“Criminals Exploit Microsoft’s Search Engine for Customer Phishing”

Researchers uncovered a phishing campaign that poisons Bing search results to display fake KeyBank login pages using newly registered domains and crawler-friendly landing pages. The operators use cloaking, server-side redirects, and real-time phishing flows that harvest credentials and can circumvent multi-factor authentication. #KeyBank #Bing

Keypoints

  • Attackers register fresh domains and manipulate Bing indexing so phishing pages appear above the legitimate KeyBank site in search results.
  • Initial landing pages are crafted for crawlers and scanners, presenting benign content to get indexed (cloaking).
  • Victims are server-side redirected from the crawler-friendly page to a malicious, branded KeyBank login portal based on attributes like browser and IP.
  • The phishing site uses HTTPS, but submitted user IDs and passwords reach the operators immediately and in clear text.
  • Operators perform real-time credential harvesting and can bypass MFA by relaying IP/location and prompting victims for one-time codes or security-question answers.
  • Defensive recommendations include stronger phishing-resistant login methods (passkeys), authenticator apps instead of SMS, and browser-based anti-phishing protections.

MITRE Techniques

  • [T1566] Phishing – Used to trick KeyBank customers via search-engine results (‘phishing campaign coming from Bing’s search engine and targeting Keybank customers’).
  • [T1003] Credential Dumping – Attackers collect credentials submitted on the fake login portal (‘Once a victim types their user ID and password, criminals will receive the data immediately’).
  • [T1190] Exploitation of Public-Facing Application – Abused web indexing and search-engine behavior to present malicious pages as legitimate (‘a phishing website created barely two weeks ago is already indexed and displayed before the official one’).
  • [T1071] Command and Control – Maintains communications and control via multiple domains and hosting infrastructure (‘utilizes multiple command and control domains to maintain communication with compromised systems’).

Indicators of Compromise

  • [Cloaking domain] Used to index benign content for crawlers – ixx-kexxx[.]com
  • [Phishing domains] Malicious login portals and redirect targets – xxx-ii-news[.]net, ixxx-blognew[.]com, and 7 more domains
  • [Hosting server] C2/hosting IP – 200.107.207[.]232

Attackers register short-lived domains and publish crawler-friendly pages to poison search results; those pages are intentionally clean so search engines index them quickly. When a real user arrives, server-side logic detects attributes such as IP or browser fingerprint and issues a redirect to a malicious site that mimics the bank’s login portal, enabling seamless credential capture despite the initial benign appearance.
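A defender-side check for the cloaking behaviour described above, added here as an example and not taken from the Malwarebytes write-up: the same URL is fetched once with a search-engine crawler user agent and once with an ordinary browser user agent, redirects are left unfollowed so the first hop stays visible, and any divergence in status, redirect target or page title is reported. The `fetch` callable is injected, so the demo runs offline against constructed responses; the hostnames under `.test` and the stub response tables are assumptions made for the demo.

```python
"""Differential fetch to spot user-agent based cloaking (added example)."""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Bing's published crawler UA string and a common desktop browser UA.
CRAWLER_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str]  # Location header when the server answered with a redirect
    body: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url: str, user_agent: str) -> Response:
    """Live fetch; only used when a real URL is passed (the demo injects a stub)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return Response(resp.status, resp.headers.get("Location"),
                            resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # urllib raises on 3xx once redirects are disabled
        return Response(err.code, err.headers.get("Location"), "")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com/.net, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def page_title(body: str) -> str:
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return " ".join(m.group(1).split()) if m else ""


def detect_cloaking(url: str, fetch: Callable[[str, str], Response] = urllib_fetch) -> list[str]:
    """Fetch once as a crawler and once as a browser; return the discrepancies found."""
    crawler, browser = fetch(url, CRAWLER_UA), fetch(url, BROWSER_UA)
    own = registered_domain(urlsplit(url).hostname or "")
    findings: list[str] = []
    if crawler.status != browser.status:
        findings.append(f"status differs: crawler={crawler.status} browser={browser.status}")
    if browser.location:
        target = urlsplit(browser.location).hostname or ""
        if registered_domain(target) != own:
            findings.append(f"browser is redirected off-site to {target}")
    if crawler.status == 200 and browser.status == 200 and page_title(crawler.body) != page_title(browser.body):
        findings.append(f"title differs: crawler={page_title(crawler.body)!r} "
                        f"browser={page_title(browser.body)!r}")
    return findings


# Constructed responses standing in for a cloaked landing page (no network needed):
# the crawler sees a harmless article, a browser is bounced to a look-alike portal.
CLOAKED = {
    CRAWLER_UA: Response(200, None, "<html><head><title>Daily news digest</title></head><body>...</body></html>"),
    BROWSER_UA: Response(302, "https://secure-login.lookalike.test/portal", ""),
}
# Same page served identically to both clients: nothing to report.
HONEST = {ua: Response(200, None, "<html><head><title>Daily news digest</title></head></html>")
          for ua in (CRAWLER_UA, BROWSER_UA)}


def stub_fetch(table: dict) -> Callable[[str, str], Response]:
    """Build an offline fetch function that answers from a constructed response table."""
    return lambda url, ua: table[ua]


if __name__ == "__main__":
    for name, table in (("cloaked", CLOAKED), ("honest", HONEST)):
        print(name, detect_cloaking("https://landing.example.test/news", fetch=stub_fetch(table)))
```

Because the report says the redirect decision also keys on the visitor's IP, a user-agent-only differential run from an ordinary office address can still see the benign page both times; comparing against the search engine's cached copy, or fetching from more than one vantage point, closes that gap.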

The phishing portal runs over HTTPS (which only protects transport, not what the recipient does with the data) and delivers captured credentials to the attacker in clear text. Operators often employ real-time relay techniques: using the victim’s IP and location (learned from the fake site), they log in to the real bank through proxies so the session appears to come from the same place, then prompt the victim for MFA codes or security-question answers to complete the account takeover, which makes SMS-based 2FA especially vulnerable.

Technical mitigations include adopting phishing-resistant authentication (passkeys), replacing SMS with authenticator apps or hardware tokens, and deploying heuristic browser protections that can intercept known patterns of cloaking and search-engine poisoning. Monitoring for the listed domains and the hosting IP, and reporting new malicious search results to the search provider, are practical immediate responses.
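The monitoring step above in working form, added here as an example and not part of the original report: the IoC list reproduces the masked values exactly as the report prints them (a real deployment substitutes the full, unmasked list), defanged entries are re-fanged, IPs and domains are separated, and constructed proxy and DNS log lines are scanned with subdomain-aware matching so `secure.xxx-ii-news.net` is a hit while `notixxx-blognew.com` is not.

```python
"""Match defanged IoCs from a report against proxy / DNS log lines (added example)."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable, Optional

# Values as printed in the report (masked); swap in the unmasked list for real use.
REPORT_IOCS = [
    "ixx-kexxx[.]com",     # cloaking domain
    "xxx-ii-news[.]net",   # phishing domain
    "ixxx-blognew[.]com",  # phishing domain
    "200.107.207[.]232",   # hosting / C2 IP
]

# Constructed proxy and DNS log lines for the demo (no real traffic).
SAMPLE_LOG = """\
2024-11-12T10:01:02Z 10.0.0.5 GET https://www.keybank.com/ 200
2024-11-12T10:01:09Z 10.0.0.5 GET https://ixx-kexxx.com/news/today 200
2024-11-12T10:01:10Z 10.0.0.5 GET https://secure.xxx-ii-news.net/login 200
2024-11-12T10:02:44Z 10.0.0.7 GET https://example.org/ 200
2024-11-12T10:03:01Z dns 10.0.0.5 query notixxx-blognew.com A
2024-11-12T10:03:05Z 10.0.0.9 CONNECT 200.107.207.232:443 200
""".splitlines()

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with live log data."""
    value = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."),
                          ("hxxps://", "https://"), ("hxxp://", "http://")):
        value = value.replace(broken, fixed)
    return value


def load_iocs(raw: Iterable[str]) -> tuple[set[str], set[str]]:
    """Split a mixed IoC list into domain and IP sets (IPs normalised via ipaddress)."""
    domains: set[str] = set()
    ips: set[str] = set()
    for item in raw:
        value = refang(item)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def host_matches(host: str, domains: set[str]) -> Optional[str]:
    """Exact or subdomain match: 'login.evil.com' hits 'evil.com', 'notevil.com' does not."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines: Iterable[str], domains: set[str], ips: set[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, ioc) for every IoC hit found in the log lines."""
    hits: list[tuple[int, str, str]] = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((line_no, "ip", ip))
        for host in HOST_RE.findall(line):
            matched = host_matches(host, domains)
            if matched:
                hits.append((line_no, "domain", matched))
    return hits


def demo() -> list[tuple[int, str, str]]:
    """Run the report IoCs over the constructed sample log."""
    domains, ips = load_iocs(REPORT_IOCS)
    return scan_log(SAMPLE_LOG, domains, ips)


if __name__ == "__main__":
    for line_no, kind, ioc in demo():
        print(f"line {line_no}: {kind} hit on {ioc}")
```

The subdomain test matters because phishing kits routinely put the login page on a host such as `secure.` or `login.` under the registered domain; a plain substring match would also produce false positives on unrelated names that merely end in the same characters.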

Read more: https://www.malwarebytes.com/blog/scams/2024/11/crooks-bank-on-microsofts-search-engine-to-phish-customers