A Coordinated Attack on Trust
YourScam's intelligence crawlers have flagged a troubling pattern in this week's banking fraud reports. Multiple malicious URLs share a common thread: domains deliberately crafted to look like legitimate banking infrastructure.
The campaign centres on domains like bankefile.com and bankefiile.com, close enough to "bank file" to seem plausible in a URL bar, but hosting malware distribution pages tagged with the ClearFake campaign marker.
What We've Found
| Domain | Severity | Status | Method |
|---|---|---|---|
| pnuwf.bankefile.com | High | Verified | Malware download |
| xetxx.bankefile.com | High | Verified | Malware download |
| qzkdr.bankefiile.com | High | Verified | Malware download |
All three use random-looking subdomains, a technique to evade blocklists. Each subdomain hosts a unique URL path, making it harder for security tools to pattern-match.
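An added example (not YourScam's own code) of why exact-hostname blocklists miss this pattern: matching on the registrable domain catches every random subdomain, and an edit-distance check flags near-duplicate spellings such as bankefiile.com. The function names, the two-label domain heuristic and every sample host other than the one from the table are assumptions.

```python
from urllib.parse import urlsplit

# Registrable domains taken from the table above.
KNOWN_BAD = {"bankefile.com", "bankefiile.com"}

def registrable(host):
    """Naive registrable domain: the last two labels.
    Assumption: adequate for .com; real tooling should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, max_distance=1):
    """Return 'blocked', 'lookalike' or 'clean' for a URL or bare hostname."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    domain = registrable(host)
    if domain in KNOWN_BAD:
        return "blocked"  # any subdomain of a known-bad domain
    name, _, suffix = domain.partition(".")
    for bad in KNOWN_BAD:
        bad_name, _, bad_suffix = bad.partition(".")
        if suffix == bad_suffix and edit_distance(name, bad_name) <= max_distance:
            return "lookalike"  # near-duplicate spelling, not yet listed
    return "clean"

# Constructed sample input: one host from the table, the rest invented for the demo.
SAMPLES = [
    "https://pnuwf.bankefile.com/",
    "aaaaa.bankefile.com",
    "zzzzz.bankefille.com",
    "www.example.org",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):10} {s}")
```

A lookalike result is a prompt for analyst review, not a verdict: a distance of 1 can also match an unrelated legitimate domain.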
What Is ClearFake?
ClearFake is a malware distribution framework that uses fake browser update prompts to trick users into downloading malicious software. When you visit a compromised or malicious page, it displays a convincing overlay saying your browser needs an update. Clicking "Update" downloads an info-stealer or remote access trojan.
In the context of banking fraud, this is particularly dangerous because:
- The malware can capture banking credentials as you type them
- It can intercept two-factor authentication codes
- It may modify what you see on your banking website (showing fake balances while money is transferred)
- It operates silently: you may not know you're infected
Banking Fraud in Context
While banking fraud accounts for 18 of our 1,637 total reports (just over 1%), the financial impact is disproportionately high. According to UK Finance, authorised push payment (APP) fraud alone cost UK consumers £257.5 million in the first half of 2025, and the trend is rising.
The reports in our database are the tip of the iceberg: they represent infrastructure used to enable fraud, not individual victim cases.
How to Stay Safe
- Never download browser updates from pop-ups. Real updates come through your browser's built-in update mechanism (Settings → About).
- Verify banking URLs carefully. Your bank's domain won't contain words like "bankefile". Bookmark your bank's real website.
- Use your bank's official app. Mobile banking apps are harder to compromise than browser sessions.
- Enable transaction notifications. Get alerts for every payment so you spot unauthorised activity immediately.
- Call your bank on their official number. If anything seems wrong, call the number on the back of your card. Never use a number from an email or text.
If you think you've been affected: Contact your bank's fraud team immediately. Under the PSR's mandatory reimbursement rules (October 2024), banks must reimburse APP fraud victims up to £85,000 within 5 business days.
Data sourced from YourScam.org's live intelligence pipeline, powered by URLhaus/abuse.ch and JaffaAi analysis.