'Disneyland Team:' No, Not The Cute Kind — These Guys Are Out To Steal Your Bank Details With Malware

A financial cybercrime group calling itself the Disneyland Team has been leveraging visually confusing phishing domains that spoof popular bank brands using Punycode.

What Happened: Alex Holden, the founder of cybersecurity consulting firm Hold Security, has analyzed the group's operation. This cybercrime group has been using a web-based control panel to keep track of victims' credentials, according to Krebs on Security. 

Holden has gained access to the panel, which reveals the gang has been operating dozens of Punycode-based phishing domains for the better part of 2022. Punycode is an internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.

The Disneyland Team uses common misspellings for leading banks in its domains. It also uses Punycode to make its bogus bank domains look more legit. 

Take U.S. financial services firm Ameriprise for example. Ameriprise uses the domain ameriprise.com. The Disneyland Team's domain for Ameriprise customers is ạmeriprisẹ[.]com (the way it displays in the browser URL bar). The brackets are added to defang the domain. 

Looking closely, one can make out small dots under the "a" and the second "e," which can easily be mistaken for a speck of dust on a computer or mobile screen.
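A defender can surface this kind of lookalike mechanically. The following is an added example, not code from Hold Security or the Krebs report: it converts a domain between its displayed and `xn--` forms, lists the non-ASCII characters, and checks whether stripping diacritics yields a watched brand domain. The watch list and function names are assumptions made for illustration.

```python
import unicodedata

# Watch list of real brand domains. ameriprise.com is from the article;
# example-bank.com is a constructed placeholder.
PROTECTED = {"ameriprise.com", "example-bank.com"}

def to_unicode(domain):
    """Return the form a browser may display, decoding any xn-- labels."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def to_ascii(domain):
    """Return the xn-- (Punycode) form that is actually sent to DNS."""
    return ".".join(
        label if label.isascii()
        else "xn--" + label.encode("punycode").decode("ascii")
        for label in domain.split("."))

def skeleton(domain):
    """Fold diacritic lookalikes: NFKD splits U+1EA1 into 'a' + U+0323,
    then the combining mark is dropped."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def inspect(domain):
    shown = to_unicode(domain)
    odd = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
           for c in shown if not c.isascii()]
    skel = skeleton(shown)
    return {
        "display": shown,
        "ascii": to_ascii(shown),
        "non_ascii": odd,
        # Only a domain that differs from the brand can be a lookalike of it.
        "imitates": skel if odd and skel in PROTECTED else None,
    }

if __name__ == "__main__":
    # The article's example, written with escapes so the dots are explicit.
    for d in ("\u1ea1meripris\u1eb9.com", "ameriprise.com"):
        print(inspect(d))
```

Cross-script homoglyphs such as Cyrillic letters do not decompose under NFKD, so covering them requires a confusables mapping like the one defined in Unicode UTS #39.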

According to Holden, the Disneyland Team is Russian speaking or at least based in Russia. However, it is not simply a phishing gang but a group using phony bank domains in conjunction with malicious software discreetly installed on a victim's computer, the report noted.
