In early March 2025, Notmining Platform flagged an unusual cluster of domain registrations — multiple domains registered within a short window, all visually similar to the brand name of a regional bank operating in southern Europe. The bank's security team received the first alert shortly after the first domain was registered. No phishing emails had been sent yet.
Background
The bank had been using Notmining Platform for continuous domain and web monitoring for approximately six months. To start monitoring, the team only had to provide the primary domain and a brand keyword; from there, the platform began surfacing lookalike registrations and common fraud-related variations.
The bank had previously experienced a smaller phishing incident — a single lookalike domain that remained live for hours before a customer reported it. That incident prompted them to invest in proactive monitoring. This case was the first major test of that investment.
The attack
Early in the morning, an attacker began registering domains. The pattern was systematic: variations of the bank's brand name combined with terms like "secure", "login", "online", "banca" and "acceso". Some used hyphens, others substituted letters (replacing "i" with "1", "o" with "0"), and several used country-code TLDs to appear locally legitimate.
What the cluster looked like:
- Multiple domains registered within a short window
- All variations of the bank's brand name
- A mix of generic TLDs (.com, .net, .org) and country-code TLDs
- None had gone live as phishing pages yet — the attacker was still setting up infrastructure
This is a common pre-attack pattern: attackers register a batch of domains in advance, then selectively deploy phishing pages on the most convincing ones while using the others as backup or for A/B testing different lures. The window between registration and first victim is typically a matter of hours.
How Notmining helped
Notmining Platform's domain monitoring helps identify recent registrations that resemble a brand, including common variations and combinations with fraud-related terms. When a relevant domain appears, an alert is generated with the details needed to review the case.
In this case, the first domain triggered an alert shortly after registration. Over the morning, additional related domains were identified and grouped to support review and prioritization by the security team.
The response
The bank's security team received the consolidated alert shortly after. The alert included:
- A full list of domains with registration timestamps
- Registrar details and WHOIS data for each domain
- Relationship signals across the domains (naming patterns, registration window, registrar)
- Guidance for follow-up (review, registrar reporting and monitoring)
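The variation patterns described in "The attack" (fraud terms combined with the brand, hyphens, digit-for-letter substitutions, country-code TLDs) and the relationship signals listed in the alert (naming pattern, registration window, registrar) can be reproduced in a few dozen lines. The script below is an added example, not Notmining's code: it takes a constructed feed of new registrations, flags the ones that resemble a hypothetical brand keyword, and groups the hits into registration clusters so a coordinated batch stands out from a lone lookalike. The brand name, allowlist of the bank's own domains, fraud-term list, two-hour clustering window and three-domain threshold are all assumptions chosen for the example.

```python
"""Lookalike-domain triage on a feed of new registrations.

Added example (not Notmining's code): flags domains that resemble a brand using
the variation patterns described in the case (fraud terms, hyphens, digit
substitutions, country-code TLDs) and groups the hits into registration
clusters so a coordinated batch stands out. All names and data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Digit-for-letter substitutions seen in lookalikes; mapped back for comparison.
DIGIT_HOMOGLYPHS = {"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"}
# Terms commonly combined with a brand to suggest a login or security page.
FRAUD_TERMS = ("secure", "login", "online", "banca", "acceso", "verify", "account")

BRAND = "bancoejemplo"                                # hypothetical brand keyword
ALLOWLIST = {"bancoejemplo.com", "bancoejemplo.es"}  # the bank's own domains (assumed)


@dataclass
class Registration:
    domain: str
    registered_at: datetime
    registrar: str


def canonical(label: str) -> str:
    """Lowercase, undo digit substitutions and drop hyphens."""
    return "".join(DIGIT_HOMOGLYPHS.get(c, c) for c in label.lower() if c != "-")


def lookalike_reasons(domain: str, brand: str, allowlist: set[str]) -> list[str]:
    """Return the signals that make `domain` a brand lookalike ([] if none)."""
    domain = domain.lower().rstrip(".")
    if domain in allowlist:
        return []
    label, _, suffix = domain.partition(".")
    norm = canonical(label)
    if brand not in norm:
        return []
    reasons = ["contains brand name"]
    if any(c.isdigit() for c in label):
        reasons.append("digit-for-letter substitution")
    if "-" in label:
        reasons.append("hyphenated variant")
    extra = norm.replace(brand, "", 1)          # whatever surrounds the brand
    for term in FRAUD_TERMS:
        if term in extra:
            reasons.append(f"fraud term '{term}'")
    if len(suffix.rsplit(".", 1)[-1]) == 2:     # two-letter final label = ccTLD
        reasons.append(f"country-code TLD .{suffix}")
    return reasons


def cluster_by_window(regs, window: timedelta):
    """Group registrations whose timestamps chain within `window` of each other."""
    clusters: list[list[Registration]] = []
    for reg in sorted(regs, key=lambda r: r.registered_at):
        if clusters and reg.registered_at - clusters[-1][-1].registered_at <= window:
            clusters[-1].append(reg)
        else:
            clusters.append([reg])
    return clusters


def triage(regs, brand=BRAND, allowlist=ALLOWLIST,
           window=timedelta(hours=2), min_cluster=3):
    """Flag lookalikes and summarise each registration cluster for an analyst."""
    hits = {r.domain: lookalike_reasons(r.domain, brand, allowlist) for r in regs}
    suspicious = [r for r in regs if hits[r.domain]]
    summary = []
    for cluster in cluster_by_window(suspicious, window):
        summary.append({
            "domains": [r.domain for r in cluster],
            "reasons": {r.domain: hits[r.domain] for r in cluster},
            "registrars": sorted({r.registrar for r in cluster}),
            "start": cluster[0].registered_at,
            "end": cluster[-1].registered_at,
            "coordinated": len(cluster) >= min_cluster,
        })
    return summary


# Constructed sample feed: one coordinated batch, the bank's own domain,
# an unrelated registration and a lone lookalike hours later.
T0 = datetime(2025, 3, 4, 6, 12)
SAMPLE_FEED = [
    Registration("secure-bancoejemplo.es", T0, "registrar-a"),
    Registration("banc0ejemplo-login.com", T0 + timedelta(minutes=9), "registrar-a"),
    Registration("ejemplo-tienda.com", T0 + timedelta(minutes=15), "registrar-c"),
    Registration("bancoejemplo-acceso.net", T0 + timedelta(minutes=25), "registrar-b"),
    Registration("bancoejemplo.org", T0 + timedelta(minutes=40), "registrar-a"),
    Registration("bancoejemplo.com", T0 - timedelta(days=3000), "registrar-x"),
    Registration("bancoejemplo-online.com", T0 + timedelta(hours=9), "registrar-b"),
]

if __name__ == "__main__":
    for c in triage(SAMPLE_FEED):
        tag = "COORDINATED" if c["coordinated"] else "single"
        print(f"{tag}: {c['start']:%H:%M}-{c['end']:%H:%M} via {c['registrars']}")
        for d in c["domains"]:
            print(f"  {d}: {', '.join(c['reasons'][d])}")
```

Run as a script it prints one block per cluster; on the sample feed the four registrations within the first forty minutes form a coordinated cluster across two registrars, the bank's own domain is skipped via the allowlist, the unrelated shop domain is ignored, and the registration nine hours later is reported as a single hit. In a real deployment the feed would come from a newly-registered-domains source and the window and threshold would be tuned to the brand's normal registration noise.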
The team submitted abuse reports to the registrars shortly after receiving the alert. By the end of the day, most of the domains had been suspended. The remaining ones were resolved over the following days after escalation through the registrar's abuse process.
None of the domains were ever deployed as active phishing pages. The attack was neutralised entirely at the infrastructure stage — before any customer interaction was possible.
Why early detection matters
The critical insight from this case is timing. Phishing attacks have a predictable lifecycle: domain registration → infrastructure setup → campaign launch → victim exposure. Most detection methods operate at the campaign launch stage — when phishing emails are already in inboxes or when a customer reports a suspicious link.
Visibility at the domain registration stage — the earliest possible point in the attack lifecycle — creates room to act before the attacker deploys infrastructure and launches the campaign. In this case, that head start helped contain the operation before customers were impacted.
"We knew about the attack before the attacker had finished setting it up. It's one of the best ways to minimize impact." — Notmining Platform alert summary, March 2025
Key takeaways
- Domain registration monitoring catches attacks at the earliest possible stage — before any victim is reachable.
- Coordinated domain clusters (multiple registrations in a short window) are a strong signal of a planned campaign.
- Clear evidence in alerts (domains, timestamps, registrar/WHOIS) reduces response friction.
- Proactive monitoring significantly reduces reaction time.
- The window between domain registration and first victim is typically a matter of hours — detection must happen within that window.