Unmasking Fraudsters—DIY Domain Research Suite (DRS) Guide
Posing as legitimate customer-facing organizations is a significant contributor to the success of fraudulent campaigns. In this edition of our DIY investigation guides, we will take you through the process of investigating possible vehicles for fraud targeting the financial sector using different Domain Research Suite (DRS) search and monitoring tools.
Case #1: Discover and Investigate Potential Bank Fraud Channels
Our investigation begins by retrieving a list of domains possibly posing as bank properties. After that, you can zoom in on a specific domain name and dig deeper into its WHOIS, DNS, and other Internet-related records. Follow these steps.
1. Go to Domains & Subdomains Discovery, type your desired search string, and click Search. For our illustration, we obtained a list of domains containing “wellsfargo” registered since 1 October 2022.
[BONUS PRO TIP] For search strings with fewer than five characters, you can select the Starts with parameter instead of Contains to avoid as many false positives as possible.
2. Click a domain name from the search results to start investigating. Select Build WHOIS Report. As an example, we selected wellsfargo-myaccount[.]com.
3. From the WHOIS search results, you can check the following records:
- Website screenshot
- Website metadata and categories
- Domain age
- Registrant details
4. How do these results compare to the information available for the bank’s official domain? Go to WHOIS Search and type the official domain name of the imitated bank. In this case, it’s wellsfargo[.]com.
- Website screenshot: The cybersquatting domain above hosts content similar to that of the Wells Fargo official website shown below.
- Website metadata and categories: While the cybersquatting domain didn’t have web categories and metadata, the legitimate domain has complete details.
- Domain age: Wells Fargo’s official domain was created in 1993, while the cybersquatting property was only three days old as of this writing.
- Registrant details: The legitimate domain itself is the root domain of the registrant’s email address.
5. Compare the results obtained from steps 3 and 4. The actors behind wellsfargo-myaccount[.]com did their best to imitate the official wellsfargo[.]com web page by hosting nearly identical content. However, glaring differences in the official Wells Fargo and cybersquatting domains’ records reveal the latter is most likely being used as a front for fraud and other crimes.
6. [BONUS PRO TIP] Uncover more suspicious domains related to the possible fraudsters by clicking the arrow beside the Registrant Organization of wellsfargo-myaccount[.]com and selecting Build current Reverse WHOIS report.
As of 16 November 2022, we found 229 domains currently under the registrant. Most of them appear to be banking domains.
Case #2: Detect Fake Crypto Platforms
When someone sends you a link to a cryptocurrency platform, the best practice would be to verify if the domain is legitimate. We illustrate how to do this below.
1. Go to WHOIS Search and type the domain name. Our example is the domain tr-binance-account-mobile[.]com.
2. On the results page, examine the following details:
- Website screenshot
- Domain age
- WHOIS ownership details
3. The website screenshot result above shows that the top of the web page has the text “URL verification https[://]accounts[.]binance[.]com”. Type the URL into WHOIS Search. If there are no URLs available, use the official domain name of the imitated platform (binance[.]com in this illustration).
4. Compare the following details with the results from step 2 and with the Binance official domain details.
- Website screenshot: Both suspicious domains from steps 2 and 3 host almost identical content, except that in tr-binance-account-mobile[.]com, the page says “QR code expired.”
- Domain age: The Binance official domain was registered on 1 April 2017, while the suspicious one is only a day old as of this writing.
- WHOIS registrant details: Binance’s WHOIS records are protected by DNStination, Inc., while tr-binance-account-mobile[.]com uses Contact Privacy.
While some of the differences are subtle, it is likely that tr-binance-account-mobile[.]com is a cybersquatting domain; it has also been flagged as malicious by various malware engines.
5. [BONUS PRO TIP] Find out more potentially malicious domains related to the fake crypto platform by going to Reverse DNS Search and typing the domain into the Obtain connected domains search box. Clicking Search returned 42 domains resolving to the same IP address as tr-binance-account-mobile[.]com.
You can see that several related domains suspiciously contain the string “wailet,” possibly a typo variant of the word “wallet.”
Case #3: Uncover Possible Investment-Related Fraud
Other lures fraudsters may use are related to the stock, foreign exchange (forex), or other investment markets. To investigate domains that could serve as fraud vessels, follow these steps.
1. Go to Domains & Subdomains Discovery and type the relevant search string. We used “nasdaq” for this demonstration. To limit the results to only newly added domains, we set the Added since parameter to 1 October 2022.
We found 236 Nasdaq-related domains added from 1 October to 16 November 2022.
2. From the list of results, click a domain name of interest. Choose Build Historic WHOIS report.
3. Check the website screenshot. The content hosted on nasdaqtaiwan[.]com is a login page bearing Nasdaq’s official logo.
4. Compare the content with the actual Nasdaq login page at the URL nasdaq[.]com/user/login.
5. The content hosted by the cybersquatting domain is suspicious enough, but you can also compare other details.
- Domain age: The official nasdaq[.]com was created on 16 December 1993, while nasdaqtaiwan[.]com was registered on 18 October 2022.
- Metadata and web categorization: The cybersquatting property doesn’t have enough content to be categorized, while nasdaq[.]com is classified under Business and Finance.
- Registrant details: While the rest of Nasdaq’s WHOIS details have been redacted, its registrant organization is The Nasdaq Stock Market, Inc. On the other hand, the cybersquatting domain’s WHOIS details are protected by Domains by Proxy.
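Cases #1 to #3 all compare the same handful of records (brand string in the domain, domain age, registrant details, privacy protection, web categorization) between a suspect domain and the official one. The following added example, not part of the DRS guide or its product, encodes those checks as a small triage routine over constructed WHOIS records; the dates, registrant fields and email addresses are placeholders, not real WHOIS data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class WhoisRecord:
    """Minimal subset of the WHOIS/metadata fields the guide compares (constructed)."""
    domain: str
    created: date
    registrant_org: str = ""
    registrant_email: str = ""
    privacy_service: Optional[str] = None   # e.g. a WHOIS privacy/proxy provider
    categories: tuple = ()                  # web categories, empty if uncategorized

def brand_match(domain: str, brand: str) -> bool:
    """Mirror the search rule: 'Contains' for longer strings, 'Starts with'
    for strings shorter than five characters (fewer false positives)."""
    label, brand = domain.lower().split(".")[0], brand.lower()
    return label.startswith(brand) if len(brand) < 5 else brand in label

def triage(suspect: WhoisRecord, official: WhoisRecord, brand: str, as_of: date,
           young_days: int = 30) -> list[str]:
    """Return the discrepancies the guide's comparison steps look for."""
    findings = []
    if suspect.domain != official.domain and brand_match(suspect.domain, brand):
        findings.append(f"contains brand string '{brand}' but is not {official.domain}")
    age = (as_of - suspect.created).days
    if age < young_days:
        findings.append(f"only {age} day(s) old (official domain created {official.created.year})")
    if suspect.privacy_service and not official.privacy_service:
        findings.append(f"registrant hidden behind {suspect.privacy_service}")
    # legitimate domains are typically the root domain of the registrant email
    email_domain = suspect.registrant_email.rpartition("@")[2].lower()
    if email_domain and email_domain != suspect.domain.lower():
        findings.append(f"registrant email domain '{email_domain}' does not match the domain")
    if official.categories and not suspect.categories:
        findings.append("no web categories/metadata, unlike the official domain")
    return findings

# Constructed records echoing Case #1 (the guide only states the official domain's
# creation year and the suspect's age in days; all other values are placeholders).
OFFICIAL = WhoisRecord("wellsfargo.com", date(1993, 1, 1), "Wells Fargo & Company",
                       "domain-admin@wellsfargo.com", None, ("Business and Finance",))
SUSPECT = WhoisRecord("wellsfargo-myaccount.com", date(2022, 11, 13), "Constructed Org",
                      "registrant@mail.example")

if __name__ == "__main__":
    for finding in triage(SUSPECT, OFFICIAL, "wellsfargo", date(2022, 11, 16)):
        print("-", finding)
```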
Case #4: Investigate Cybersquatting Domains Targeting Prominent Figures in the Financial Sector
Aside from financial companies and platforms, fraudsters are also fond of posing as venture capitalists, investors, CEOs, and other famous personalities in the financial industry. An example is chamath-event[.]site, which seems to implicate Canadian-American venture capitalist Chamath Palihapitiya.
To our knowledge, Chamath doesn’t have an official website named after himself. The official website for his venture capital activities is socialcapital[.]com. When you encounter suspicious domains such as chamath-event[.]site, follow these steps to investigate the possibly offending domain.
1. Go to WHOIS History Search and type the suspicious domain.
2. Browse through its historical WHOIS records.
3. Click an unredacted registrant detail you may find and select Build historic Reverse WHOIS report to see what other domains have been registered using the chosen record detail.
4. For chamath-event[.]site, we found an email address that is also connected to a domain implicating Elon Musk, who also doesn’t have an official website named after himself.
5. [BONUS PRO TIP] Monitor the registration of domains containing the names of prominent individuals by adding them to Brand Monitor.
—
Whether it’s bank fraud, fake cryptocurrency platforms, impersonators, or investment-related scams, DRS has the search and monitoring tools to help you perform a DIY investigation.
Are you interested in doing similar fraud investigations? Access DRS if you are an existing user or sign up if you are a first-timer.