03 Aug Domain Spoofing: Is Bank of America’s Typosquatting Protection Enough?

This might just be the tip of the iceberg

– Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Aug. 3, 2020

Bank of America is no stranger to human error and security issues. In April this year, amid the coronavirus pandemic, the bank possibly suffered a data breach while processing Paycheck Protection Program (PPP) loan applications.

Like other financial institutions, the bank also appears to be a common target of typosquatting. We talked about this in a previous post that analyzes typosquatting domains detected in relation to Bank of America’s settlement case.

But this might just be the tip of the iceberg.

In the past months, we detected an additional 200+ Bank of America lookalike domains using a new similarity index technique. Let’s take a closer look.

200+ Typosquatting Bank of America Domain Names

From 1 May to 5 July 2020, We picked up 205 domain names containing the text string “bankofameric.” We used fuzzy matching to detect the domains, so even those that do not fully match the search term were included in the results. We also rated the typosquatting domains’ relevance to the text string and found that the results matched the term with similarity percentages ranging from 72 percent to 100 percent.

We looked closer into the typosquatting domains with similarity ratings above 86 percent. Here is the list:

• bankofamerica[.]icu            (100%)
• bankofamerica[.]ooo           (100%)
• bankofamerica4[.]com        (92.86%)
• bankofamericae[.]com        (92.86%)
• bankoflamerica[.]com         (92.86%)
• bankofamericea[.]com        (92.86%)
• bankofamerifca[.]com         (92.86%)
• bankofamferica[.]com         (92.86%)
• bankhofamerica[.]com        (92.86%)
• bankrofamerica[.]com         (92.86%)
• bankvofamerica[.]com         (92.86%)
• bankofamberica[.]com         (92.86%)
• bankofamericxa[.]com         (92.86%)
• bankoffmerica[.]com            (92.31%)
• bank0famerica[.]online        (92.31%)
• bankoamerica[.]best             (92.31%)
• bankoamerica[.]group          (92.31%)
• banofamerica[.]link               (92.31%)
• bnkofamerica[.]us                 (92.31%)
• bank0famerica[.]click           (92.31%)
• bankofamerika[.]net             (92.31%)
• baokofamerica[.]com           (92.31%)
• bankofamer1ca[.]com          (92.31%)
• banbofamerica[.]com           (92.31%)
• bankofamericaus[.]com       (86.67%)
• bankofamericaco[.]com       (86.67%)
• bankofamericaes[.]com       (86.67%)
• bankofameiricas[.]com        (86.67%)
• bankofamericain[.]com        (86.67%)
• banks-ofamerica[.]com        (86.67%)
• boaankofamerica[.]com       (86.67%)
• banksofamerican[.]com       (86.67%)
• bankerofamerica[.]com        (86.67%)
• banksofamericas[.]net.         (86.67%)
• bankoffamericas[.]com.        (86.67%)
• idbankofamerica[.]com         (86.67%)

The domain names that got a rating of 100 percent only differed from that of the legitimate Bank of America domain because of their change in top-level domain (TLD) extension. Using a different TLD is a primary typosquatting tactic.

To provide more perspective, the following are the last 20 domains with similarity ratings below 77 percent:

• bofamerica[.]site                    (76.92%)
• bofamerica[.]click                  (76.92%)
• bankcomerica[.]com              (76.92%)
• bnoamerica[.]com                  (76.92%)
• bankifmaerica[.]com              (76.92%)
• bankofmaeroca[.]com            (76.92%)
• babnofamarica[.]com            (76.92%)
• back-america[.]com               (76.92%)
• backnamerica[.]com              (76.92%)
• bofaofamerica[.]com             (76.92%)
• bankofamericazoom[.]com   (76.47%)
• bankofamericadept[.]com    (76.47%)
• bankofnkofamerica[.]com    (76.47%)
• westbankofamerica[.]ru       (76.47%)
• bankofamerica-app[.]com    (76.47%)
• sign-bankofamerica[.]com   (72.22%)
• issu-bankofamerica[.]com   (72.22%)
• issu-bankofamerica[.]com   (72.22%)
• bankofamericapayid[.]com  (72.22%)

A majority of these domains can still be considered Bank of America lookalike domains, and the uninitiated could easily fall for phishing scams that use any of them.

Aside from the fuzzy search results, some domain names that had Punycode characters were also detected, such as the following:

• b̔ankofamerica[.]ws       (xn--bankofamerica-bth[.]ws)
• ibankofamеrica[.]ws      (xn--ibankofamrica-43k[.]ws)
• b̔ankofaᴍerica[.]ws        (xn--bankofaerica-g9g6024g[.]ws)

Punycode domain spoofing attacks are hard to detect, as they take advantage of the similarities between Unicode and ASCII characters. The character “b̔” in the first domain on the list above, for example, has an inconspicuous notation above it.

Bank of America’s Fight against Domain Spoofing: What We Know

Typosquatting is not new, especially to financial sector companies. Most banks, including Bank of America, fight against the threat by registering thousands of lookalike domains in anticipation of attacks. How did we know?

According to WHOIS Lookup, the bank uses the following WHOIS details for bankofamerica[.]com:

• Domain name: Domain Administrator
• Domain organization: Bank of America
• Registrant address: 5000 US HWY 17, Fleming Island, Florida, United States
• Registrant email address: domain[.]administrator@bankofamerica[.]com

We ran these data points on a reverse WHOIS search, and 8,595 lookalike domain names appeared. These domains include bancoamerica[.]us, bancoamerican[.]com, bancofamerica[.]net, and bancofamericafunds[.]com. Indeed, Bank of America is fighting domain spoofing by preventing threat actors from getting hold of copycat domain names.

But apparently, this is not enough. With over 2,000 TLDs and countless ways to misspell the string “bankofamerica,” the number of possible typosquatting domains is overwhelming.

Looking into the WHOIS Records of the Typosquatting Domains

You may be wondering: Are the typosquatting domains above already a part of Bank of America’s typosquatting protection strategy?

Looking at the WHOIS records of the lookalike domains can help confirm or refute this question, so we ran them through a bulk WHOIS lookup. However, of all the domains, only one (bankofamerica4[.]com) had a WHOIS record whose contents matched that of Bank of America.

The WHOIS records of 69 domains have either been redacted for privacy or used privacy protection services. The top 5 registrant countries were the U.S., Panama, Canada, Nigeria, and China.

Scrutinizing the Trustworthiness of the Lookalike Domains

Without further analysis, we can say that only one domain can be trusted at this point — bankofamerica4[.]com — the one belonging to Bank of America as evidenced by its WHOIS record. The rest of the domains are suspicious as they imitate the legitimate domain of a reputable institution.

We can only speculate about their owners’ intentions, but some typosquatting domains are used in phishing and spam campaigns. We have also seen them used in business email compromise (BEC) scams.

For utmost protection, organizations should warn their staff about copycat domains and probably block these from entering their network. However, for discussion and to satisfy our curiosity, we ran some of the domains on VirusTotal. We found that the following were tagged “malicious” due to possible involvement in phishing and spamming activities:

• bankofamerica[.]icu
• banofamerica[.]link
• bnkofamerica[.]us
• bank0famerica[.]click
• bankofamerika[.]net
• check-bankofamerica[.]com
• signon-bankofamerica[.]com
• bankofamerica-com[.]com
• secureonline-bankofamerica[.]com

On the other hand, the domains below were deemed “suspicious” by at least one engine:

• bankofamerica[.]ooo
• bankofamericae[.]com

Seven of the malicious and suspicious domains had at least a 90 percent fuzzy search similarity rating. Note, too, that even those that weren’t tagged “suspicious” or “malicious” should not necessarily be trusted.

Take, for instance, flagscapebankofamerica[.]com, which was deemed “clean” by VirusTotal at the time of this writing. According to a DNS lookup, it resolves to IP address 199[.]59[.]242[.]153. This IP address had been reported 121 times for various types of abuse on AbuseIPDB. The fact that it is a typosquatting domain and resolves to a malicious IP address should raise a red flag.

As the above case study shows, rigorous and effective typosquatting protection strategy involves early typosquatting detection. By detecting lookalike domains as they appear in the Domain Name System (DNS), organizations can instigate preventive measures before threat actors can weaponize them.