Phishing Scams Target Canadian Bank Customers14 Bank Websites Spoofed as Part of Two-Year Campaign, Check Point Reports
Another day, another series of phishing attacks, as attackers turn their sights to customers of Canadian banks.
See Also: The 2020 Bad Bot Report
Researchers at security vendor Check Point Software Technologies warn that an attack group that is using Ukraine-based infrastructure has created hundreds of lookalike domains to target customers of more than a dozen Canadian banks.
All of the fake sites are designed to trick customers into inputting their username and password so attackers can attempt to access victims' accounts and drain them of funds.
Check Point says attackers have crafted phishing messages designed to spoof these 14 Canadian banks:
- American Express
- ATB Financial
- BMO Bank of Montreal
- CIBC Canadian Imperial Bank of Commerce
- Coast Capital Savings
- Desjardins Bank
- Rogers Communications
- Royal Bank of Canada
- Simplii Financial
- TD Canada Trust
- Wells Fargo
Check Point has not identified which crime group it suspects of being behind the attacks. But its researchers note that the attack domains originated from a Ukrainian IP address, meaning that one or more attackers rented Ukraine-based infrastructure. That, however, is no direct clue as to the attackers' actual whereabouts.
Researchers say they were able to get all of the malicious website domains taken down.
Phishing Attacks Stay Popular
Criminals' use of phishing attacks continues to stay strong. In April, security firm PhishLabs reported that the volume of phishing attacks grew by 40 percent over the course of 2018, with nearly one-third of all attacks targeting financial services firms or their customers.
Perhaps unsurprisingly, Canadian banking customers have been repeat targets of such campaigns. Last year, for example, following the announced merger of two Canadian financial services firms - Interac Association and Acxsys - attackers launched a phishing campaign, using messages that claimed to have been sent by Interac, in some cases, and in others by the Canada Revenue Agency.
Building a Better Phishing Message
Some phishing messages appear more to be more sophisticated than others. For the campaign newly detailed by Check Point, for example, beyond simply cutting and pasting a bank logo into messages, some of the attackers' emails purported to have come from Royal Bank of Canada, with attackers claiming recipients needed to submit their bank authorization code to renew a digital certificate they would need to continue to access RBC's online banking services. To try and amplify the psychological pressure for victims to comply with the message, the email said that unless they complied quickly, customers risked being locked out of their account (see Cryptocurrency Shakedown: Old Tactics, New Twist).
If recipients clicked on a link contained in the phishing email or an attached PDF, they were redirected to fake, lookalike sites, Check Point says. After entering their credentials, victims would be instructed to enter them again, then made to wait, while behind the scenes attackers attempted to immediately access and drain accounts, researchers say.
Again, these tactics are anything but new. And for this group of attackers - based on the IP addresses associated with their attack infrastructure - Check Point says that the group has been using the same tactics, albeit with different attachments, since at least 2017.
Same Old Tricks
One repeat crime maxim: If techniques or tactics are leading to a criminal payday, attackers have little impetus to change.
Evidence for this abounds, beyond the attack campaign detailed by Check Point. Last month, security firm Proofpoint detailed the actions of a newly discovered hacking group, which it said was using phishing emails - sometimes badged as being from the U.S. Postal Service - to try and plant malware on victims' devices and networks (see: Phishing Campaigns Spoof Government Agencies: Report).
Of course, attacks can also spoof legitimate sites in other ways. In August, for example, researchers at the Russian security firm Doctor Web uncovered a fake website for a VPN provider that was designed to spread a banking Trojan that can steal credentials to bank accounts (see: Fake VPN Website Delivers Banking Trojan).
Attackers mainly targeted English-speaking victims by using a cloned website of NordVPN that prompted visitors to download a trojanized version of the VPN software, Doctor Web reported.
Executive Editor Mathew Schwartz contributed to this report.