of registered domains[3] with names containing any of the eight major UK banking brands[4] as referenced in the Bank of England's Resolvability Assessment Framework[5]. In order to focus on the highest-relevance domains, we consider only domains where the brand name appears at the start of the domain name, and analyse only gTLDs (generic extensions such as .com, for which comprehensive zone-file data is available). Even this part of the methodology alone (focusing solely on gTLD domains containing the brand name at the start) means that the analysis very conservatively reflects the overall scale of the infringement landscape.

We firstly exclude any domains which appear to be under the ownership of the official brand owner in question, on the basis of registrant or registrar identifiers explicitly given in the domain registration ('whois') records (where available via an automated look-up). In general, brand owners will maintain a portfolio of both 'core' domains (used in the general day-to-day execution of their business) and 'tactical' domains (comprising defensive and strategic - e.g. intended for future use - registrations).

Following the removal of official domains, a dataset of almost 14,000 (probable) third-party domains was obtained, for the eight banking brands. In order to further focus on those sites most likely to be relevant to the brands in question (and disregard generic, unrelated or third-party uses of the brand names, which include examples such as Lloyds (also a surname), Nationwide (a generic term), and Santander (also a location)), we focus only on those domains featuring banking- or finance-related or other significant keywords in the domain name or in the site content. This filtering yields a set of around 3,200 domains.

The next stage of analysis involves considering only those domains resolving to live website content (i.e. returning an HTTP status code of 200), of which there were just over 2,400. However, the remainder may still be of potential concern, perhaps comprising instances of cybersquatting, or domains intended for activation ('weaponisation') at a later date.

40 of the approximately 2,400 sites were found to resolve or re-direct to what appear to be official websites for the banking brands in question (despite not being registered with official corporate contact details). In some of these cases, the authenticity of the sites was unclear, by virtue of factors such as domain registration via a retail-grade registrar (with examples such as Tucows and GoDaddy appearing in the dataset), highlighting that there may be cases where the brands have not consolidated their official registrations through enterprise-class providers.

Even in cases where a site was found to re-direct to a domain which is definitively official (e.g. hsbc.com, lloydsbank.com, natwest.com, santander.com, barclays.co.uk, etc.), this does not necessarily mean that the referring site is innocuous. For example, it is a well-established phishing technique to register a deceptive name to be used as the 'from' address in an email campaign, but configure the domain to re-direct to a legitimate official site, so as to provide an appearance of authenticity.

Of the remaining sites, we then focus on the subset presenting the highest potential threat; namely, those featuring highly relevant keywords such as 'bank' or 'login' in their page title. This yielded a high-priority dataset of just over 100 domain names for more detailed analysis.

Concerningly, even this simple approach allowed us to identify a number of instances of live, potentially fraudulent sites and other infringements targeting the banking brands. The highest-threat tier of findings comprises those sites which explicitly appear to be impersonating the brand in question (with varying degrees of quality), presumably as part of phishing attempts or other forms of financial fraud campaign (14 examples in the high-priority dataset) (Figure 1).

Figure 1: Examples of high-threat sites apparently impersonating banking brands (SLDs (second-level domain names, i.e. the part of the domain name to the left of the dot): barclaysbk, barclaysvault, lloydsibankgroup, lloydswealthassetmanagement, natwestbankonline, natwestbonds, natwestsantander, hsbcglobalbank)

The next highest (i.e. intermediate threat) level of findings are those sites which appear to be using the brand name in conjunction with finance-related content appearing likely to be non-legitimate, but which seem not to be explicitly impersonating the banking brand in question (12 examples in the high-priority dataset) (Figure 2).

Figure 2: Examples of intermediate-threat sites utilising a banking brand name in conjunction with probable non-legitimate finance-related content (SLDs: lloydsgroups, hsbcapitalfx)

Included amongst the lower-threat findings are some examples of sites making potentially unauthorised use of branding in other contexts (some of which may not be enforceable), such as complaints sites, informational content, websites promoting their own products or services, or other sites which may be official but are not registered with centralised contact details (Figure 3).

Figure 3: Examples of lower-threat sites making potential unauthorised use of official branding (SLDs: lloydsbankassetfrauds, natwestcon, hsbc-otasuke, santandergpt)

A range of content types was identified within the remainder of the dataset, including instances of third-party content, adult sites, pages offering the domain names for sale, and other placeholder content. Some of these page styles have previously been identified as content types which are typically displayed as 'dummy' content, used to mask more serious infringements which may have their access 'geoblocked', or which are only active at particular times or on particular days[6].

Amongst the set of 26 'high' and 'intermediate' threat sites, it is noteworthy that the registrations are dominated by the use of retail-grade registrars and explicit use of privacy-protection services. The sites encompass a wide range of ages (registered between 08-Jul-2020 (1,365 days old at the time of analysis) and 01-Apr-2024 (2 days old)). The presence of examples at both ends of this spectrum is concerning, because of the longevity of some of the sites and the fact that registration of (new) infringements is ongoing.

We next extend the analysis to consider domains where a fuzzy match to any of the brand names (i.e. instances of (single) replaced, missing, additional or transposed characters) appears at the start of the domain name. These types of typo variants have extensively been noted as being popular with infringers in the creation of deceptive and fraudulent sites[7,8].

From these broad searches, a set of over 57,000 domain names was returned. From these, we again remove any which are explicitly under the official ownership of the brand in question (634 domains), together with a number of others which are most likely to be non-relevant.

These include:

  • all domains featuring a missing- or replaced-character variant of 'hsbc' (since these types of variants - such as 'absc', 'sbc', etc. - are likely to be unrelated to the brand, given the short length of the character string)
  • (replaced-character) domains beginning with just 'barclay', 'lloyd' or 'floyd', unless they also feature banking or finance-related keywords, or other features suggesting they may be of concern (e.g. domains where the brand variant comprises the entirety of the SLD name, or where the domains are classified as additional-character variants - e.g. strings such as 'lloydXs', where 'X' is some other character)
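The fuzzy-match rules above (a single replaced, missing, additional or transposed character at the start of the SLD) and the two exclusion rules, implemented as an added example; this is not Stobbs' monitoring tool. The finance keyword list and the handling of the bare 'barclay'/'lloyd'/'floyd' stems are assumptions of mine, the monitored strings are those given in reference [4].

```python
"""Fuzzy brand-prefix classifier for domain SLDs (second-level domain labels).

Added example, not Stobbs' monitoring tool: reproduces the white paper's
single-edit fuzzy match at the start of the SLD and approximates its two
exclusion rules.
"""

# Monitored strings from reference [4]; '(-)' denotes an optional hyphen.
BRANDS = ["barclays", "hsbc", "lloyds", "nationwide", "natwest",
          "santander", "standard(-)chartered", "virgin(-)money"]
# Constructed keyword list; the paper names 'bank' and 'login' as examples.
FINANCE_KEYWORDS = ("bank", "login", "fin", "credit", "fund", "capital", "wealth")
# Short stems the paper treats as too generic on their own (surnames).
STEMS = ("barclay", "lloyd", "floyd")
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
PRIORITY = ("exact", "additional", "transposed", "missing", "replaced")


def spellings(brand):
    """Concrete spellings for a monitored string: '(-)' is absent or a hyphen."""
    if "(-)" not in brand:
        return [brand]
    return [brand.replace("(-)", ""), brand.replace("(-)", "-")]


def single_edit_variants(s):
    """Yield (kind, variant) for every one-character edit of s."""
    for i in range(len(s)):
        yield "missing", s[:i] + s[i + 1:]
        for c in ALPHABET:
            if c != s[i]:
                yield "replaced", s[:i] + c + s[i + 1:]
    for i in range(len(s) + 1):
        for c in ALPHABET:
            yield "additional", s[:i] + c + s[i:]
    for i in range(len(s) - 1):
        if s[i] != s[i + 1]:
            yield "transposed", s[:i] + s[i + 1] + s[i] + s[i + 2:]


def matches(sld):
    """All (brand, kind, prefix) triples where a spelling, or a single-edit
    variant of it, is a prefix of the SLD. Rule 1 of the paper is applied here:
    missing/replaced-character variants of 'hsbc' (e.g. 'absc', 'sbc') are
    dropped because the string is too short to be meaningful."""
    found = set()
    for brand in BRANDS:
        for spelling in spellings(brand):
            if sld.startswith(spelling):
                found.add((brand, "exact", spelling))
                continue
            for kind, variant in single_edit_variants(spelling):
                if sld.startswith(variant):
                    found.add((brand, kind, variant))
    return {m for m in found
            if not (m[0] == "hsbc" and m[1] in ("missing", "replaced"))}


def best_match(sld):
    """Strongest surviving match as (brand, kind), or None."""
    found = matches(sld)
    for kind in PRIORITY:
        for brand, k, _ in sorted(found):
            if k == kind:
                return brand, kind
    return None


def is_of_interest(sld):
    """True if the SLD survives both exclusion rules of the paper."""
    found = matches(sld)
    if not found:
        return False
    kinds = {k for _, k, _ in found}
    # Rule 2 (my approximation): an SLD beginning with a bare stem such as
    # 'lloyd' followed by something other than 's', explained only by a
    # missing/replaced character, is kept only if it carries a finance keyword
    # or consists of nothing but the variant itself. 'lloydXs'-style
    # additional-character variants are kept regardless.
    stem_only = any(sld.startswith(st) and not sld[len(st):].startswith("s")
                    for st in STEMS)
    if stem_only and kinds <= {"missing", "replaced"}:
        return (any(v == sld for _, _, v in found)
                or any(k in sld for k in FINANCE_KEYWORDS))
    return True


if __name__ == "__main__":
    for sld in ("braclaysonline", "hsbkcapital", "llyodsgroup",
                "standardchateredsplc", "absc", "lloydfoo", "lloydbank"):
        print(sld, best_match(sld), is_of_interest(sld))
```

Note that 'hsbkcapital' survives rule 1 because 'hsbkc' is an additional-character variant of 'hsbc', which is consistent with its appearance in Figure 4.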

This yields a dataset of 3,231 domains of potential relevance. Of these, we then focus only on those resolving to live websites and also featuring relevant keywords either in the domain name or on the page. This gives a candidate set of exactly 500 domains for further analysis.

Of these 500, 21 were found to resolve to high- or intermediate-threat sites, according to the definitions used previously (Figure 4). Further examples may also previously have been live, but subsequently been taken down.

Figure 4: High- or intermediate-threat sites hosted on domain names utilising fuzzy variants of the name of the brand being targeted (SLDs: barlaysb, braclaysonline, barrclaysfedunion, barc-laysfin, hssbcc, hsbkcapital, hsbkc-corporation, hesbc, llyodsgroup, nationswidefund, natlwestmb, netwestfin, natiwest, netwestoffshore, nalwest, santender, satanderonline, satandercredit, satandertrades, santandenow, standardchateredsplc)

We also see instances of shared templates being used for different sites (e.g. the braclaysonline and satandercredit examples shown above), suggesting links between the infringers and/or the use of common phishing-site 'kits'.

Amongst the remainder, there are large numbers of domains resolving to third-party sites (in many cases, comprising potentially legitimate uses of the brand variants in question). A significant proportion also resolve to pay-per-click (PPC) pages, suggesting in these cases that the domain names may have been registered speculatively in an attempt to attract misdirected traffic from mistyped URLs or search queries intended for the banking brands in question, and are monetising the visitors to these sites through the generation of click-through revenue.

Additionally, the closeness of the match to the brand name in question of many of the (currently inactive) domains outside this group of 500 is highly suggestive that they may also have been registered for future fraudulent use. The number of concerning findings identified through these simple searches provides an additional illustration of the likely scale of the fraud problem targeting financial brands. This is particularly true given that we have only considered gTLD domains where the brand name (or variant) appears at the start, and have not even considered infringing sites hosted on non-brand-specific and/or other compromised domain names. The findings highlight the importance of brand owners employing comprehensive programmes of brand protection and domain-name management, which are able to address brand variants as well as exact matches, over as wide a range of domain extensions as possible, and also incorporating coverage of general Internet content and phishing data from other sources. Such programmes need to encompass monitoring, prioritisation and analysis of findings, and rapid enforcement against damaging content.

This view of the landscape also raises wider questions about the state of the domain industry and the potential need for more stringent regulation and legislation. The initial article by Which? suggests a push to force domain registrars to do more to prevent these scams appearing in the first place. It might be appropriate to set the bar for 'infringement' at rather a lower level than currently; the suggestion has been made that there is no legitimate reason why a non-brand owner should be registering large numbers of domains featuring variants of a trusted and rights-protected brand name[9,10] - this type of activity potentially could and should be stopped by registrars at the point of attempted registration.

References

[1] https://www.which.co.uk/policy-and-insight/article/thousands-of-potentially-fraudulent-banking-copycat-websites-reported-in-2023-which-warns-aJtr04Z9MlZ9

[2] https://www.techradar.com/pro/security/beware-the-number-of-potentially-fraudulent-banking-copycat-websites-is-on-the-rise

[3] Based on analysis carried out on 03-Apr-2024

[4] The monitored strings are: barclays, hsbc, lloyds, nationwide, natwest, santander, standard(-)chartered, and virgin(-)money. '(-)' denotes an optional hyphen.

[5] https://www.bankofengland.co.uk/financial-stability/resolution/resolvability-assessment-framework/resolvability-assessment-of-major-uk-banks-2022

[6] https://circleid.com/posts/20220531-do-you-see-what-i-see-geotargeting-in-brand-infringements

[7] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[8] https://www.iamstobbs.com/idns-ebook

[9] https://dnsrf.org/news/dnsrf-collaborates-with-uk-consumer-champion-which--to-reveal-the-extent-of-uk-banking-scams-/index.html

[10] J. Williams, XConnect (pers. comm., 02-Apr-2024)

This article was first published as an e-book on 29 April 2024 at:

https://www.iamstobbs.com/targeting-the-banks-ebook

Thursday, 25 April 2024

Tracking the tracker: a case study of profiling a scam website

by David Barnett, Tom Ambridge and Bryan Cheah

BLOG POST

In Q1 2024, Stobbs investigated a large-scale scam campaign, utilising large numbers (potentially several thousands) of fake websites impersonating a large number of well-known brands. The scam was found to be associated with a central fake shipping tracking website, which was investigated in detail in partnership with a number of targeted brand owners, as part of a referral to law enforcement.

The scam site was found to host over 900,000 individual, victim-specific pages, requesting that the recipient makes payment for delivery of their item. Across the duration of the campaign - which has been active for over three years - the site has been used to attempt to steal almost $77 million. Assuming a success rate of between 0.1% and 1% for a typical phishing scam, this single site may have generated between $77,000 and $770,000 for the fraudsters.

It has also proved possible to extract the distinct contact e-mail addresses utilised by the fraudsters on the individual pages of the site. In total, 485 unique addresses were used, utilising a mixture of webmail providers and other host domains. The most frequently used address was utilised on over 195,000 pages on the website, and the 'longest-lived' e-mail address began utilisation in August 2022, and was still in use at the time of analysis. In general, multiple e-mail addresses were in use at any given time.

This article was first published on 24 April 2024 at:

https://www.iamstobbs.com/opinion/tracking-the-tracker-a-case-study-of-profiling-a-scam-website

* * * * *

WHITE PAPER

Introduction

In Q1 2024, Stobbs investigated a large-scale scam campaign, which utilised large numbers (potentially several thousands) of fake websites impersonating a large number of well-known brands. The scam was found primarily to be targeting brands in the consumer goods industries, and made use of domains featuring the name of the targeted brand, usually together with a country name (in English or local language), and also sharing other registration and hosting characteristics.

As part of the investigation, involving a partnership with a number of brand customers as part of a referral to law enforcement, the campaign was found also to be associated with a central fake shipping tracking website (anonymised in this study as ***track.com) hosting a large number of victim-specific scam pages soliciting for payments (Figure 1). Test purchases revealed that, following the placing of an order from any of the initial lookalike websites, the customer was sent an email containing a link to the scam site, purportedly as a means of 'tracking' their delivery. Further in-depth investigation also revealed the use of a second related site (tracking***.com).

Figure 1: Example of a user-specific page on the scam tracking website

The URL of each scam page on the initial identified site included a string of digits, identical to the purported 'tracking number' displayed on the page, giving a URL of the form: https://***track.com/pid/xxxxxxx. Further analysis showed that modification of the string of digits produced URLs resolving to additional pages hosted on the same site. An initial check of 100 consecutive ID-numbers, surrounding the example identified initially (ID-number 13437xx), showed that 35 (i.e. 35%) of the associated URLs generated live scam pages, displaying requested payment amounts of between $9.99 and $207.72.

The inactive ID-numbers generated a page displaying the message "we could not find the order, maybe you have used the different email address?" [sic].

Analysis

In order to gain an overview of the potential scale (in terms of end-to-end time-window and total financial impact) of the scam, we carried out a further analysis of the range of content available, by varying the string of digits at the end of the URL.

Table 1 shows the dates on which each 100,000th ID-number (or the first subsequent example corresponding to an active scam page) appears to have been used, based on the 'date of payment' shown on the page - noting that the ID-numbers appear to have been used in ascending order over time.

ID-number   Date         Amount requested    Days since previous
                         on page (US$)       100,000th ID-number
1           21-Jan-2021  100.00              -
100000      25-Oct-2021  125.98              277
200002      16-Dec-2021  10.00               52
300000      25-Feb-2022  68.52               71
400000      18-Mar-2022  34.99               21
500000      02-Apr-2022  43.00               15
600000      15-Apr-2022  34.95               13
700000      30-Sep-2022  100.00              168
800000      20-Nov-2022  119.85              51
900000      29-Mar-2023  69.00               129
1000002     13-Aug-2023  115.00              137
1100000     05-Sep-2023  90.00               23
1200000     18-Oct-2023  12.50               43
1300007     12-Jan-2024  72.50               86
1400010     23-Feb-2024  50.00               42

Table 1: Data for the first active scam page in each block of 100,000 ID-numbers

As of the date of initial analysis (15-Mar-2024), the scam was still ongoing, with ID-number 1447000 used on that date. It is also noteworthy that the style of the pages changed slightly over time; many of the earliest examples included no personal or contact details, whereas the later ones referenced named recipients and included a contact telephone number and e-mail address.

As a deeper dive, we next considered the set of all 100,000 candidate URLs with ID-numbers between 1300000 and 1399999 (the '13xxxxx' block). This block of ID-numbers covered a six-week period between 12-Jan-2024 and 23-Feb-2024. Within this block of URLs, 31,646 (of the 100,000, i.e. 31.6%) were found to resolve to active scam pages, with an average of 745 pages utilised each day (Figure 2). The currency was requested in US$ in all but four cases (which instead used GBP). The average amount requested per page was US$59.50, meaning that a total of US$1.88 million was requested through the scam site over the six-week period (i.e. US$44,000 per day) (Figure 3).

Figure 2: Daily numbers of active pages utilised on the scam site during the six-week period covering the block of 13xxxxx ID-numbers

Figure 3: Daily total amounts of payment requested through the scam site during the six-week period covering the block of 13xxxxx ID-numbers

It is also informative to compare these statistics with those for the 5xxxxx block of ID-numbers, which covered the shortest time duration of any 100,000 block (just 13 days). One possible explanation for the shorter duration of this block would be if a smaller proportion of the ID-numbers within the range were used for active scams, but the analysis shows this is not the case. Rather, a larger proportion (69,963, or 70.0%) were associated with active pages, showing that this period exhibited a significantly higher rate of scam activity. At this time, the scam appears to have been targeting a wider geographical range of victims (with 64,937 of the pages requesting amounts expressed in US$, 3,500 in EUR, and the remainder in five additional currencies (AUD, GBP, NZD, CAD and DKK)). Over this period, on average 5,700 active scam pages were utilised per day, requesting an average (with all amounts converted to US$) of US$93.55 per instance. The average total amount requested per day was over US$530,000, or a total of over US$6.5 million over the 13-day period.

For additional comparison purposes, we also consider the first block of 100,000 ID-numbers (referred to as the '0xxxxx' block, although in practice the URLs do not incorporate leading zeroes in the ID-number string), which actually covers the longest duration (around 9 months) of any block. Within this block, 72,569 (72.6%) of the ID-numbers were found to be associated with active scam pages (262 pages per day), requesting an average of US$78.73 each (i.e. over US$20,000 per day, or US$5.7 million over the period). Across the duration of usage of this block, significant variability in activity levels was identified (Figure 4).

Figure 4: Daily total amounts of payment requested through the scam site during the nine-month period covering the block of 0xxxxx ID-numbers

More generally, patterns of usage of the site have changed significantly over its full period of activity. Figure 5 shows heat maps representing the total numbers of active scam pages in each 'sub-block' of 50 adjacent ID-numbers, for the three blocks of 100,000 considered in this first part of the study (with darker shades of red denoting that a greater proportion of the ID-numbers in each sub-block were utilised for active scam pages). The high-level trends are that, earlier in the campaign: (a) a greater proportion of the available ID-numbers were being utilised (shown by the fact that the top and middle figures appear darker overall than the bottom one); and (b) there was a greater degree of variability in the extent of use of the available ID-numbers over time (shown by the marked alternation between dark and light areas in the top figure).

Figure 5: Heat maps showing the total numbers of active scam pages in each 'sub-block' of 50 adjacent ID-numbers (with darker shades indicating greater utilisation of the available set of ID-numbers), for the 0xxxxx (top), 5xxxxx (middle) and 13xxxxx (bottom) blocks of 100,000 ID-numbers
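The per-block statistics described above (active fraction, pages per day, amounts normalised to US$, daily totals and the sub-block-of-50 utilisation counts behind the heat maps), as an added example that is not the authors' analysis tool. The records and exchange rates are constructed placeholders; in the study each record came from a live scam page (ID-number from the URL, 'date of payment', amount and currency).

```python
"""Per-block statistics for scam-page records, following the white paper.

Added example, not the authors' tool. The records below are constructed;
in the study each came from a scam page (ID-number, date of payment,
requested amount, currency)."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed exchange rates to US$ (placeholders, not the paper's figures).
USD_RATES = {"USD": 1.0, "GBP": 1.27, "EUR": 1.08, "AUD": 0.65}

# Constructed sample of active pages: (ID-number, date of payment, amount,
# currency). Any ID-number in the block that is absent here is inactive.
SAMPLE = [
    (1300000, "2024-01-12", 72.50, "USD"),
    (1300003, "2024-01-12", 10.00, "USD"),
    (1300049, "2024-01-13", 20.00, "GBP"),
    (1300050, "2024-01-13", 50.00, "USD"),
    (1300120, "2024-01-15", 100.00, "USD"),
    (1400010, "2024-02-23", 50.00, "USD"),  # next block; ignored below
]


def summarise_block(records, block_start, block_size=100_000, sub_block=50):
    """Statistics the paper reports for one block of ID-numbers.

    Returns the active fraction, average pages per day, mean and total US$
    requested, a daily US$ series (zero-filled for quiet days, as in the
    daily figures) and the active-page count per sub-block of 50 ID-numbers
    (the heat-map data)."""
    in_block = [r for r in records
                if block_start <= r[0] < block_start + block_size]
    if not in_block:
        raise ValueError("no active pages in block")
    daily = defaultdict(float)
    sub_counts = [0] * (block_size // sub_block)
    total_usd = 0.0
    for id_number, day, amount, currency in in_block:
        usd = amount * USD_RATES[currency]  # normalise to US$ as the paper did
        total_usd += usd
        daily[day] += usd
        sub_counts[(id_number - block_start) // sub_block] += 1
    first = date.fromisoformat(min(daily))   # ISO dates sort lexically
    last = date.fromisoformat(max(daily))
    n_days = (last - first).days + 1
    series = []
    for i in range(n_days):
        day = str(first + timedelta(days=i))
        series.append((day, round(daily.get(day, 0.0), 2)))
    return {
        "active": len(in_block),
        "active_fraction": len(in_block) / block_size,
        "days": n_days,
        "pages_per_day": len(in_block) / n_days,
        "mean_usd": round(total_usd / len(in_block), 2),
        "total_usd": round(total_usd, 2),
        "daily_usd": series,
        "sub_block_counts": sub_counts,
    }


if __name__ == "__main__":
    # A 200-ID block keeps the constructed sample readable.
    for key, value in summarise_block(SAMPLE, 1_300_000, block_size=200).items():
        print(key, value)
```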

In order to produce an initial estimate of the total scale of the scam, based on this sampling exercise, we might extrapolate the numbers presented above to assume that, across the full duration of utilisation of the site, approximately 50% of the possible available ID-numbers were utilised for active scam pages, requesting an average of $50 per instance (potentially both somewhat conservative estimates). On this basis we would determine that, since January 2021, the site has been used to attempt to steal 1.4 million (the ID-number range covered to date) × 50% × US$50 = approximately US$35 million.

Instead, it is also possible to carry out a full formal analysis, inspecting all possible 1.5 million ID-numbers used to-date (requiring a longer run time for the automated analysis tool). The overall findings from this piece of research are shown in Figures 6 and 7.

Figure 6: Daily numbers of active pages utilised on the scam site during the full duration of its period of use (vertical lines show the boundaries between the blocks of 100,000 ID-numbers)

Figure 7: Daily mean payment requested per individual scam page, during the full duration of the period of use of the scam site

Overall, 900,640 active scam pages were identified (out of a range of 1,465,505 - the final ID-number to have been used on the date on which this second stage of analysis was carried out (25-Mar-2024) - i.e. 61.5%). The average amount of payment requested per page was in fact US$85.33, or a total of US$76,848,200. Amongst the other trends noted are the facts that: (a) there tends to be a drop-off in daily activity following the transition from one block of 100,000 ID-numbers to the next, in many cases; and (b) there was a large spike in requested payment on 15-Sep-2022, a date on which there were a significant number of pages requesting very large amounts of money in each individual instance (up to US$20,004 in one case), with an average per page for that day of $3,698.31, or a daily total of $5,699,098.22.

The full version of the utilisation heat map (of which extracts were shown in Figure 5) is shown in Figure 8.

Figure 8: Heat map showing the total numbers of active scam pages in each 'sub-block' of 50 adjacent ID-numbers (with darker shades indicating greater utilisation of the available set of ID-numbers), for the full range of utilised ID-numbers (thicker lines show the boundaries between the blocks of 100,000 ID-numbers)

As the next phase of the deep dive (and to provide information to accompany the referral to law enforcement), we ran an analysis of all 900,640 active scam pages, to extract the contact e-mail address given in each case. This analysis required a more sophisticated approach than that used to extract the payment amount shown on each page (which appeared in plain text in the HTML), as the e-mail addresses were dynamically generated in each case using a JavaScript function intended to prevent automated scraping. Accordingly, it was necessary to use a more technical approach involving explicit inspection of rendered webpage elements.

The obvious assumption is that each e-mail address is under the direct control of the scammers, since this represents one of their primary means of being able to receive communications from the victims of the scam. However, many of the e-mail addresses use what appear to be wholly unrelated usernames or host domains, suggesting that they may in these cases be associated with compromised domains, or even just have been given as 'dummy' contact details. However, it does seem reasonable to assume that at least those e-mail addresses used most frequently across the duration of the scam campaign are likely to directly pertain to the underlying fraudsters.

In total, 485 unique e-mail addresses were found to have been utilised on the pages of the scam site. 2,290 of the pages gave no contact e-mail address at all, mostly in the early phases of the campaign, between January 2021 and February 2022. The e-mail addresses used a mixture of webmail providers and third-party host domains (Table 2).

Host domain                    No. of instances
gmail.com                      185
hotmail.com                    11
icloud.com                     7
protonmail.com                 6
outlook.com                    6
yahoo.com                      6
proton.me                      4
kerdxcorp.[TLD]                4
aussieblueterpenes.[TLD]       3
mail.com                       3
multiqulo.[TLD]                2
snifffr.[TLD]                  2
pm.me                          2
emailfashionhypexyz.[TLD]      2
babylonsciences.[TLD]          2
globalpaymentgroup.[TLD]       2
naturecan.[TLD]                2
aol.com                        2
securetranz.[TLD]              2
lakime.[TLD]                   2
vapelab.[TLD]                  2
vapeyou.[TLD]                  2
mrnino.[TLD]                   2
wholeearthgifts.[TLD]          2

Table 2: All host domains (obfuscated in some cases) used more than once in the set of 485 distinct contact e-mail addresses used on the scam site

E-mail address                       No. of times utilised
c***@my-ordersupport.[TLD]           195,030
b***@gmail.com                       98,741
k***@gmail.com                       41,977
s***@kaylahost.[TLD]                 34,604
s***@cratesoftwarehouse.[TLD]        34,430
g***@gmail.com                       31,052
m***@gmail.com                       25,036
s***@gmail.com                       24,671
d***@gmail.com                       18,872
s***@snifffr.[TLD]                   18,130

Table 3: The top ten most frequently used individual e-mail addresses (obfuscated), across the full duration of the scam

Figure 9 shows a 'timeline' view of when (i.e. in which month) each of the top 80 most frequently used e-mail addresses were utilised. The colour shading denotes the number of unique pages on which the e-mail address in question appeared, within each month.

Figure 9: Number of pages on which each of the top 80 most frequently-used e-mail addresses (obfuscated) appeared, within each calendar month (with one calendar year shown in each part of the figure)

The 'longest-lived' (though not one of the top 80 most frequently used) e-mail address in the whole dataset (l***@securetranz.[TLD]) was utilised over a total period with a duration of 20 months, between August 2022 and March 2024 (i.e. was still in use at the time of analysis). It was used at least once in all but one month (January 2024) during that period, being utilised 534 times in total.

Discussion

The success rates of phishing scams are difficult to quantify, and there is a wide range of relevant published statistics. The number of click-throughs for a typical phishing campaign may be as high as 18% (based on 2021 data)[1], though it is not necessarily the case that every recipient who receives and clicks on a link will ultimately lose money to the scam. A 2022 study by the US Internet Crime Complaint Center[2,3] reported approximately 300,000 phishing victims in the US, from a global number of (what were described as) phishing 'attacks' of approximately 500 million[4]. This is markedly different from the value of approximately 5 million attacks reported by APWG[5] - referring to the number of distinct reported phishing sites - and appears instead to relate to the total number of (blocked instances of) attempts to access fraudulent sites, as reported by Kaspersky for the same period[6]. If, therefore, we assume a conservative figure (particularly given the fact that this campaign appears to be specifically targeted, with the scam pages personalised to the recipient) for the success rate of the campaign of between 0.1% and 1% (i.e. between one in a thousand and one in a hundred of those individuals targeted by the scam will ultimately have experienced a financial loss), the total funds successfully stolen through this single scam site since the start of 2021 may be in the range of US$77,000 to US$770,000.

References

[1] https://www.stationx.net/phishing-statistics/

[2] https://www.ic3.gov/Media/PDF/AnnualReport/2022State/StateReport.aspx

[3] https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

[4] https://www.forbes.com/advisor/business/phishing-statistics/

[5] https://docs.apwg.org/reports/apwg_trends_report_q4_2023.pdf

[6] https://www.kaspersky.com/about/press-releases/2023_the-number-of-phishing-attacks-doubled-to-reach-over-500-million-in-2022

This article was first published as an e-book on 24 April 2024 at:

https://www.iamstobbs.com/tracking-the-tracker-ebook
