Portuguese Bank phishing
A few weeks ago, Afonso received a text message on his phone (in Portuguese) that translated to:
“Avoid blocking your account: Please access loguin-novobanco[.]com”
As in most phishing schemes, the malicious domain tries to impersonate the real one, and this was no exception. Afonso quickly spotted the suspicious spelling ‘loguin’ (‘login’ in Portuguese), so he decided to investigate a bit further.
Using the Silent Push App, Afonso ran a domain lookup to see what he could find.
At the time, the domain was being hosted on 13.66.4[.]22.
The first thing Afonso did was investigate other domains on the same IP address and then on the same subnet, using the reverse IP lookup function. Since nothing interesting came up on the subnet, he narrowed the search to whatever else was hosted on the same IP address:
This led to plenty of other bank phishing domains such as:
montepio-app[.]com, which spoofs Portuguese bank Montepio.
appitau-tarjeta.puntosarescatar[.]com, which spoofs a Brazilian bank.
Most of the domains were created less than a week earlier, so this meant Afonso could track everything from the beginning.
After checking on each domain, Afonso found they all used kinghostbr.*.orderbox-dns[.]com as nameservers. He decided to use the Silent Push API to see if he could find any other suspicious domains using these nameservers, and found Santander Bank spoofing domains, which had been taken down already.
None of the domains Afonso found appeared to have an active website at the time of his research; most just redirected to a photography page.
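The brand-impersonation pattern in this campaign (brand name plus a keyword such as ‘loguin’ or ‘app’, or the brand with two letters swapped, as in sanrtander) can be triaged automatically. The script below is an added example, not part of the original post or of Silent Push's tooling: it refangs indicators written in the post's `[.]` notation, then flags hostnames that contain a watched brand or sit within a small edit distance of one. The brand list and the sample indicators are constructed from the domains named in the post.

```python
# Watched brands, taken from the banks impersonated in the post.
BRANDS = ["novobanco", "montepio", "santander", "itau"]

# Constructed sample in defanged notation, drawn from the post's indicators
# plus one benign control entry.
SAMPLE = [
    "loguin-novobanco[.]com",
    "sanrtander[.]com",
    "santarnder[.]run",
    "appitau-tarjeta[.]puntosarescatar[.]com",
    "example[.]org",
]

def refang(domain):
    """Turn defanged 'a[.]b' notation back into a plain lowercase hostname."""
    return domain.replace("[.]", ".").lower()

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brands(domain, max_distance=2):
    """Return the sorted list of brands this hostname appears to impersonate.

    Each DNS label and each hyphen-separated token inside a label is checked:
    a substring match catches 'loguin-novobanco' and 'appitau', while a small
    edit distance catches transpositions such as 'sanrtander'. Fuzzy matching
    is only applied to tokens and brands of at least five characters so that
    short TLDs like 'com' or 'in' never match by accident.
    """
    tokens = set()
    for label in refang(domain).split("."):
        tokens.add(label)
        tokens.update(label.split("-"))
    hits = set()
    for tok in tokens:
        for brand in BRANDS:
            if brand in tok:
                hits.add(brand)
            elif (len(tok) >= 5 and len(brand) >= 5
                  and abs(len(tok) - len(brand)) <= max_distance
                  and levenshtein(tok, brand) <= max_distance):
                hits.add(brand)
    return sorted(hits)

def triage(domains):
    """Map each suspicious indicator to the brands it resembles; skip clean ones."""
    return {d: lookalike_brands(d) for d in domains if lookalike_brands(d)}
```

Running `triage(SAMPLE)` flags the four phishing hostnames and leaves the control domain out; feed it a reverse-IP or nameserver pivot result to surface further brand lookalikes for manual review.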
Indicators of Compromise