A financial cybercrime group calling itself the Disneyland Team has been using visually confusing phishing domains that spoof popular bank brands with the help of Punycode.
What Happened: Alex Holden, the founder of cybersecurity consulting firm Hold Security, has analyzed the group's operation. This cybercrime group has been using a web-based control panel to keep track of victims' credentials, according to Krebs on Security.
Holden gained access to the panel, which reveals that the gang has operated dozens of Punycode-based phishing domains for the better part of 2022. Punycode (RFC 3492) is the internet standard that lets internationalized domain names containing non-ASCII characters, such as Cyrillic letters or accented Latin letters, be carried in DNS as plain ASCII labels prefixed with "xn--"; web browsers decode those labels and display the Unicode form in the address bar.
The Disneyland Team uses common misspellings for leading banks in its domains. It also uses Punycode to make its bogus bank domains look more legit.
Take U.S. financial services firm Ameriprise for example. Ameriprise uses the domain ameriprise.com. The Disneyland Team's domain for Ameriprise customers is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain.
On close inspection, one can make out small dots under the "a" and the second "e" (the Vietnamese-style dot-below diacritic), which are easily mistaken for a speck of dust on a computer or mobile screen.
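The lookalike above is a good test case for the kind of check a defender would want to run over newly registered or inbound domains. The following is an added example, not code from the Krebs or Hold Security report: it converts between the Unicode and "xn--" Punycode forms of a domain using only Python's standard library, then builds a "skeleton" by stripping combining marks (NFKD decomposition, then dropping Unicode category Mn characters) so that ạmeriprisẹ.com collapses to ameriprise.com and can be matched against a brand list. The brand list and the function names are assumptions for illustration; the sample domain is the one quoted in the article.

```python
import unicodedata

# Constructed brand allowlist for the demo; a real deployment would load
# the organisation's own domains here.
BRANDS = ["ameriprise.com", "example-bank.com"]


def to_ascii(domain: str) -> str:
    """Encode each non-ASCII label as an IDNA 'xn--' Punycode label."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label)
        else:
            # Python's 'punycode' codec implements RFC 3492 for one label.
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(domain: str) -> str:
    """Decode 'xn--' labels back to the Unicode form a browser would show."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison key: decode Punycode, decompose
    accented letters into base letter + combining mark, drop the marks,
    and casefold. 'ạmeriprisẹ.com' -> 'ameriprise.com'."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain))
    stripped = "".join(
        ch for ch in decomposed if unicodedata.category(ch) != "Mn"
    )
    return stripped.casefold()


def lookalike_of(domain: str, brands=BRANDS):
    """Return the brand a domain impersonates, or None if it is either the
    genuine brand domain or unrelated to every brand in the list."""
    key = skeleton(domain)
    for brand in brands:
        if key == skeleton(brand) and to_unicode(domain).casefold() != brand:
            return brand
    return None


if __name__ == "__main__":
    sample = "ạmeriprisẹ.com"  # the domain quoted in the article
    print("Punycode form :", to_ascii(sample))
    print("Decoded form  :", to_unicode(to_ascii(sample)))
    print("Skeleton      :", skeleton(sample))
    print("Impersonates  :", lookalike_of(sample))
```

This skeleton check only covers diacritic tricks of the kind the Disneyland Team used; a full confusables check (Cyrillic "а" for Latin "a", for instance) needs a mapping table such as Unicode's confusables.txt, which this example deliberately does not bundle.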
According to Holden, the Disneyland Team is Russian-speaking or at least based in Russia. It is not simply a phishing gang, however: the report notes that the group pairs its phony bank domains with malicious software covertly installed on the victim's computer.
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.