Cybercriminals never let a good crisis go to waste.
One online security concern that has resurfaced following the recent turmoil in banks like Credit Suisse and Silicon Valley Bank is cybersquatting.
Cybersquatting is the act of registering a domain name similar to that of a reputable financial institution or other company and then emailing customers and tricking them into keying in their personal information. From there, malicious actors use screen scraping to obtain the login information and access the victims’ accounts.
The finance sector in 2022 saw its largest cohort of malicious active domains affected by cybersquatting. In fact, 26,125 instances targeting more than 400 banking and finance clients were identified by web security services platform Akamai, which uses its cloud-based Edge DNS solution to scan DNS registries using domain name system security extensions.
The company is employed by the 10 largest U.S. banks, according to Akamai, which declined to name the banks.
Cybersquatting intensifies
The emails from cybersquatters are now rolling in amid the news of recent bank failures, Steve Winterfeld, advisory chief information security officer at Akamai, told Bank Automation News.
“Banking has a real problem with their customers who are going to get an email because of the run on banks. The emails will say, ‘We’re validating everybody’s user credentials, please log in and validate,’” Winterfeld said.
“People are scraping your webpage and having the customer go try to log in, and [the false page] can say [the site is down]. That gives me time to hack your account. Or I can say ‘you got it wrong, try to log in a second time’ and then take you to the real login page,” he said.
Another method cybercriminals use is to copy the webpage design of a reputable bank onto a malicious URL with a programming language such as Python, tricking customers with the familiar images and leading to the login scenario described by Winterfeld.
Cybersquatting comes in many forms, with “combo squatting” being the most prevalent. This method involves adding a keyword such as “-hr” or “-security” to an existing bank’s domain name, thus changing a URL from a reputable one to a malicious version with the intent to steal a user’s login information, according to the security platform.
Per Akamai’s 2022 State of the Internet report, account takeover and web scrapers combine for 81% of individual attackers, according to insights gathered from its DNS platform.

While cybersquatting has been around since the late 1990s, the methods used to access victims’ accounts are becoming more advanced over time, Ali Allage, chief executive at BlueSteel Cybersecurity, told BAN. The consultancy helps federal organizations with security and compliance needs, according to BlueSteel’s website.
“It’s very technical in terms of the way people do it … Emails and targeted emails are getting more sophisticated,” Allage said. “It’s coming to light because with social engineering you’re impersonating someone in order to obtain an end result. Now, you’re impersonating a brand.”
Fighting cybersquatting
Banks have few effective methods of recourse.
Namely, they can use a domain protection service to identify fake URLs that may be impersonating the site and then report the false domains to the registrar of the domain and the Internet Crime Complaint Center to have them removed from the web.
Banks are protected under the Anti-Cybersquatting Consumer Protection Act, which requires domains to remove sites that are misleading to customers. Despite this, tracking this activity can still be an extensive effort, Winterfeld said.
“As a bank, I may want to buy up domains that include my company’s name, I may want to buy up domains with misspellings,” he added.
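One way a bank's security team could screen newly observed domain names for the combo-squatting and misspelling patterns described above. This is an added example, not code from Akamai or the article; the brand `examplebank`, the keyword watch list, the distance threshold and the sample domains (all under reserved TLDs) are constructed assumptions, and the `tld-variant` class goes slightly beyond the cases the article names.

```python
# Added example: classify candidate domains as lookalikes of a protected brand.
# All names and sample data below are constructed for illustration.
COMBO_KEYWORDS = {"hr", "security", "login", "verify"}  # assumed watch list

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand, legit):
    """Return a lookalike class for `domain`, or None if it looks unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in legit:
        return None
    labels = domain.split(".")
    # Assumption: single-label TLD, so the registrable label is second from last.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if label == brand:
        return "tld-variant"            # exact brand on a TLD the bank does not own
    if brand in label:
        extra = set(label.replace(brand, "-").split("-")) - {""}
        return "combosquat-keyword" if extra & COMBO_KEYWORDS else "combosquat"
    limit = 2 if len(brand) >= 8 else 1  # tolerate one swap on longer brands
    for token in [label.replace("-", "")] + label.split("-"):
        if 0 < edit_distance(token, brand) <= limit:
            return "typosquat"
    return None

def scan(domains, brand, legit):
    """Map each suspicious domain to its class; unrelated domains are omitted."""
    return {d: k for d in domains if (k := classify(d, brand, legit))}

BRAND = "examplebank"
LEGIT = {"examplebank.example"}
SAMPLE_DOMAINS = [                      # constructed feed of newly seen domains
    "examplebank.example", "examplebank-security.test", "examplebankhr.test",
    "myexamplebank.test", "examp1ebank.test", "exampelbank-hr.test",
    "examplebank.invalid", "weather-news.test",
]

if __name__ == "__main__":
    for name, kind in scan(SAMPLE_DOMAINS, BRAND, LEGIT).items():
        print(f"{kind:20} {name}")
```

Hits from a screen like this are candidates for the registrar and Internet Crime Complaint Center reports mentioned above, or for defensive registration, after a manual check.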




