Banco Ciudad is a municipal commercial bank in Buenos Aires, Argentina. Its main purpose was fighting usury in the city by giving loans at a below-market interest, in order to reduce social inequalities.
During our PreCrime internet scout of December 6th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting customers of Banco Ciudad.
The Attack
Legitimate site :
bancociudad[.]com[.]ar
hb[.]bancociudad[.]com[.]ar/login
Malicious domain created on December 5, 2022, identified by Bfore.Ai on December 6, 2022
hb-bancociudad[.]com
xn--hb-bancciudad-2kb[.]com
PreCrime score : 0.98*
*Anything above 0.5 is deemed malicious.
This attack shows a brand impersonation attack on on Banco Ciudad de Buenos Aires (The Bank of the City of Buenos Aires), also known as Banco Ciudad.
Malicious site
Lead to fake login page
Legitimate site
How does this attack work ?
Users may be led to the malicious website through a phishing campaign wherein they are asked to go to the website and log in to their account. On the malicious website the threat actors are offering discounts for customers, indicating that phishing emails sent to victims may have focused on enticing them with good deals and discounts in order to lure them into clicking on the link and visiting the malicious site.
When opening the malicious domain users are directed to the website below, showing the bank logo, a few links to other sites and giving users the option to login to their account. As you can see, the website shows discounts for every day of the week that customers can get if they login or become a customer.
How do they trick users into believing the attack is real ?
Using branding from Banco Ciudad including the same logo, colours and font. Additionally, the malicious login page is completely identical to the legitimate one in appearance.
Using a domain name similar to Banco Ciudad. See the differences below:
Punycode is an internet standard which allows web browsers to generate domain names that contain non-Latin alphabets such as Cyrillic. For example, the city München would be encoded as xn--mnchen-3ya. Threat actors use this tactic to disguise real domain names in an attempt to trick users into believing that the domain is legitimate. The threat actors in this attack use the domain xn--hb-bancciudad-2kb[.]com, which displays in the browser URL bar as hb-bancòciudad[.]com, and is very similar to the legitimate login domain URL, hb[.]bancociudad[.]com[.]ar/login. See the punycode conversion below.
Why is this a threat ?
If successful, this attack would provide threat actors with access to sensitive personal information about the individual or corporate user, allowing threat actors to take control of their bank account and steal their money. Corporations using Banco Ciudad would also be at risk of their internal network being compromised, if their credentials used at Banco Ciudad correspond to those they use for work.
Domain brand impersonation does not just lead to theft of sensitive personal information, but could also result in malware infection for both private consumers and global corporations depending on the target and end goal of the threat actor. This occurs when stolen credentials are sold on the dark web, giving other threat actors the ability to conduct further attacks against the user(s) such as ransomware attacks. Such attacks could pose serious consequences for the company, including high monetary costs, disrupting business operations, exposure of confidential data and reputational damage.
A cyber incident of Banco Ciudad could ultimately result in the loss of around 4 million USD.
Companies connected to Banco Ciudad could run the risk of a data breach which as of 2022 could result in the loss of around 4,35 million USD.
If individual consumers were to become a victim of this attempt to gain their personal information over the internet, they could lose between 2-3 thousand USD.
The technical report below helps emphasize the differences in terms of DNS records between the malicious domain, and the legitimate domain.
|
Domain |
hb-bancociudad[.]com xn--hb-bancciudad-2kb[.]com (puny) hb-bancòciudad[.]com (idn) |
bancociudad[.]com[.]ar |
|---|---|---|
|
Registrar |
IONOS SE |
Nicar |
|
Registrant |
Uknown |
Banco de la Ciudad de Buenos Aires |
|
Domain Age |
1 day old 5 December 2022 |
9,258 days old Created 1 August 1997 |
|
Certificate |
Issued by: DigiCert Inc Issued to: *.hb-bancociudad[.]com *.xn--hb-bancciudad-2kb.com Domain validated 04-12-2022 -> 04-12-2023 Valid for 1 year
|
Issued by: Sectigo Limited Issued to: Banco de la Ciudad de Buenos Aires Organisation validated 31-05-2022 -> 02-07-2023 Valid for 1 year
|
|
Name Servers |
ns1019.ui-dns.de ns1094.ui-dns.com ns1099.ui-dns.org ns1106.ui-dns.biz
|
ns1.gblx.net.ar ns2.gblx.net.ar
|
|
MX record |
mx00.ionos.com mx01.ionos.com |
esmeralda.bancociudad.com.ar bancociudad-com-ar.mail.protection.outlook.com mail.bancociudad.com.ar
|
|
Last seen active |
6 December |
6 December |
|
IP address |
74.208.236.238 Philadelphia, Philadelphia, U.S. AS8560 IONOS SE (VPSH, A10K, TOR) ISP: IONOS SE Organization: IONOS Inc |
8.243.10.90 Buenos Aires, Argentina AS3356 Level 3 Communications, Inc. ISP: CTL Argentina Organization: Banco Ciudad De Buenos Aires
190.221.154.90 Buenos Aires, Argentina AS11664 Techtel LMDS Comunicaciones Interactivas S.A. ISP: Telmex Argentina S.A Organization: Banco Ciudad De Buenos Aires
|
How Bfore.Ai is protecting our customers
At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.
With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.
Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !
If in doubt whether an email is legitimate, never click on any links. Go to the legitimate website’s domain instead via a search engine.
Always double check the domain name to make sure it is the legitimate one.
Never use the same credentials for work and personal accounts.
Use different passwords for online banking and shopping sites, for example, so if one of your accounts becomes compromised your other accounts will remain safe.
Incorporate Multi Factor Authentication where possible to keep your accounts safe even if the credentials are compromised.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.