
[SCAM ALERT 071] - Allied Irish Banks



Allied Irish Banks, p.l.c. is one of the so-called Big Four commercial banks in Ireland. AIB offers a full range of personal, business and corporate banking services. 

During our PreCrime internet scout of December 1st 2022 we identified suspicious markers across multiple vectors. One of them was this spoofed website, which appears to target unsuspecting customers of AIB.


The Attack

Legitimate site:

aib[.]ie

Malicious domain, created on November 29, 2022 and identified by Bfore.Ai on November 30, 2022:

aibsecure-web[.]com

 

This website shows a brand impersonation attack on a financial services group operating predominantly in the Republic of Ireland and the UK, Allied Irish Banks, p.l.c. (AIB).


How does this attack work?

  • The URL leads users to a website where they are asked to log in to their AIB bank account to verify their details because of a suspicious transaction supposedly made earlier in the day.

  • Users are asked to enter their personal information, including debit/credit card details, in order to log in and view the transaction.



How do they trick users into believing the attack is real?

  • Brandsquatting: the threat actor registered a domain name that resembles the legitimate one.

  • The threat actor uses two different arguments to lure users into believing the scam. First, users are told that they must log in to their bank account to avoid their card being automatically deactivated. Second, users are told that a suspicious transaction was made earlier in the day and that they must verify their Visa card by filling in their debit/credit card details as a security precaution, after which they will be able to cancel or accept the transaction and avoid their card being automatically deactivated. Both arguments are an attempt to convince users that this is an urgent matter that must be resolved now, a tactic often used to create a sense of urgency so that victims are more likely to comply.

  • Users may be led to the malicious website through a phishing campaign in which they are asked to visit the website to verify their identity and review a recent transaction. Again, the attacker will likely use arguments similar to those above to convince users to comply with the scam.

 

Why is this a threat?

If successful, this attack would give threat actors access to sensitive personal information about the individual or corporate user, allowing them to take control of the victim's bank account and steal their money. Corporations banking with AIB would also be at risk of their internal network being compromised if the credentials used at AIB are the same ones employees use for work.

Domain brand impersonation does not only lead to theft of sensitive personal information; depending on the target and the end goal of the threat actor, it can also result in malware infection for both private consumers and global corporations. This happens when stolen credentials are sold on the dark web, giving other threat actors the ability to conduct further attacks against the user(s), such as ransomware attacks. Such attacks can have serious consequences for a company, including high monetary costs, disruption of business operations, exposure of confidential data and reputational damage.

  • With a yearly revenue of around 2 billion EUR, a cyber incident at AIB could ultimately result in a loss of up to 8 million EUR.

  • Companies connected to AIB could run the risk of a data breach, which as of 2022 could result in a loss of around 4.16 million EUR.

  • If individual consumers were to fall victim to this attempt to obtain their personal information over the internet, they could lose between 2 and 3 thousand EUR or more, depending on the individual consumer's bank account.

 
 
Identification and threat analysis

Technical Report

The technical report below compares the registration, certificate and DNS records of the malicious domain with those of the legitimate domain; the differences are the markers that make the impersonation recognisable.

Domain
  Malicious: aibsecure-web[.]com
  Legitimate: aib[.]ie

Registrar
  Malicious: OwnRegistrar, Inc.
  Legitimate: CSC Domains Inc

Registrant Organisation
  Malicious: N/A
  Legitimate: AIB Group

Domain Age
  Malicious: 2 days old (registered 29 November 2022)
  Legitimate: 7,843 days old (registered 11 June 2001)

Certificate
  Malicious: issued by Let's Encrypt to aibsecure-web[.]com; domain validated; 29-11-2022 -> 27-02-2023 (valid for 3 months)
  Legitimate: issued by DigiCert Inc to Allied Irish Banks, p.l.c; organisation validated; 26-06-2022 -> 06-07-2023 (valid for over 1 year)

Name Servers
  Malicious: ns1.bitcoin-dns.com, ns2.bitcoin-dns.com
  Legitimate: ns1.netnames.net, ns2.netnames.net, ns6.netnames.net

MX Record
  Malicious: aibsecure-web.com
  Legitimate: cust39748-1-in.mailcontrol.com, cust39748-2-in.mailcontrol.com

Last seen active
  Malicious: 30 November
  Legitimate: 1 December

IP address
  Malicious: 162.222.213.71 (Amsterdam, The Netherlands; AS60558 PHOENIX NAP, LLC.; ISP: PHOENIX NAP, LLC.; Organisation: USWHSS.COM)
  Legitimate: 194.69.198.194 (Dublin, Ireland; AS16282 Allied Irish Banks PLC; ISP: Allied Irish Banks PLC; Organisation: Allied Irish Banks PLC)

 

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks are stopped before they even reach their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With a false positive rate of only 0.05%, you can stop wasting time chasing false alerts. With our PreCrime and PreEmpt technologies, we measure how far ahead of an attack's start we identify it, so that we act faster than the attackers.

Accepting that the only defense is good detection means accepting that you will forever be a victim. We believe in prevention more than response. Visit our website for more information!

 

Bfore.Ai’s recommendations

  • If in doubt whether an email or text message is legitimate, never click on any of its links. Instead, go to the legitimate website's domain via a search engine.

  • Always double-check the domain name to make sure it is the legitimate one.

  • Never use the same credentials for work and personal accounts.

  • The padlock next to the domain name only shows that the connection to the site is encrypted; it does not mean that the website you are visiting is legitimate. Cyber criminals routinely obtain certificates (in this case a free, domain-validated Let's Encrypt certificate) so that their malicious sites display the padlock and fool visitors.

  • Use different passwords for, for example, online banking and shopping sites, so that if one of your accounts is compromised your other accounts remain safe.

  • Enable multi-factor authentication (MFA) wherever possible to keep your accounts safe even if the credentials are compromised.





 




Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.