Banco Patagonia is an Argentinian bank founded in 1976 and part of the Merval, the main stock index of the Buenos Aires stock exchange.

During our PreCrime internet scout of November 4th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting customers of Banco Patagonia.


The Attack

Target: 

• Customers of Banco Patagonia

Possible threats:

• Credential harvesting and financial gain - After luring users to the site, they are asked to login to their Banco Patagonia account using their credentials, allowing threat actors to take control of their bank account and steal their money. Customers may be led to the website via a phishing campaign, asking them to click on a link to resolve an issue with their account for example.
• Since Banco Patagonia provides services for both individuals as well as small and medium sized companies, companies connected to Banco Patagonia are also at risk of stolen credentials. With 51% of people using the same passwords for both their work and personal accounts, any stolen credentials may provide threat actors with internal access to a company network leaving them vulnerable to financial loss, sensitive and confidential data leaking, as well as further cyber attacks such as ransomware.

Such a scam could result in a loss of around 2.3-3.5 millions dollar loss for the bank.

Technical Breakdown

Threat Indicators

• Malicious domains impersonating Banco Patagonia
• DNS records of malicious domain different to Banco Patagonia
• Newly registered sites - November 1-3 2022
• MX record indicates domain may be part of a phishing campaign
• SSL certificates expire after three months
• IP address blacklisted

Detection and Threat Analysis

The malicious domains are targeting Banco Patagonia, an Argentinian commercial bank owned by Banco de Brasil and headquartered in Buenos Aires. The provides a range of financial solutions for individuals, corporations, small and medium sized companies, private banking, and institutional customers. The malicious domains were created between November 1-3, 2022 and identified by Bfore.Ai November 4, 2022.

• Two of the malicious sites (onlineparsonas-epatagonia[.]com and multipatagonionline-inicio[.]com) first show users a 'home page' for the bank. All links on these sites simply refresh the website, except for the link in the middle of the website, which leads users to a login page that mirrors the legitimate one from Banco Patagonia. The final malicious site (enpatagonian-online) leads users directly to a cloned login page. On the malicious login pages, all links on the website simply refresh the page, ensuring that victims stay on the same login page and are therefore, more likely to simply enter their bank credentials.

• The DNS records are different to the DNS records of the legitimate website. The main point of interest is that the legitimate domain is registered under it’s own organisations name (Banco Patagonia S.A), whereas the malicious domains are all registered under different registrars, with different certificates, and IP addresses without including an organisation name. Legitimate companies will always include their organisation name in DNS records in order to verify their legitimacy as Banco Patagonia has done. See further details and comparison between the malicious and legitimate domain below.

• While the domains all show different DNS records, their almost identical website structure and registration dates indicate that it is most likely the same threat actor behind all three domains.

• One of the domains (multipatagonionline-inicio) has registered MX records, giving the threat actors the ability to accept and send email messages on behalf of the domain names. It indicates that the threat actors may be setting up the domain to be part of a phishing campaign that leads to the malicious domain.

• The registered SSL certificates expire after three months indicating malicious intent. Legitimate companies will more commonly ensure their certificate lasts at least 1 year and as mentioned earlier, include their organisation name (Banco Patagonia S.A).

• The domains resolve to different IP addresses in different locations (Singapore, Brazil and the United States) where two of them have been blacklisted by spfbl.

VirusTotal Graph

DNS Record

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid - and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

• Pay close attention to the URL

• Check connection security indicators (the lock)

• Read emails carefully

• Look for trust seals

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.