
Social engineering as dramaturgy, or what a phishing domain and "Chekhov's gun" have in common


Hello! My name is Vitaly Andreev and I work as a lead expert in the ETHIC area at Infosecurity. Over the past year I have accumulated many examples of popular fraudulent schemes that I would like to share, and along the way I want to analyze a few trends from the world of phishing and social engineering.

About 1,000 new domain names are registered on the internet every day, several times more than the number of really active sites. Covering every scenario of their use in one article would be pointless and very long, so let's talk only about some of them, namely the use of domain names for fraudulent purposes.

The problem of phishing and social engineering can affect absolutely any user of the network. Stumbling upon a phishing site or encountering some other manifestation of social engineering is much easier than, say, picking up a Trojan (although the Trojan will most likely be delivered to you using social engineering methods too). Why did I decide to compare social engineering with drama? Because it is built on roughly the same principle of plot construction as a work of fiction, and the victim finds themselves at the very heart of a kind of performance.

A successful domain name is half the success of a phishing or fraudulent website. But good domains are not lying around on the road, so scammers register suitable domain names in advance and leave them waiting in the wings. The situation is seen most clearly in the example of banks. Every week, approximately one and a half thousand domains containing the element "bank" are registered. Moreover, the more popular the bank, the more eagerly people want a similar-sounding domain name.
For example, in February, variations of domain names containing the words "sberbank" and "bonus" and the number "3000" were very popular. Just look:


And another half dozen similar options in various spellings.

All these domains share two common details. Firstly, they were registered through the company "Beget", and secondly, none of them leads anywhere.

To understand the purpose of registering these domains, you do not need any secret knowledge or special skills; you just need to enter the magic words "Sberbank Bonus 3000" into any search engine. The output gives typical examples of reviews:

"I registered in Sberbank Online for a bonus of 3000 rubles. I entered the passwords from the SMS, and it turned out that 3000 rubles were withdrawn from my card as CH Debit RUS mOSCOW QIWI AFT. How can I get my money back?"

"I had 120.000 thousand on the card. They took everything. And I went 30 thousand into the minus."

Apparently, someone was going to revive the old scheme that let attackers gain access to the victim's bank account, and the domain names are simply waiting in the wings.

The next most popular word found alongside "bank" is "poll". It's even simpler here: just look in the spam folder of your inbox, where the email subject lines shout about the payout that is waiting for you.

If you follow the link from the email, you will land on a site roughly like this one.


After answering a dozen frankly stupid questions, you will be kindly asked to enter your bank card details, supposedly so that the payout can be made to the card, but in fact so that money can be debited from it. In some cases, however, the fraudsters do not even bother to disguise their scam, and the data entry form states outright that you are paying for someone's mobile phone.

The whole scheme is utterly primitive, but what is surprising is that in recent months it has been actively pushed through Google and Instagram, which can only encourage trusting citizens to believe in its legitimacy.


By the way, real polls from Sberbank come from opros@sberbank.ru.

I just want to note that Sberbank was chosen as an example simply because the largest bank always attracts the attention of all kinds of fraudsters. The logic here is simple: the likelihood that among the potential victims who received a phishing email there will be customers of this particular bank is always quite high. However, plenty of suspicious domains also appear in combination with the names of other well-known brands.


For example, look at the site address of the VimpelCom bonus program. In this case the domain name carries no meaning at all. A generator program obviously did the work here, because poll sites frequently change hosting and move from domain to domain.

Sometimes there are sites that do not mention a brand at all. The poll of the year, and that's it!


In fact, all these poll scams are a slightly modified version of the payout fraud scheme. Only now you also have to answer the questions.


I have always been skeptical about the effectiveness of such fraudulent schemes; they are too clumsy. One thing is written in the email, another on the site, and a third in the process of debiting the money.


For the purity of the experiment, I deliberately turned off all the filters in a test mailbox, and now it looks as if the whole world has suddenly decided to give me money. Do not pay attention to the different dates in the emails: the screenshots were taken over the course of the year, and the most interesting and characteristic emails were selected.


And here is my favorite. I have always wanted to win in the "Repost of the Year" nomination!


Curiously, such mailings are transforming before our eyes. Half a year ago most of the emails contained links leading directly to the scam site; now they contain a link to a file placed in a cloud storage service such as Dropbox, and that file in turn contains the link to the malicious site. This is done to bypass mail spam filters.


One thing is always the same: no matter how the site looks or which brand it hides behind, you will end up on a page of this kind.


Pay attention to the caption "transfer from card to card": the guys are not straining themselves at all.

You are reading this article right now and probably think that such a primitive scam cannot work. Unfortunately, that is not so. Of course, official and reliable statistics on this kind of social fraud do not exist in nature. But given the scale of the mailings and the number of such sites, one can say for sure: the scheme works. Scammers simply would not spend effort and money on something that does not bring them income.

But back to our domains. Phishing and fraud flourish not only in our country. In February it was the Turkish bank Denizbank (one of the top 5 banks in the country) that was unlucky. In just one month, more than four dozen domains connected in one way or another with its name appeared on the network. As in the previous story, they were all registered through the same registrar and do not point to any website. They look like this:


And so on.

Another Turkish bank, Halkbank, got no less.

Of course, I have no evidence that these domains were registered for illegal purposes. But such domain names are a kind of "Chekhov's gun": one day they will certainly "fire", because given their names it is logical to assume that they are designed to mislead the clients of these organizations.

With domains that use the name of a bank, everything is more or less clear, but it also happens that the name contains the word "bank" combined with the name of a city or country.

Here, for example, at the beginning of this year someone seriously decided to go into domaining and in a couple of weeks created several hundred names like ***bank.com, firstbankof***.com, nationalbankof***.com, ***savingsbank.com and simply bankof***.com (the asterisks stand for the name of some large city or country). Why did I decide that this is domaining? Simply because if you go to one of these sites, you will see a page offering to buy the domain and a link to afternic.com, which is currently unavailable.
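The registration patterns described above (brand name plus "bonus"/"3000", "poll" lures next to "bank", and the "bank of <place>" series) are exactly what a defender can watch for in daily feeds of newly registered domains. The script below is an added example written for this article, not the author's or Infosecurity's tooling: it classifies a constructed list of new domains by those patterns and assigns a severity, while allowlisting the real bank labels so that a genuine address like opros@sberbank.ru is not flagged. The keyword lists, the placeholder geography "krakozia" and the sample domains are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Brand names mentioned in the article; extend this watch list for your own brands.
BRAND_KEYWORDS = ("sberbank", "denizbank", "halkbank")
# Lure words that accompany the "bonus" and "poll" mailings described above
# ("opros" is Russian for poll, "vyplata" for payout). Constructed list.
LURE_KEYWORDS = ("bonus", "3000", "opros", "poll", "vyplata", "payout")
# Shapes of the "bank of <city/country>" registrations; the geographic part is
# generic, so these get medium rather than high severity.
GEO_BANK_PATTERNS = (
    re.compile(r"^(first|national)?bankof[a-z]{3,}$"),
    re.compile(r"^[a-z]{3,}savingsbank$"),
)
# Registrable names that belong to the real organisations. The article notes that
# genuine Sberbank polls come from @sberbank.ru, so that label must not be flagged.
ALLOWED_LABELS = {"sberbank", "denizbank", "halkbank"}

# Constructed sample of one day's new registrations (not real data; "krakozia"
# is a placeholder for a city or country name).
NEW_DOMAINS = [
    "sberbank-bonus3000.ru",
    "sber-bonus-3000.com",
    "denizbank-giris.com",
    "halkbank-musteri.net",
    "firstbankofkrakozia.com",
    "krakoziasavingsbank.com",
    "opros-bank-vyplata.ru",
    "mail.sberbank.ru",
    "example-shop.com",
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    domain: str
    severity: str
    reasons: list = field(default_factory=list)


def registrable_label(domain: str) -> str:
    """Second-level label of a domain ('sberbank' for mail.sberbank.ru).

    Simplification: multi-part public suffixes such as .com.tr are not handled;
    use a public-suffix list in production."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str):
    """Return a Finding for a suspicious domain, or None if nothing matched."""
    label = registrable_label(domain)
    if label in ALLOWED_LABELS:
        return None  # the bank's own registrable name
    compact = re.sub(r"[-_]", "", label)  # sberbank-bonus3000 -> sberbankbonus3000
    brands = [b for b in BRAND_KEYWORDS if b in compact]
    lures = [k for k in LURE_KEYWORDS if k in compact]
    geo = any(p.match(compact) for p in GEO_BANK_PATTERNS)
    reasons = [f"brand:{b}" for b in brands] + [f"lure:{k}" for k in lures]
    if geo:
        reasons.append("pattern:bank-of-place")
    if "bank" in compact and not brands:
        reasons.append("generic:bank")

    if brands and lures:
        severity = "high"        # brand impersonation plus a payout lure
    elif brands or geo or ("bank" in compact and lures):
        severity = "medium"      # brand only, "bank of <place>", or bank + lure
    elif lures:
        severity = "low"         # lure words without any bank reference
    else:
        return None
    return Finding(domain, severity, reasons)


def scan(domains):
    """Classify every domain and return findings ordered by severity, then name."""
    findings = [f for f in map(classify, domains) if f is not None]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.domain))
    return findings


if __name__ == "__main__":
    for f in scan(NEW_DOMAINS):
        print(f"{f.severity:6} {f.domain:28} {', '.join(f.reasons)}")
```

Run against a real zone-file or certificate-transparency feed, the "high" bucket is the one worth a takedown request or a customer warning as soon as the domain starts resolving; the "medium" bucket, which is where the parked Denizbank-style registrations would land, is better kept on a watch list and re-checked for the moment the domain stops "leading nowhere".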


But it is much more interesting when a real fraudulent site appears instead of parked domains, especially if its creators took a creative approach.

A good example of the creative approach is the site fpb-bank.ru. See for yourself: the name was taken from the defunct "Finprombank" back in 2017, while the design and content are copied wholesale from the Ukrainian "ShvidkoGroshi" (http://sgroshi.com.ua/).


The site asked visitors to send scans of their documents in order to register a one-day shell company in their name for a dollar loan. Unfortunately, the resource disappeared as quickly as it appeared, so not even the web archive kept a copy of it. Characteristically, in this case too the domain name was registered in advance, long before the site itself appeared.

Sometimes excavations in the domain space turn up real surprises, or even leave you bewildered. But I hope to devote a separate article to the curious and mysterious events taking place on the network.


Source: https://habr.com/ru/post/442826/


All Articles