It’s a Puny World After All – Krebs on Security

An online banking fraud group calling itself the Disneyland Team uses Punycode-based domains to spoof banks and harvest credentials, often coordinating with Gozi 2.0/Ursnif malware to drain accounts. They employ a Web-based control panel, fake bank pages, and overlays to capture data; the article also mentions DDoS being used by cybercrime groups as a distraction tactic.

Read more: https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/?replytocom=571703

Keypoints

  • The Disneyland Team uses phishing domains that spoof popular bank brands with Punycode to mislead victims.
  • Domains are crafted to render as the legitimate brand in the browser address bar; for example, the spoof of ameriprise.com is registered as a Punycode (xn--) domain, shown defanged in the article.
  • A web-based control panel helps the group track victim credentials and manage dozens of Punycode domains (through 2022).
  • The group appears Russian-speaking and relies on banking malware (Gozi 2.0/Ursnif) to steal credentials and facilitate transfers.
  • Historically, web injects were used to manipulate bank pages inside the victim's browser, but these attackers prefer convincing fake sites that relay the victim's activity to the real bank.
  • The malware's overlays prompt users with messages and can stall or block access to accounts; the article also notes that cybercrime groups sometimes use DDoS as a distraction tactic.

MITRE Techniques

  • [T1566] Phishing – The Disneyland Team uses phishing domains that spoof popular bank brands using Punycode. Quote: “phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.”
  • [T1036] Masquerading – The domains are crafted to look like real brands in the browser address bar. Quote: “Look carefully, and you’ll notice small dots beneath the “a” and the second “e”.” and “the domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain], which displays in the browser URL bar as ạmeriprisẹ[.]com.”
  • [T1056.003] Web Input Capture – The fake bank overlay relays the victim’s browser activity to the real bank site, potentially forwarding MFA challenges. Quote: “the fake bank website overlaid by the Disneyland Team’s malware relays the victim’s browser activity through to the real bank website, while allowing the attackers to forward any secondary login requests from the bank, such as secret questions or multi-factor authentication challenges.”
  • [T1555.003] Credentials in Web Browsers – Gozi specializes in collecting credentials for online banking. Quote: “Gozi specializes in collecting credentials, and is mainly used for attacks on client-side online banking to facilitate fraudulent bank transfers.”
  • [T1499] Denial of Service – The article notes that cybercrime groups sometimes use DDoS to distract victims, though it’s unclear if Disneyland Team employs this tactic. Quote: “Cybercrime groups will sometimes launch distributed denial-of-service (DDoS) attacks on the servers of the companies they’re trying to rob — which is usually intended to distract victims from their fleecing.”

Indicators of Compromise

  • [Domain] Phishing/brand-spoofing domains – ushank[.]com, singlepoint.xn--bamk-pxb5435b[.]com, login2.xn--mirtesnbd-276drj[.]com, xn--meripris-mx0doj[.]com, cliẹntșchwab[.]com, cliẹrtschwạb[.]com
  • [Domain] Targeted bank brands referenced for context – ameriprise.com
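The Masquerading entry above hinges on one detail: xn--meripris-mx0doj decodes to letters that read as "ameriprise" once the dots below are ignored. The following Python check is an added example, not code from the article or the Krebs site; it decodes xn-- labels with the standard library, strips the combining marks to recover the brand the eye reads, and matches that against a constructed watch-list (the brand names are assumed from the article's context).

```python
import unicodedata

# Constructed watch-list of brand labels; the brands are those the article names.
WATCHED_BRANDS = ("ameriprise", "schwab", "usbank")


def decode_idn(hostname: str) -> str:
    """Turn each 'xn--' A-label back into its Unicode U-label; other labels pass through."""
    out = []
    for label in hostname.strip().lower().split("."):
        if label.startswith("xn--"):
            # bytes.decode('punycode') is the stdlib RFC 3492 decoder
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def skeleton(text: str) -> str:
    """Collapse look-alike letters to base letters (ạmeriprisẹ -> ameriprise).

    NFKD splits a precomposed letter into base + combining mark; dropping the
    marks (category Mn) leaves the ASCII letters the eye actually reads."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")


def scripts_in(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def analyze(hostname: str) -> dict:
    """Explain why a hostname looks like a homograph of a watched brand ({} = no finding)."""
    decoded = decode_idn(hostname)
    plain = skeleton(decoded)
    findings = {}
    if plain != decoded:  # at least one non-ASCII look-alike letter is present
        hits = [brand for brand in WATCHED_BRANDS if brand in plain]
        if hits:
            findings.update(spoofed_brands=hits, decoded=decoded, skeleton=plain)
    # Browser IDN display policies typically flag Latin+Cyrillic mixes; the article's
    # samples are single-script Latin with dots below, so the skeleton check is needed too.
    mixed = [lab for lab in decoded.split(".") if len(scripts_in(lab)) > 1]
    if mixed:
        findings["mixed_script_labels"] = mixed
    return findings


if __name__ == "__main__":
    # Domains from the article's IoC list (defanging removed only for parsing) plus the real brand
    for sample in ("xn--meripris-mx0doj.com", "cliẹntșchwab.com", "www.ameriprise.com"):
        print(sample, "->", analyze(sample) or "no finding")
```

Plain-ASCII typosquats such as ushank[.]com contain no look-alike letters and will not be flagged by this check; they need a separate edit-distance comparison.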