Below are examples of domains used by two local banks here in Thailand, UOB and SCB. UOB has actually had a few more "phishing-style" domains in the past, but has since retired them, e.g. "uobcyberbanking.com" and a few others.
The examples above are actually all legitimate domains, owned by the respective bank. For a customer or end user, however, it can be very difficult to tell which domains/sites are legitimate, and to distinguish a legitimate domain from a fake phishing domain pointing to a spoofed website, when so many different domain names are used in parallel.
I was wondering whether even the bank's own staff could spot the difference, so I ran an experiment. In the image above, there is an "scbcreditcard.com" domain that belongs to the bank. A quick check with a domain registrar revealed that the [possibly better named] domain scbcreditcards.com was up for grabs for a few dollars.
Would an employee at the bank, say a customer service representative, know which one of the domains scbcreditcard.com and scbcreditcards.com is fake and which one is real?
I registered the domain scbcreditcards.com, and simply made it redirect to the bank's real site. I then sent off a baited question to the bank on Twitter:
I have a question, @scb_thailand. You have so many domain names, so I'm not sure which ones are legit. Is https://t.co/7mmAZqD6V2 real? pic.twitter.com/oEiN9UdXw3
— KristoferA (@KristoferA) September 30, 2016
The bank eventually replied, but the reply was even more confused. I guess the person operating their Twitter account doesn't even know what an internet domain name is, because they replied that scb.co.th is the only domain name they use.
This is clearly not the case, as they in fact use many more domains, as seen in one of my screenshots above. Had it been true that they only used scb.co.th, that would have been good, and I wouldn't have written this blog post in the first place.
Regardless of the bank's confused answer, it is incredibly difficult for me and other customers [of banks and other companies] to spot a tiny difference like that, especially when so many different domains are used by the same company for its different online services.
In this case I first made the newly registered domain scbcreditcards.com redirect to the bank's own (legitimate) site scbcreditcard.com, but I could have pointed it anywhere, as phishers and other scammers do. I later redirected it to this page, and finally to HIBP (Have I Been Pwned).
Being in control of the domain scbcreditcards.com also means I can buy an SSL certificate for it. Just for the sake of testing/demonstrating this in action, I spent another $10 on a DV (domain-validated) certificate for the same domain. I wonder if the CA has enough checks in place to catch this...
Note: the bank's legitimate site at http://www.scbcreditcard.com doesn't even support https in the first place, which is a bit weak for a site in any way affiliated with a credit card issuer. Even if the site doesn't provide any access to cardholder data, I would expect a site like that to be https-only, with HSTS.
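To make the "https-only, with HSTS" expectation concrete, here is a small Python check, added as an example and not code from the original post, that grades a site from the responses it returns: does the plain-http URL redirect to https on the same host, and does the https response carry a Strict-Transport-Security header with a max-age of at least a year and includeSubDomains? The response headers and the host name example-bank.test are constructed for the illustration, not captured from any bank.

```python
# Added example, not code from the original post: evaluate whether a site is
# https-only with a usable HSTS policy, given the responses it returned.
# The responses and host name below are constructed, not captured from any bank.
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the usual minimum for a meaningful max-age


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_verdict(headers, min_age=ONE_YEAR):
    """Return 'missing', 'malformed', 'too-short', 'no-subdomains' or 'ok'."""
    lower = {k.lower(): v for k, v in headers.items()}
    sts = lower.get("strict-transport-security")
    if sts is None:
        return "missing"
    d = parse_hsts(sts)
    try:
        age = int(d.get("max-age", ""))
    except ValueError:
        return "malformed"
    if age < min_age:
        return "too-short"
    if "includesubdomains" not in d:
        return "no-subdomains"
    return "ok"


def redirects_to_https(http_url, status, headers):
    """True if the plain-http response is a redirect to https on the same host."""
    if status not in (301, 302, 307, 308):
        return False
    lower = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(lower.get("location", ""))
    return target.scheme == "https" and target.hostname == urlsplit(http_url).hostname


def site_verdict(http_url, http_status, http_headers, https_headers):
    """Combine both checks into a list of findings (empty list means fine)."""
    findings = []
    if not redirects_to_https(http_url, http_status, http_headers):
        findings.append("http does not redirect to https")
    v = hsts_verdict(https_headers)
    if v != "ok":
        findings.append("hsts: " + v)
    return findings


# Constructed sample responses (assumed for the example, not observed):
WEAK_HTTP = (200, {"Content-Type": "text/html"})  # serves content over plain http
WEAK_HTTPS = {"Content-Type": "text/html"}        # no HSTS header at all
GOOD_HTTP = (301, {"Location": "https://www.example-bank.test/"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    print(site_verdict("http://www.example-bank.test/", *WEAK_HTTP, WEAK_HTTPS))
    print(site_verdict("http://www.example-bank.test/", *GOOD_HTTP, GOOD_HTTPS))
```

The redirect check insists on the same host so that a redirect to https on some other domain (the situation the rest of this post is about) is not counted as a pass, and the HSTS check treats a short max-age as a finding because a policy that expires in minutes protects nobody who visits less often than that.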
I think it would make a lot of sense for companies to stick to one main domain and, if needed, use subdomains under it. If all of UOB's services were under "uob.co.th" and all of SCB's services were under "scb.co.th", customers would have a single rule to check ("the address ends in scb.co.th"), and it would immediately be harder for phishers to set up fake websites under spoof domains. It would not stop lookalikes of that one domain, but a single pattern is something people can actually learn, whereas a handful of unrelated domains is not.
In the meantime, consumers will have to try to figure out on their own whether a website they're accessing is legitimate or not, and some will continue to fall for spoof/fake/phishing sites. Companies that set up a new domain for every department/product/service are partially to blame when their customers get tricked; it is simply not possible for end users and consumers to spot the difference between a legitimate site and a fake one when the same company uses five different domains for closely related services.
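As an added illustration, not code from the original post, here is the kind of check a bank's own helpdesk or abuse team could run against an allow-list of its legitimate registrable domains. It strips subdomains, flags hosts that merely embed a legitimate name as a label of some other domain, and uses edit distance to catch one-character variants such as scbcreditcards.com versus scbcreditcard.com. The allow-list, the candidate hostnames and the small second-level-suffix table (a stand-in for a real public-suffix list) are all constructed for the example.

```python
# Added example, not code from the original post: flag hostnames that are a
# small edit away from, or merely embed, a bank's known-legitimate domains.
# The allow-list, the suffix table and the candidate hosts are constructed.

LEGIT = {"scb.co.th", "scbcreditcard.com", "uob.co.th"}   # constructed allow-list

# Stand-in for a real public-suffix list: suffixes under which the registrable
# domain is three labels long instead of two (assumption for this example).
SECOND_LEVEL = {"co.th", "co.uk", "com.au"}


def registrable(host):
    """Reduce 'online.scb.co.th' to 'scb.co.th' and 'www.x.com' to 'x.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(host, legit=LEGIT, max_distance=2):
    """Return (verdict, closest legitimate domain, edit distance)."""
    dom = registrable(host)
    if dom in legit:
        return ("legit", dom, 0)
    h = host.lower()
    for name in sorted(legit):
        if name in h:   # legitimate name used as a label of an unrelated domain
            return ("embedded", name, 0)
    best = min(sorted(legit), key=lambda name: levenshtein(dom, name))
    d = levenshtein(dom, best)
    return ("lookalike" if d <= max_distance else "unrelated", best, d)


if __name__ == "__main__":
    for h in ["online.scb.co.th", "www.scbcreditcards.com",
              "scb.co.th.login-example.com", "scb-co-th.com", "example.org"]:
        print(h, classify(h))
```

Two caveats a practitioner should keep in mind: plain edit distance does not catch hyphenated or homoglyph variants (scb-co-th.com scores as "unrelated" here, and an IDN with a Cyrillic letter would too), so a production version would normalise punctuation and confusable characters before comparing; and the check can only ever be as good as the allow-list, which is exactly why a bank that runs five unrelated domains makes life hard for its own staff as well as its customers.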
Does your company have too many different domains? Why? Would it make sense to consolidate them?