Digital Federal Credit Union, better known as DCU, is a not-for-profit financial cooperative. DCU was chartered in October of 1979. Since then, DCU has been chosen as the credit union for more than 700 companies and organizations.

During our PreCrime internet scout of November 23rd 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting customers of DCU.


The Attack

This attack shows a brand impersonation attack on the American financial institution, Digital Federal Credit Union (DCU), based in Massachusetts and with over 1 million members.

How does this attack work ?

• Users may be led to the malicious website through a phishing campaign, wherein they are asked to go to the website in order to verify their identity due an issue. The threat actors will likely attempt to convince users that this is an urgent matter, a tactic often used to make victims feel a sense of urgency and thereby more likely to comply.

• When opening the webpage, users are asked to sign into their personal or company DCU account, using their username and password. Once entering their credentials users are asked to fill in account information, including last name, phone number and email address. Users are then allegedly sent a 6 digit code to their phone number for verification. Once those steps are completed users are told that their account has been successfully verified before automatically directing users to the legitimate website. These steps are shown in the images below.

• Attempted login with fake credentials on the malicious site leads users to an account information site.

 

 

• During this process fake information was used in order to determine the validity of the website. If we compare to the legitimate website, by entering fake credentials we are unable to login and get the following message.
  
  

• Attempted login with fake credentials on the legitimate site.

 

 

How do they trick users into believing the attack is real ?

• Using branding from DCU including the same logo, colours and font.

• The website has the exact same layout as the legitimate login page.

• Two links exist on the malicious and legitimate site, forgot your username? and forgot your password?. On the legitimate site, these links redirect users to a different site where they can get help to gain access to their account. On the malicious site, these links do not work.

If successful, this attack would provide threat actors with access to sensitive personal information about the individual or corporate user, allowing threat actors to take control of their bank account and steal their money. Corporations using DCU would also be at risk of their internal network being compromised, if their credentials used at DCU correspond to those they use for work.

Domain brand impersonation does not just lead to theft of sensitive personal information, but could also result in malware infection for both private consumers and global corporations depending on the target and end goal of the threat actor. This occurs when stolen credentials are sold on the dark web, giving other threat actors the ability to conduct further attacks against the user(s) such as ransomware attacks. Such attacks could pose serious consequences for the company, including high monetary costs, disrupting business operations, exposure of confidential data and reputational damage.

• A cyber incident of DCU could ultimately result in the loss of around 1.2 million USD.

• Companies connected to DCU could run the risk of a data breach which as of 2022 could result in the loss of around 4,35 million USD.

• If individual consumers were to become a victim of this attempt to gain their personal information over the internet, they could lose between 2-3 thousand USD.

Identification and threat analysis

Technical Report

The technical report below helps emphasize the differences in terms of DNS records between the malicious domain and the legitimate domain.

Domain	1dcu-0rg-ver1fy[.]tk	dcu[.]org
Registrar	Private ownership records	GoDaddy.com, LLC
Registrant Country	Private ownership records	United States
Domain Age	2 days old	9,437 days old
Certificate	Issued by: cPanel, Inc. Issued to: 1dcu-0rg-ver1fy[.]tk Domain validated 21-11-2022 → 19-02-2023 Valid for 3 months	Issued by: GoDaddy.com, Inc.. Issued to: Digital Federal Credit Union Organisation validated 30-04-2022 -> 30-04-2023 Valid for 1 year
Name Servers	ns01.freenom.com ns02.freenom.com ns03.freenom.com ns04.freenom.com	edna.ns.cloudflare.com hans.ns.cloudflare.com
MX record	N/A	mxa-0017d201.gslb.pphosted.com mxb-0017d201.gslb.pphosted.com
Last seen active	24 November	24 November
IP address	146.190.53.99   Santa Clara, United States AS14061 DigitalOcean, LLC ISP: DigitalOcean, LLC	104.17.112.72, 104.17.113.72, 104.17.114.72, 104.17.115.72, 104.17.116.72 Chantilly, United States AS13335 Cloudflare, Inc. ISP: American Registry Internet Numbers

 

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid - and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

• If in doubt whether an email is legitimate, never click on any links. Go to the legitimate website’s domain instead via a search engine.

• Always double check the domain name to make sure it is the legitimate one.

• Never use the same credentials for work and personal accounts.

• Use different passwords for online banking and shopping sites, for example, so if one of your accounts becomes compromised your other accounts will remain safe.

• Incorporate Multi Factor Authentication where possible to keep your accounts safe even if the credentials are compromised.

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.