Spoofing Banks is a Balancing Act
ID: 1afdf3a0-b29d-5b0a-9e08-af60cff8a8f0
STIX ID: report--1afdf3a0-b29d-5b0a-9e08-af60cff8a8f0
Feed Name: DomainTools
DomainTools researchers identified 291 domains spoofing “natwest” and investigated the connected infrastructure using Domain Risk Scores and guided pivots. They focused on natwestonline87.ml (high risk) and the related domains servicepaypal759.ml, royalbankservice264.ml and servicemessage368.ml, enumerating shared IPs, name servers, and SSL hashes and subjects, and noting associations with spoofed PayPal and Royal Bank domains. The report documents risk-score changes and passive DNS records (mail. and www. subdomains), and notes that VirusTotal returned 0 detections for the observed www site. It concludes that monitoring these artifacts can help detect and block this phishing activity.
