Typosquatting Domains. PHOTO: Cybercrime Magazine.

Cyber Deception: Will The Real Edward Jones Website Please Stand Up?

Bulk Domain Search for Hundreds of Detected “Edward Jones” Possible Typosquatting Domains

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Jul. 8, 2020

The financial industry has always been hardest hit when it comes to cyberattacks. It is often 300 times more likely to become a target compared to other sectors. But there is a slew of cybersecurity methods and best practices specifically for the financial services industry, and among them is early typosquatting protection and detection.

As an investment company looking to launch a bank, Edward Jones could have a good grasp of typosquatting dangers based on the hundreds of domain names related to Edward Jones Bank detected by our typosquatting data feed. The only remaining question is: Are these domains part of the financial company’s typosquatting protection strategy? Or is Edward Jones likely to be the target of an attack or brand abuse? A bulk domain search of the online properties can provide more context.

Edward Jones Typosquatting Domains

Edward Jones announced on Jul. 1, 2020 that it applied to set up the Edward Jones Bank. On the same day, our typosquatting protection tool detected 155 domain names that contain the following strings:

  • “edwardjonesbank”
  • “jonesbank”
  • “edjbank”
  • “edjones”

On 2 July, another batch of 136 typosquatting domains appeared in the Domain Name System (DNS). A total of 291 Edward Jones Bank domains were detected in two days. The domains used different generic top-level domains (gTLDs), including .com, .biz, .info, .expert, .mobi, and .org. A few examples are listed below:

  • edwarddjonesandbankco[.]info
  • edwardjonesbank[.]mobi
  • eddjonesbank[.]com
  • edjonesbank[.]expert
  • edwardjonesbankandco[.]org
  • edwardjonesbank[.]mobi
  • ejbankank[.]biz
  • ejbankank[.]org
  • ejbankank[.]info
  • edjbank[.]info
  • ejdbank[.]biz
  • edjonesandcobank[.]info
  • edjonesandcobank[.]com

Bulk Domain Search of the Typosquatting Domains

We are inclined to believe that Edward Jones registered several of these domains as part of its typosquatting protection strategy. However, some domains had redacted WHOIS records so we can’t say that the company owns 100 percent of the lookalike domains.

Here are some of our findings after running the domains on via a bulk domain search query:

  • Registrar name: The registrar of all domains except one is CSC Corporate Domains, Inc. One domain, edabank[.]ru, has RU-CENTER-RU as registrar.
  • Registrant name: 79 domains were registered under Edward Jones while 107 redacted their registrants’ names. The rest left the field blank.
  • Registrant organization: All domains except edabank[.]ru was registered under Edward D. Jones & Co. L.P.
  • Registrant address: 79 domains bear the address 201 Progress Parkway, Maryland Heights. On the other hand, 107 domain names redacted their registrants’ addresses while the rest left their addresses blank.
  • Registrant email address: The 79 domains registered under Edward Jones used domainadmin@edwardjones[.]com as their email address. The rest left out their email addresses.

Only 79 of the domain names had WHOIS records that matched that of edwardjones[.]com, the official domain of Edward Jones. They also had the same registrant name, organization, email address, and telephone number. For these 79 domains, we can say that Edward Jones registered them in anticipation of the bank they would be launching.

The financial institution could also own the rest of the domains but we can’t say for sure. There is no room for assumption in the cybersecurity realm, so we would advise Edward Jones’s clients, employees, and partners to take utmost caution when dealing with any of the questionable domains.

Typosquatting domains are particularly alarming as they could be used to deceive the clients of a financial institution into giving sensitive information. A small mistake when typing the company’s domain name could lead clients to a lookalike website that steals their data. Threat actors could also use the typosquatting domains to make scam and phishing emails more believable.

Institutions should be proactive by registering typosquatting domains before anyone else can. However, with thousands of possible combinations for a single company name, not to mention homograph attacks, it is best to employ tools that can detect typosquatting domains as early as possible. Bulk domain search queries, in addition, can help learn more about potentially suspicious domains.

Whois XML API Archives

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.

Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.