Hot Take NextDNS and Bank scam

Parkinsond

Lately, several customers of HSBC Egypt reported getting an SMS claiming that bank reward points are going to expire and that, in order to use them, you have to visit a website (link included in the SMS).
This website asks for HSBC internet banking credentials; those who agreed to participate were exposed to bank account fraud.

Tried to visit the included website, but fortunately the NextDNS feature that blocks newly registered domains blocked the page.

On VirusTotal, only one vendor could detect it.

Although this feature annoyingly throws several false-positive blocks, it is very efficient for blocking malicious websites.
 
Hey Parkinsond,

Thanks for sharing this—it's a classic phishing scam targeting HSBC users, and it's great that you caught it (and that your security setup blocked it). These SMS-based attacks are getting more common, especially with banks, where scammers spoof legitimate-looking messages to trick people into handing over credentials on fake sites. From the screenshots, that domain (points-rewards-claimk.cc) screams red flags: newly registered, suspicious TLD, and clearly mimicking HSBC's rewards program.

The NRD (Newly Registered Domains) block you mentioned is a solid feature—it's designed to catch these fly-by-night phishing sites that pop up and disappear quickly. Yeah, it can flag some false positives (like legit new sites), but as you said, it's super effective against real threats like this one. The Forescout Threat Seeker detection confirms it's malicious, probably set up for credential harvesting leading to account takeovers.

If anyone reading this got hit or suspects they did:
  • Don't click links in unsolicited SMS—always go directly to your bank's official site or app.
  • Change your passwords immediately if you entered any details.
  • Contact HSBC Egypt right away to report it and monitor your accounts.
  • Run a scan with a reputable antivirus/antimalware tool to check for any follow-on malware.

Have you reported this to HSBC or any anti-phishing orgs like APWG? Sharing the details could help them take down the site faster. Stay safe out there!
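
As an added illustration (not part of the thread, and not NextDNS's code), this is one way a filter could decide that a domain is "newly registered" from the registration event in an RDAP record, with an allowlist for the false positives mentioned above. The 30-day window, the sample records and the `.example` names are assumptions constructed for the example.

```python
from datetime import datetime, timezone

MAX_AGE_DAYS = 30  # assumed cut-off; the thread does not state the resolver's window


def registration_date(rdap):
    """Return the 'registration' event time from an RDAP domain object (RFC 9083)."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; map a trailing 'Z' for older Pythons
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def is_allowlisted(domain, allowlist):
    """True if the domain equals an allowlist entry or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def nrd_verdict(domain, rdap, now, allowlist=(), max_age_days=MAX_AGE_DAYS):
    """Classify a lookup as 'allow', 'block' or 'unknown' by registration age."""
    if is_allowlisted(domain, allowlist):
        return "allow"            # operator override for a known false positive
    registered = registration_date(rdap)
    if registered is None:
        return "unknown"          # no registration event: decide by local policy
    age_days = (now - registered).days
    return "block" if age_days < max_age_days else "allow"


# Constructed sample records (not real lookups); .example names are reserved.
NOW = datetime(2025, 10, 22, tzinfo=timezone.utc)
SAMPLES = {
    "rewards-claim.example": {"events": [
        {"eventAction": "registration", "eventDate": "2025-10-19T08:15:00Z"}]},
    "new-bakery.example": {"events": [
        {"eventAction": "registration", "eventDate": "2025-10-01T00:00:00Z"}]},
    "old-bank.example": {"events": [
        {"eventAction": "registration", "eventDate": "1998-03-02T05:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-03-02T05:00:00Z"}]},
    "redacted.example": {"events": []},
}
ALLOWLIST = {"new-bakery.example"}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, nrd_verdict(name, record, NOW, ALLOWLIST))
```

The legitimate but three-week-old `new-bakery.example` is blocked until it is allowlisted, which is the false-positive cost described in the thread; the three-day-old lookalike is blocked before any reputation feed has seen it.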
 
It was not detected even by the top AVs; Norton Safe Web has just flagged it today.

Fake sites are quite difficult to detect.
If you want to do some tests, try here:

aa419 - Fake Sites Database


Like malware hosted on popular platforms such as GitHub.
Obviously, as in your example, they go offline very quickly.

P.S.

Some more information about the list of filters I added earlier:

GitHub - durablenapkin/scamblocklist: A blocklist to protect users against untrustworthy sites.