Skip to content
All posts

[SCAM ALERT 053] - Stash Financial, Inc.


Stash Financial, Inc. is a digital financial services company offering financial products for U.S. based consumers.

During our PreCrime internet scout of October 10th 2022 we identified suspicious markers across multiple vectors.

The Attack


Stash Financial, Inc. customers and/or individuals interested in investment.

Possible threats:

  • Phishing campaign - luring customers to the site by sending them a message impersonating Stash Financial, Inc. with a link to the malicious domain.
  • Credential harvesting and financial gain - After luring users to the site, users will led to a page where they need to enter their personal and financial details.
  • Malware - by infecting a victims devices with malicious software by using a websites infected by exploit kits.


Technical Breakdown

Threat Indicators

  • Malicious domain impersonating Stash Financial, Inc.
  • DNS records of malicious domain completely different to Stash Financial, Inc.
  • Newly registered site - October 5 2022
  • SSL certificate expires after three months
  • MX record indicates domain may be part of a phishing campaign


Detection and Threat Analysis

The malicious domain, stash-bank[.]online has been targeting Stash Financial, Inc. (, an American financial services company that operates both a web platform and a mobile app, allowing users to invest. The malicious domain was created October 5, 2022 and detected by October 10, 2022.

  • The website content attempts to duplicate the original website, however with visible differences as seen on the first page that loads - where the malicious site states ‘Get the investing app for building long term wealth' whereas the legitimate one states 'Investing made easy’. This indicates that the malicious site may be creating a malicious app for users to download. Additionally, all outgoing links on the malicious domain do not work, giving the user a 404 Page not found site by the registrar, indicating that the malicious domain may still be under development.
  • The DNS records are completely different to the DNS records of the legitimate website. The legitimate domain is registered in the United States via Amazon, whereas the malicious domain is registered in Russia via a Russian domain registrar. See the details below.
  • The domain has registered MX records, giving the threat actors the ability to accept and send email messages on behalf of the domain names. It indicates that the threat actors may be setting up the domain to be part of a phishing campaign that leads to the malicious domains.
  • The registered SSL certificate expires after three months indicating malicious intent.
  • The IP address has a lot of malicious traffic with over 300 .EXE malicious files communicating with it since 2014. The IP address has been blacklisted by SPFBL and UCEProtect.


  • Since the malicious domain was created on October 5, the darknet site, Russian Market has been selling stash credentials for, , and . These credentials have seemingly been stolen using malware info stealers: Redline, Vidar, and Racoon. The below screenshots show the all the logs being sold were stash credentials are listed.



DNS Records



How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid - and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals



This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.