
[Brand Impersonation] - Bank of Ireland


Bank of Ireland Group is one of the largest financial services groups in Ireland and provides a broad range of banking and other financial services.

During our PreCrime internet scout of December 14th 2022, we identified suspicious markers across multiple vectors. One of them was the website spoof described below, which could be targeting unsuspecting users of Bank of Ireland.


The Attack

Legitimate site:

bankofireland[.]com

Malicious domain, created on December 13, 2022 and identified by Bfore.Ai on December 14, 2022:

boi-online[.]info

This is a brand impersonation attack on one of the biggest banks in Ireland, Bank of Ireland (BOI).

Malicious site (screenshot)

Legitimate site (screenshot)

How does this attack work?

The URL leads users to an almost exact clone of the legitimate site's login page, where they are asked to log in to their BOI account using their User ID, Date of Birth and Phone Number. On the legitimate login page, BOI users are only asked to enter their User ID and Date of Birth to log in to their account.


How do they trick users into believing the attack is real?

  • Users may be led to the malicious website through a phishing campaign, in which they are asked to visit the website to verify their account by logging in, supposedly because of an issue with it. The threat actors will likely present this as an urgent matter, a tactic commonly used to pressure victims into complying without checking.

  • Copying the branding from BOI, including the same logo, colours and font. Additionally, the login page is almost identical to the legitimate one.

  • Using a domain name similar to BOI. The threat actors have used the bank's acronym, BOI.


Why is this a threat?

If successful, this attack would give threat actors access to sensitive personal information about the individual or corporate user, allowing them to take control of the victim's bank account and steal their money. Corporations using BOI would also be at risk of their internal network being compromised if the credentials used at BOI are the same ones used for work.

Domain brand impersonation does not just lead to theft of sensitive personal information; depending on the target and the end goal of the threat actor, it could also result in malware infection for both private consumers and global corporations. This happens when stolen credentials are sold on the dark web, giving other threat actors the ability to conduct further attacks against the user(s), such as ransomware attacks. Such attacks could have serious consequences for the company, including high monetary costs, disruption of business operations, exposure of confidential data and reputational damage.

  • A cyber incident at BOI could ultimately result in a loss of around 14.8 million EUR.

  • Companies connected to BOI could run the risk of a data breach, which as of 2022 could result in a loss of around 4 million EUR.

  • Individual consumers who fall victim to this attempt to obtain their personal information could lose between 2 and 3 thousand EUR.

Recommendations
  • If in doubt whether an email is legitimate, never click on any links. Go to the legitimate website’s domain instead via a search engine.

  • Always double check the domain name to make sure it is the legitimate one.

  • Never use the same credentials for work and personal accounts.

  • Use different passwords for online banking and shopping sites, for example, so if one of your accounts becomes compromised your other accounts will remain safe.

  • Use multi-factor authentication where possible to keep your accounts safe even if the credentials are compromised.

 


Identification and threat analysis
Technical Report

The technical report below highlights the differences in DNS and registration records between the malicious domain and the legitimate domain.

Domain
  Malicious: boi-online[.]info
  Legitimate: bankofireland[.]com

Registrar
  Malicious: NameSilo, LLC
  Legitimate: MarkMonitor, Inc.

Registrant Organisation
  Malicious: PrivacyGuardian.org llc
  Legitimate: The Governor and Company of Bank of Ireland

Registrant Country
  Malicious: United States
  Legitimate: Ireland

Domain Age
  Malicious: 1 day old (created 13 December 2022)
  Legitimate: 9,276 days old (created 22 July 1997)

Certificate
  Malicious: Issued by Let's Encrypt to *.boi-online.info; domain validated; 03-12-2022 -> 03-03-2023 (valid for 3 months)
  Legitimate: Issued by QuoVadis Limited to Bank of Ireland; organisation validated; 13-01-2022 -> 13-01-2023 (valid for 1 year)

Name Servers
  Malicious: DESI.NS.CLOUDFLARE.COM, HARLAN.NS.CLOUDFLARE.COM
  Legitimate: NS1.BANK-OF-IRELAND.NET, NS2.BANK-OF-IRELAND.NET, PDNS1.CSCDNS.NET, PDNS2.CSCDNS.NET

Last Seen Active
  Malicious: 13 December 2022
  Legitimate: 13 December 2022

IP Address
  Malicious: 104.21.72.61, 172.67.175.243 (Toronto, Ontario, Canada; AS13335 Cloudflare, Inc.; ISP: Cloudflare, Inc.; Organisation: Cloudflare, Inc.)
  Legitimate:
    192.64.119.136 (New York, United States; AS22612 Namecheap, Inc.; ISP: Namecheap; Organisation: Web-hosting.com)
    103.57.220.69, 202.92.5.156 (Hanoi, Vietnam; AS135905 VIETNAM POSTS AND TELECOMMUNICATIONS GROUP; ISP: INET; Organisation: iNET Media Company Limited)
    89.185.145.210 (Dublin, Leinster, Ireland; AS41678 The Internet Business Ltd; ISP: The Internet Business Ltd; Organisation: BOI Dedicated)
    107.162.134.151 (New York, New York; AS55002 Defense.Net, Inc; ISP: Defense.Net, Inc; Organisation: Defense.Net, Inc)
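As an added example (not part of the Bfore.Ai report), the following Python turns the indicators the technical report contrasts (brand acronym in an unofficial domain, a day-old registration, a WHOIS privacy proxy as registrant, a domain-validated wildcard certificate) into a simple triage score. The two records are constructed from the report's figures; the weights, the 30-day age threshold and the verdict threshold are assumptions.

```python
# Added example (not from the Bfore.Ai report): scores a domain record against the
# indicators the report contrasts. Records are constructed from the report's table;
# weights, the 30-day age threshold and the verdict threshold are assumptions.
import re
from datetime import date

REPORT_DATE = date(2022, 12, 14)                  # date the spoof was identified
BRAND_NAME, BRAND_ACRONYMS = "bankofireland", {"boi"}
LEGIT_DOMAINS = {"bankofireland.com"}             # the bank's own registrable domain
PRIVACY_PROXIES = {"privacyguardian.org llc"}     # WHOIS privacy services (assumed list)
WEIGHTS = {"brand_in_unofficial_domain": 3, "registered_within_30_days": 3,
           "privacy_proxy_registrant": 1, "dv_wildcard_certificate": 1}

# Constructed from the report's table (dates as given there).
SUSPECT = {"domain": "boi-online.info", "created": date(2022, 12, 13),
           "registrant_org": "PrivacyGuardian.org llc",
           "cert_validation": "DV", "cert_subject": "*.boi-online.info"}
LEGIT = {"domain": "bankofireland.com", "created": date(1997, 7, 22),
         "registrant_org": "The Governor and Company of Bank of Ireland",
         "cert_validation": "OV", "cert_subject": "Bank of Ireland"}

def mentions_brand(domain: str) -> bool:
    """Brand name as a substring of the registrable label, or the acronym as a
    whole token of it ('boi-online' -> {'boi', 'online'}); whole-token matching
    keeps a three-letter acronym from firing on unrelated words."""
    label = domain.lower().split(".")[0]
    tokens = set(re.split(r"[^a-z]+", label)) - {""}
    return BRAND_NAME in label.replace("-", "") or bool(tokens & BRAND_ACRONYMS)

def domain_age_days(rec: dict, today: date = REPORT_DATE) -> int:
    return (today - rec["created"]).days

def indicators(rec: dict, today: date = REPORT_DATE) -> dict:
    """One boolean per WEIGHTS key, derived from the record."""
    return {
        "brand_in_unofficial_domain":
            rec["domain"] not in LEGIT_DOMAINS and mentions_brand(rec["domain"]),
        "registered_within_30_days": domain_age_days(rec, today) <= 30,
        "privacy_proxy_registrant": rec["registrant_org"].lower() in PRIVACY_PROXIES,
        "dv_wildcard_certificate":
            rec["cert_validation"] == "DV" and rec["cert_subject"].startswith("*."),
    }

def score(rec: dict, today: date = REPORT_DATE) -> int:
    return sum(WEIGHTS[k] for k, hit in indicators(rec, today).items() if hit)

def verdict(rec: dict, today: date = REPORT_DATE, threshold: int = 5) -> str:
    return "suspicious" if score(rec, today) >= threshold else "benign"
```

Run against the two records, the spoof scores 8 (every indicator fires) and the bank's own domain scores 0; the age computation reproduces the report's 1-day and 9,276-day figures.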


How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks are stopped before they even reach their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators identified per day, we have you covered no matter where the attack comes from. With a false positive rate of only 0.05%, you can stop wasting time chasing false alerts. With our PreCrime and PreEmpt technologies, we measure how far in advance of an attack starting we anticipate it, moving faster than the attackers.

Accepting that the only defense is good detection is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information!


Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.