Lurking Behind the Scenes: Keylogger Sites Impersonate Trusted Brokerage Firms for Account Takeover

In an era where digital security is rapidly evolving, cybercriminals are adapting just as quickly – finding new ways to exploit trust and user behaviour. Recent campaigns targeting stock trading accounts have revealed a critical truth: attackers are no longer just stealing credentials – they are orchestrating full account takeovers to commit high-impact financial fraud.
These attacks are financially motivated, aiming to take over user accounts and execute fraudulent trades for profit. This blog explores how threat actors are lurking behind the scenes – using keylogger sites that impersonate trusted brokerage firms to silently capture user input and hijack sessions. As the financial services industry continues to digitize, understanding these emerging threats is more important than ever.
The “Evil in Between” – Smishing Leads to Account Takeover
Since May 2025, Dark Lab has observed SMS phishing (“smishing”) activity impersonating various brokerage firms to target Hong Kong users. Through our continuous domain monitoring services, this included the discovery of over 70 newly registered domains impersonating InteractiveBrokers. The messages are crafted to appear as legitimate communications from trusted securities brokerage firms such as InteractiveBrokers and Charles Schwab, urging users to update their tax-related form(s) (e.g., W-8BEN) to avoid service suspension.

Upon clicking the link, the victim is directed to the phishing site, in this case impersonating InteractiveBrokers:


The phishing site poses as an exact replica of InteractiveBrokers’ login portal, deceiving the victim into trusting the site and entering their username and password. It mimics not only the visual layout of the website but also the same login flow (credentials are submitted, then the user is redirected to a page requesting multi-factor authentication). In some cases, the phishing site was observed to redirect further to another, unrelated site impersonating InteractiveBrokers (e.g., interactivebrokers.2391[.]ltd), which we assessed was an attempt to evade detection. Analysis of the phishing sites revealed them to be operating as keyloggers, intended to capture and record the user’s keystrokes.



When a user submits their valid username and password, the site captures the user’s keystrokes, which triggers an automated process that replays the obtained credentials to log in via the legitimate InteractiveBrokers portal. However, to complete that login, the threat actor needs the victim to authenticate it via the multi-factor authentication (“MFA”) verification notification issued by the InteractiveBrokers mobile application.
To bypass MFA verification, the phishing site is set up to prompt the user, after they have supplied their credentials, to ‘verify’ their login attempt in their genuine InteractiveBrokers mobile app, directly mirroring the real InteractiveBrokers login process. The user checks the app and approves the login, assuming the MFA notification relates to their own login attempt; in reality it approves the threat actor’s login, resulting in a successful account takeover.




A Modern Take on the Classic “Pump and Dump” Scheme?
Typically, phishing attacks are designed to harvest credentials – usernames, passwords, or even multi-factor authentication codes – which are then sold or reused for broader access. But in this case, we’re seeing a far more calculated and opportunistic approach. Instead of simply stealing login details, attackers are hijacking authenticated sessions and directly exploiting access to stock trading accounts.
Once inside, these accounts are used as tools in “pump-and-dump” schemes – a form of market manipulation in which attackers artificially inflate the price of low-volume stocks by placing coordinated buy orders across multiple compromised accounts. These fraudulent trades are placed on the day of access, close to the end of the trading day (e.g., shortly before 4:00PM HKT), making it difficult for victims to notice the unauthorised trade and contact the relevant authorities in time to remediate (e.g., cancel) the transaction. After driving up the price, the attackers sell off their own holdings at a profit, leaving legitimate users with losses as the stock value crashes. This weaponisation of hijacked accounts marks a dangerous evolution in phishing tactics – one that blends social engineering with financial fraud at scale.

Just How Widespread Is This?
While this blog focuses on the InteractiveBrokers impersonation campaign, we emphasize that this is not an isolated incident. Rather, it is part of a broader, opportunistic, and widespread attack pattern targeting various securities brokerage firms in Hong Kong.

| Phishing Domain | Brand Impersonated |
| --- | --- |
| yc1113[.]com | Bright Smart Securities |
| yc1104[.]com | Bright Smart Securities |
| yc1103[.]com | Bright Smart Securities |
| yc1102[.]com | Bright Smart Securities |
| yc45742[.]com | Bright Smart Securities |
| yc46542[.]com | Bright Smart Securities |
| yc7897456151[.]com | Bright Smart Securities |
| yc94452[.]com | Bright Smart Securities |
| yc68888[.]com | Bright Smart Securities |
| yc89999[.]com | Bright Smart Securities |
| yczq2727[.]com | Bright Smart Securities |
| yczq626[.]com | Bright Smart Securities |
| yczq223[.]com | Bright Smart Securities |
| ycxha[.]shop | Bright Smart Securities |
| yccom[.]shop | Bright Smart Securities |
| yczjhk[.]com | Bright Smart Securities |
| security-center-schwab[.]23601[.]rip | Charles Schwab |
| schwabhk[.]net | Charles Schwab |
| guangdazq[.]vip | EverBright |
| futubul[.]life/hk | Futu |
| futunnhkg[.]cc/tax | Futu |
| futunn-hkg[.]top/tax | Futu |
| futubull[.]life/hk | Futu |
| futu[.]it[.]com/hk | Futu |
| futunn-hk[.]top/tax | Futu |
| futunnl[.]sbs/hk | Futu |
| futunn[.]sbs/tax | Futu |
| futuhk[.]top/hk | Futu |
| huatai8899[.]vip | Huatai |
| huatai215[.]vip | Huatai |
| huatai7898[.]vip | Huatai |
| yagaskilz[.]com | SoFi |
| webdock[.]cloud | SoFi |
| sofi-banking[.]com | SoFi |
| login-csx[.]pages[.]dev | SoFi |
| sofibank[.]cc | SoFi |
| login3-ejh[.]pages[.]dev | SoFi |
| s0fi[.]online | SoFi |
| sofie[.]pages[.]dev | SoFi |
| 4everland[.]app | SoFi |
| interactivebrokers[.]8148[.]ltd | InteractiveBrokers |
| interactivebrokers[.]1014[.]ltd | InteractiveBrokers |
| hk-ibkr[.]net | InteractiveBrokers |
| ibkrlogc[.]top | InteractiveBrokers |
| ibkr-rm[.]com | InteractiveBrokers |
| interactivebrokers-hk[.]icu | InteractiveBrokers |
| ibkrlne[.]info | InteractiveBrokers |
| ibkret[.]net | InteractiveBrokers |
| ibkrbms[.]net | InteractiveBrokers |
| hkibkr[.]net | InteractiveBrokers |
| ibkrhk[.]net | InteractiveBrokers |
| interactivebrokerss[.]net | InteractiveBrokers |
| moibkr[.]net | InteractiveBrokers |
| ibkrsg[.]net | InteractiveBrokers |
| ibkr-dse-gpt[.]online | InteractiveBrokers |
| hk-ibkr[.]org | InteractiveBrokers |
| hkibkr[.]org | InteractiveBrokers |
| moibkr[.]org | InteractiveBrokers |
| ibkrsg[.]org | InteractiveBrokers |
| interactivebrokers-us[.]shop | InteractiveBrokers |
| interactivebrokers-hk[.]shop | InteractiveBrokers |
| ibkrmg[.]site | InteractiveBrokers |
| ibkrlni[.]site | InteractiveBrokers |
| ibkrlogin[.]top | InteractiveBrokers |
| interactivebroker[.]top | InteractiveBrokers |
| ibkrlogi[.]top | InteractiveBrokers |
| hk-ibkr[.]top | InteractiveBrokers |
| ibkrhk[.]top | InteractiveBrokers |
| ibkrlogm[.]top | InteractiveBrokers |
| uibkr5[.]top | InteractiveBrokers |
| ibkrloi[.]top | InteractiveBrokers |
| 5ibkr0[.]top | InteractiveBrokers |
| ibkr-help[.]top | InteractiveBrokers |
| ibkrlon[.]top | InteractiveBrokers |
| interactivebrokeris[.]top | InteractiveBrokers |
| ibkrb2[.]top | InteractiveBrokers |
| ibkrz[.]top | InteractiveBrokers |
| ibkrmod[.]top | InteractiveBrokers |
| ibkrgin[.]top | InteractiveBrokers |
| ibkr-hk[.]top | InteractiveBrokers |
| ibkr-mbq[.]top | InteractiveBrokers |
| ibkrmg[.]top | InteractiveBrokers |
| ibkr-nrb[.]top | InteractiveBrokers |
| ibkr-uec[.]top | InteractiveBrokers |
| ibkr-yyk[.]top | InteractiveBrokers |
| ibkr-zvx[.]top | InteractiveBrokers |
| ibkrlni[.]top | InteractiveBrokers |
| interactivebrokerls[.]top | InteractiveBrokers |
| interactivebrokersss[.]top | InteractiveBrokers |
| interactivebrokers[.]vip | InteractiveBrokers |
| ibkrmor[.]vip | InteractiveBrokers |
| hk-ibkr[.]xyz | InteractiveBrokers |
| ibkr[.]xyz | InteractiveBrokers |
| moibkr[.]xyz | InteractiveBrokers |
| ibkr-api[.]xyz | InteractiveBrokers |
| ibkr-mgr[.]xyz | InteractiveBrokers |
| ndcdyn[.]interactivebrokers[.]com[.]sso-login[.]space | InteractiveBrokers |
| ndcdyn[.]interactivebrokers[.]com[.]sso-login[.]ink | InteractiveBrokers |
| ndcdyn[.]interactivebrokers[.]com[.]sso-login[.]work | InteractiveBrokers |
| ibkrapp02[.]com | InteractiveBrokers |
| ibkrapp07[.]com | InteractiveBrokers |
| ibkr-global[.]org | InteractiveBrokers |
| ibkrmoo[.]top | InteractiveBrokers |
| ibkrusa-a[.]top | InteractiveBrokers |
| com-interactivebrokerseo[.]cfd | InteractiveBrokers |
| com-interactivebrokerser[.]cfd | InteractiveBrokers |
| com-interactivebrokersio[.]cfd | InteractiveBrokers |
| ndcdyn[.]interactivebrokers[.]com[.]sso-login[.]club | InteractiveBrokers |
| ndcdyn[.]interactivebrokers[.]com[.]sso-login[.]xyz | InteractiveBrokers |
| ibkrmg[.]lol | InteractiveBrokers |
| ibkrmog[.]lat | InteractiveBrokers |
| ibkrlgin[.]lat | InteractiveBrokers |
| ibkrlog[.]cc | InteractiveBrokers |
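
The domains in the table follow a few recognisable naming patterns: a brand keyword inside the registrable domain (hk-ibkr[.]net, schwabhk[.]net), a brand hostname buried in the subdomain of an unrelated registrable domain (ndcdyn[.]interactivebrokers[.]com[.]sso-login[.]space), digit-for-letter substitutions (s0fi[.]online), and a lure path appended to the host (futunn-hkg[.]top/tax). The Python below is an added example, not Dark Lab’s tooling, of how a brand-monitoring pipeline that watches newly registered domains could triage a feed against those patterns; the keyword list, allowlist and sample feed are assumptions built from the names on this page.

```python
import re

# Brand keywords to watch for, built from the brands named in this post (assumed list;
# an institution would use its own names, product names and common abbreviations).
BRAND_KEYWORDS = {
    "InteractiveBrokers": ("interactivebroker", "ibkr"),
    "Charles Schwab": ("schwab",),
    "Futu": ("futu",),
    "Huatai": ("huatai",),
    "SoFi": ("sofi",),
}

# Hostnames the institution actually owns (assumed allowlist; never flagged).
ALLOWLIST = {"interactivebrokers.com", "schwab.com", "futunn.com", "sofi.com"}

# Common digit/symbol-for-letter substitutions seen in lookalike names (s0fi -> sofi).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def refang(indicator):
    """Turn a defanged indicator such as 'hk-ibkr[.]net', 'futunn-hkg[[.]]top/tax' or
    'hxxps://ibkr[.]xyz/' back into a bare lowercase hostname."""
    value = indicator.strip().lower()
    value = re.sub(r"^hxxps?://|^https?://", "", value)
    value = re.sub(r"\[+\.\]+", ".", value)
    return value.split("/")[0]


def registrable_part(host):
    """Approximate the registrable domain as the last two labels. Assumption: no public
    suffix list is consulted, so 'x.co.uk'-style suffixes are not handled here."""
    return ".".join(host.split(".")[-2:])


def classify(indicator):
    """Return (brand, reason) if the hostname looks like a brand impersonation, else None."""
    host = refang(indicator)
    if host in ALLOWLIST or host.endswith(tuple("." + a for a in ALLOWLIST)):
        return None
    full = host.translate(LEET)
    reg = registrable_part(host).translate(LEET)
    for brand, keys in BRAND_KEYWORDS.items():
        for key in keys:
            if key not in full:
                continue
            if key in reg:
                reason = "brand keyword in registrable domain"
            else:
                reason = "brand keyword only in subdomain of unrelated registrable domain"
            if key not in host:
                reason += " (after leet normalisation)"
            return brand, reason
    return None


def scan(feed):
    """Run classify() over an iterable of newly seen domain names; return the hits."""
    hits = []
    for entry in feed:
        result = classify(entry)
        if result:
            hits.append((refang(entry), *result))
    return hits


# Constructed feed mixing entries from the table above with benign names.
SAMPLE_FEED = [
    "hk-ibkr[.]net",
    "ndcdyn[.]interactivebrokers[.]com[.]sso-login[.]space",
    "s0fi[.]online",
    "futunn-hkg[[.]]top/tax",
    "schwabhk[[.]]net",
    "interactivebrokers.com",   # legitimate, allowlisted
    "yc1113[.]com",             # Bright Smart lookalike with no brand keyword: not caught by name alone
    "example-bakery.hk",        # unrelated benign name
]

if __name__ == "__main__":
    for host, brand, reason in scan(SAMPLE_FEED):
        print(f"{host:55} {brand:20} {reason}")
```

The yc1113[.]com family shows the limit of name-based matching: a domain that shares nothing with the brand name can only be caught from page content (titles, logos, certificate names) or from the lure traffic itself, which is why the Bright Smart Securities rows in the table pass this filter.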
Conclusion
This attack highlights how modern threats rely less on breaking systems and more on bending user behaviour to the attacker’s will. By deploying keylogger sites that impersonate legitimate brokerage platforms, threat actors are silently capturing credentials and leveraging real-time user actions – such as MFA approvals – to gain full access to trading accounts.
These tactics are not isolated; similar campaigns have been observed impersonating other websites and e-commerce platforms, such as Carousell. The use of hijacked accounts in pump-and-dump schemes marks a dangerous evolution in financial cybercrime – one that blends social engineering, technical stealth, and market manipulation. As the financial services industry continues to modernize, it must invest in layered defences, phishing detection, and user education to stay ahead of these increasingly sophisticated threats. In the end, it’s not just about protecting credentials – it’s about protecting trust.
Recommendations
For Individuals
- Be cautious with SMS links: Avoid clicking on links in unsolicited messages, especially those urging urgent action related to financial accounts.
- Verify before you trust: Always access brokerage platforms by typing the URL directly or using a trusted app – not through links in messages.
- Enable device-bound passkeys: Where possible, use passkeys that are tied to a specific device and require biometric verification.
- Watch for unusual prompts: Be sceptical of unexpected MFA prompts or login verifications.
- Monitor account activity: Set up alerts for logins, trades, and fund transfers to detect unauthorized activity early.
- Report suspicious messages: Notify your brokerage firm if you receive suspicious communications claiming to be from them. If you attempted to log on via a suspicious site, change your password immediately.
For Financial Institutions
Preventive Measures:
- Use short-lived access tokens: Limit token lifespan (e.g., 15–30 minutes) to reduce the risk window if a token is compromised.
- Bind tokens to client context: Associate tokens with IP address, device fingerprint, or User-Agent to prevent reuse from different environments.
- Store tokens securely: Deliver session tokens in HttpOnly, SameSite cookies rather than storing them in localStorage, so that injected script cannot read them (XSS) and cross-site requests do not carry them (CSRF).
- Enforce secure transmission: Require HTTPS for all traffic, set the Secure attribute on session cookies and send the Strict-Transport-Security header to prevent token leakage over plaintext connections.
- Added layer of MFA for new devices: Require an added layer of authentication (e.g., both mobile and email verification) for login attempts from new devices and/or IP addresses.
- Trigger step-up authentication: Require re-authentication or biometric verification for high-risk actions like trading or fund transfers.
- Take down phishing infrastructure: Work with threat intelligence providers and law enforcement to identify and dismantle phishing sites quickly.
- Educate users on phishing tactics: Train users to recognize and report phishing attempts, especially those impersonating financial institutions.
- Timeout limit for logon sessions: Enforce a timeout for each login session (e.g., 15 minutes) to minimise the window of opportunity for attackers to exploit taken-over accounts.
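
The preventive measures above on token lifespan, client-context binding, cookie storage, secure transmission, session timeout and step-up authentication fit naturally into one session-token design. The Python below is an added example written for this post (not code from any brokerage or from Dark Lab) of a signed session token that expires after 15 minutes, is bound to the IP address and User-Agent that authenticated, is delivered as an HttpOnly/Secure/SameSite=Strict cookie alongside a Strict-Transport-Security header, and refuses high-risk actions unless a recent re-authentication is recorded. The five-minute step-up validity, the payload field names and the in-memory signing key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: in-memory key; rotate via a KMS in production
SESSION_TTL = 15 * 60                  # 15 minutes, the lower end of the range suggested above
STEP_UP_TTL = 5 * 60                   # assumption: a fresh re-authentication is good for 5 minutes
HIGH_RISK_ACTIONS = {"place_order", "fund_transfer"}

# Sent with every response so browsers refuse plaintext HTTP to the site afterwards.
SECURITY_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def context_fingerprint(client_ip, user_agent):
    """Bind the token to the environment that authenticated (IP + User-Agent here)."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def issue_token(user, client_ip, user_agent, now=None, step_up=False):
    """Create a signed token: body.signature, where body carries subject, issue/expiry
    times, the client-context fingerprint and (optionally) a step-up expiry ('sup')."""
    now = int(now if now is not None else time.time())
    payload = {
        "sub": user,
        "iat": now,
        "exp": now + SESSION_TTL,
        "ctx": context_fingerprint(client_ip, user_agent),
        "sup": now + STEP_UP_TTL if step_up else 0,
        "jti": secrets.token_hex(8),
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def session_cookie(token):
    """Set-Cookie value: HttpOnly keeps the token away from script, Secure keeps it off
    plaintext HTTP, SameSite=Strict keeps cross-site requests from carrying it."""
    return f"session={token}; Max-Age={SESSION_TTL}; Path=/; HttpOnly; Secure; SameSite=Strict"


def validate(token, client_ip, user_agent, now=None, action="view"):
    """Return (ok, reason). Rejects malformed or forged tokens, expired sessions, use from a
    different client context, and high-risk actions without a recent step-up."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["ctx"] != context_fingerprint(client_ip, user_agent):
        return False, "context_mismatch"
    if action in HIGH_RISK_ACTIONS and now >= claims["sup"]:
        return False, "step_up_required"
    return True, "ok"


if __name__ == "__main__":
    ctx = ("203.0.113.7", "Mozilla/5.0")          # constructed client context
    tok = issue_token("acct1001", *ctx, step_up=True)
    print(session_cookie(tok))
    print(validate(tok, *ctx))                                   # (True, 'ok')
    print(validate(tok, "198.51.100.9", ctx[1]))                 # (False, 'context_mismatch')
    print(validate(tok, *ctx, action="place_order"))             # (True, 'ok') within 5 minutes
```

Binding to the raw IP address will log out mobile users whose carrier NAT changes mid-session; a deployment that sees that friction can bind to a coarser signal (ASN or device fingerprint) and reserve the exact-IP check for the high-risk actions.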
Detective Measures:
- Continuous Brand Reputation Monitoring: Monitor newly registered (“young”) domains around the clock to proactively uncover phishing campaigns impersonating your organisation.
- Monitor for anomalous behaviour: Detect unusual login patterns such as rapid IP switching, logins from new geographies, login attempts to multiple accounts via the same IP within a short period of time, or abnormal trading activity.
- Maintain a token denylist: Revoke access tokens immediately when suspicious activity is detected or a session is flagged as compromised.
- Log and audit token usage: Track token activity and integrate with SIEM systems to alert on suspicious behaviour or token reuse.
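
To make the detective measures above concrete, the following Python is an added example (not Dark Lab’s detection content) that runs three of the listed checks over constructed authentication log lines in a simple key=value format: several distinct accounts logging in from one IP within a short window, one session being presented from more than one IP address, and a login from a geography the account has never used. Sessions matching the first two rules are added to a token denylist for immediate revocation; the thresholds (3 accounts in 10 minutes), the log format, the test-network addresses and the account geography profile are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 test addresses, not real clients).
SAMPLE_LOGS = """\
ts=2025-06-03T07:50:02Z event=login user=acct1001 ip=203.0.113.7 geo=HK sid=s-a1
ts=2025-06-03T07:51:10Z event=login user=acct1002 ip=203.0.113.7 geo=HK sid=s-a2
ts=2025-06-03T07:52:44Z event=login user=acct1003 ip=203.0.113.7 geo=HK sid=s-a3
ts=2025-06-03T07:53:05Z event=login user=acct1004 ip=203.0.113.7 geo=HK sid=s-a4
ts=2025-06-03T07:55:30Z event=login user=acct2001 ip=198.51.100.9 geo=HK sid=s-b1
ts=2025-06-03T07:56:00Z event=request user=acct2001 ip=192.0.2.33 geo=NL sid=s-b1
ts=2025-06-03T08:00:12Z event=login user=acct3001 ip=192.0.2.44 geo=NL sid=s-c1
ts=2025-06-03T08:01:40Z event=login user=acct4001 ip=198.51.100.77 geo=HK sid=s-d1
"""

# Constructed behavioural profile: countries each account has previously logged in from.
KNOWN_GEO = {"acct3001": {"HK"}, "acct4001": {"HK"}}

MULTI_ACCOUNT_WINDOW = timedelta(minutes=10)
MULTI_ACCOUNT_THRESHOLD = 3   # distinct accounts from one IP inside the window


def parse(log_text):
    """Parse key=value lines into dicts, with 'ts' converted to a datetime, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = dict(re.findall(r"(\w+)=(\S+)", line))
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def analyse(log_text, known_geo=KNOWN_GEO):
    """Return (alerts, revoked_sids). Each alert is a dict with a 'rule' key."""
    events = parse(log_text)
    alerts, revoked = [], set()

    # Rule 1: many distinct accounts authenticating from one IP within a sliding window.
    logins_by_ip = defaultdict(list)
    for ev in events:
        if ev["event"] == "login":
            logins_by_ip[ev["ip"]].append(ev)
    for ip, logins in logins_by_ip.items():
        flagged = set()
        for i, current in enumerate(logins):
            window = [e for e in logins[: i + 1] if current["ts"] - e["ts"] <= MULTI_ACCOUNT_WINDOW]
            if len({e["user"] for e in window}) >= MULTI_ACCOUNT_THRESHOLD:
                flagged |= {e["sid"] for e in window}
        if flagged:
            users = sorted({e["user"] for e in logins if e["sid"] in flagged})
            alerts.append({"rule": "multi_account_same_ip", "ip": ip, "users": users})
            revoked |= flagged

    # Rule 2: one session presented from more than one IP (token reuse / rapid IP switching).
    ips_by_sid = defaultdict(set)
    for ev in events:
        ips_by_sid[ev["sid"]].add(ev["ip"])
    for sid, ips in ips_by_sid.items():
        if len(ips) > 1:
            alerts.append({"rule": "session_ip_switch", "sid": sid, "ips": sorted(ips)})
            revoked.add(sid)

    # Rule 3: login from a geography the account has never used (flag for step-up, not revoke).
    for ev in events:
        if ev["event"] == "login" and ev["user"] in known_geo and ev["geo"] not in known_geo[ev["user"]]:
            alerts.append({"rule": "new_geography", "user": ev["user"], "geo": ev["geo"]})

    return alerts, revoked


if __name__ == "__main__":
    found, denylist = analyse(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print("revoke sessions:", sorted(denylist))
```

The same parse/analyse split maps onto a SIEM deployment: the parser becomes the ingest normalisation, each rule becomes a scheduled correlation search, and the returned session ids feed the denylist that the token validator consults on every request.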
Further information
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.