
324 British domain-spoofers spotted in March alone

Chris Hamblin, Editor, London, 3 May 2017


DomainTools, a DNS-based cyber threat intelligence firm, has discovered hundreds of fake websites that appear to be owned by banks during a monitoring period that ran between the 27th and 31st March. Hackers often use bogus domains to trick customers into handing over personal details or login information.

DomainTools unearthed a total of 324 websites - 110 fake HSBC sites, 74 each for Barclays and Standard Chartered, 66 for Natwest and 22 for Lloyds. Web addresses, including hsbc-direct.com, barclaya.net, barclays-supports.com and lloydstsbs.com, were all owned by impostors rather than the banks themselves.

The firm's recent research into cybersquatters who target popular British banks has uncovered large quantities of cyber-squatting (also known as domain-squatting). This is the act of registering a domain name with the purpose of obtaining monetary benefit from a trademark that belongs to someone else. These domains are often used in phishing email campaigns and in various other kinds of scam, including pay-per-click ads (often for competitors’ services), for-profit survey sites and affiliate programme abuse, or to host more nefarious content such as ransomware and drive-by download campaigns.

The DomainTools research team analysed domains that mimicked Barclays, HSBC, Natwest, Lloyds and Standard Chartered using its PhishEye tool. PhishEye allows users to search for existing and new domains that spoof a legitimate brand, product, organisation or other name. Among the 324 there were:

  •     natwesti[.]com
  •     natwestbusinessbanking[.]co.uk
  •     lloydstbs[.]com
  •     hsbcgrp[.]com
  •     bhsbc[.]com
  •     barclaysbank-plc[.]co.uk
  •     wealthbarclays[.]co.uk
  •     standardchartered-bank[.]com
  •     standardcharteredbanks[.]com
  •     standardcharterd[.]com
  •     xtandardchartered[.]com

Many simply add a letter to a brand name, such as Domaintoools.com, while others add letters or an entire word such as ‘login’ to either side of a brand name. Users should remember to inspect every domain they are clicking on or entering in their browser very carefully. They should also watch 'redirects' closely when they are going from site to site. The big brands do not appear to be monitoring the Internet for fraudulent domain name registrations or defensively registering their own typo variants, both of which DomainTools recommends. Its CEO told Compliance Matters: “It is better to lock down typo domains than to leave them available to someone else and at an average of £12 per year per domain, this is a relatively cheap insurance policy.”

Other top tips for consumers who want to avoid spoof websites include the following.

  • Check for extra added letters in the domain, such as Yahooo[.]com
  • Check for dashes in the domain name, such as Domain-tools[.]com
  • Look out for ‘rn’ disguised as an ‘m’, such as modem.com versus modern.com
  • Check for reversed letters, such as Domiantools[.]com
  • Check for a plural or singular form of the domain, such as Domaintool[.]com
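
The checks above can be automated by a brand owner monitoring new registrations. The following Python sketch is an added example, not DomainTools' or PhishEye's code; it goes slightly beyond the tips by also covering the missing-letter, changed-letter and added-word variants seen in the article's domain list, and the `BRANDS` watch list and function names are assumptions.

```python
# Added example: flag lookalike domains using the patterns this article lists.
# BRANDS is an assumed watch list; function names are hypothetical.
BRANDS = ["barclays", "hsbc", "natwest", "lloyds", "standardchartered"]

def label_of(domain):
    """Leftmost label of a (possibly defanged) domain, lower-cased."""
    return domain.lower().replace("[.]", ".").split(".")[0]

def drops_to(longer, shorter):
    """True if deleting exactly one character from `longer` gives `shorter`."""
    return len(longer) == len(shorter) + 1 and any(
        longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def swapped(a, b):
    """True if reversing one adjacent pair of characters in `a` gives `b`."""
    return len(a) == len(b) and a != b and any(
        a[:i] + a[i + 1] + a[i] + a[i + 2:] == b for i in range(len(a) - 1))

def classify(domain, brand):
    """Return the lookalike patterns that `domain` matches for `brand`."""
    label = label_of(domain)
    plain, hits = label.replace("-", ""), []
    if label == brand:
        return hits  # the brand's own label; ownership is a separate check
    if "-" in label and brand in plain:
        hits.append("dash")
    if plain == brand + "s" or plain + "s" == brand:
        hits.append("plural/singular")
    elif drops_to(plain, brand):
        hits.append("extra letter")
    elif drops_to(brand, plain):
        hits.append("missing letter")
    elif len(plain) == len(brand) and sum(x != y for x, y in zip(plain, brand)) == 1:
        hits.append("changed letter")
    if swapped(plain, brand):
        hits.append("reversed letters")
    if plain != brand and brand in (plain.replace("rn", "m"), plain.replace("m", "rn")):
        hits.append("rn/m swap")
    if not hits and brand in plain:
        hits.append("added word")
    return hits

def scan(domains, brands=BRANDS):
    """Map each suspicious domain to its (brand, patterns) matches."""
    found = {}
    for d in domains:
        matches = [(b, h) for b, h in ((b, classify(d, b)) for b in brands) if h]
        if matches:
            found[d] = matches
    return found
```

Short brand labels such as `hsbc` sit one edit away from many unrelated strings, so matches are candidates for review rather than verdicts.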

DomainTools generates risk scores using a proprietary algorithm that assigns a “guilt by association” score to the domain according to a number of factors that the firm does not seem willing to divulge.
