Two-Year Long Phishing Campaign Impersonates Canadian Banks

DDE_Server
Sep 5, 2017
Canadian banks are being impersonated in a phishing campaign targeting both individuals and businesses via a large-scale infrastructure shared with previous attacks going back to 2017 and pointing to the same attackers.

The infrastructure behind these Canadian-focused attacks includes hundreds of phishing websites designed to mimic major Canadian banks' websites as part of an effort to steal user credentials from the financial institutions' clients.

To get the targets on their phishing landing pages, the attackers use custom-crafted and legitimate-looking email messages with malicious PDF attachments.

The attachments are also designed to look like official communications from the potential victims' banks, including bank logos and almost flawless grammar.

Attackers also leverage urgency-inducing language, a highly common tactic in phishing attacks, warning victims that their accounts will be locked if no action is taken within the next two days.

Swiping the banking credentials
In the phishing emails, the attackers ask their victims to log into their bank accounts as urgently as possible to update various account-related information.

After the links embedded in the PDF attachments are clicked, the targets will be sent to a phishing landing page that clones the bank's real login page where they are "asked to enter their sign-in ID password in the two-factor authentication token provided by the bank."

The attackers used a quick technique to clone the banks' login pages, adding a screenshot of their website on the landing pages used to collect their victims' credentials, with text boxes on top of the login fields where the information has to be entered.

However, as the Check Point researchers that discovered this ongoing phishing campaign found, "while the victim is waiting for the request to be processed, the attackers steal those credentials and transfer money behind the scenes."

Furthermore, while analyzing the current campaign, the researchers were able to spot connections to previous attacks reported in 2017 by IBM X-Force's research team, attacks that were also targeting Canadian banks' customers.

Just like in the case of the current campaign, IBM X-Force's researchers said at the time that the attacks were "designed to trick those with account access to divulge their company’s online banking credentials, one-time passwords, and two-factor authentication codes."

Additionally, they also found that "the goal of this targeted phishing attack is to take the account over and transfer money to mule accounts that the criminals control."

Targeted Canadian banks
In all, Check Point's research team was able to discover over 300 domains that closely resemble bank websites and were used to host phishing websites for the following Canadian banks:

• The Royal Bank of Canada
• Scotiabank
• BMO Bank of Montreal
• Interac
• Tangerine
• Desjardins Bank
• CIBC Canadian Imperial Bank of Commerce
• TD Canada Trust
• Simplii Financial
• ATB Financial
• American Express
• Rogers Communications
• Coast Capital Savings
• Wells Fargo

More detailed information on how the attackers hosted multiple domains on the servers they controlled, as well as more examples of phishing landing pages used in these attacks, are available within Check Point's report.

Indicators of compromise (IOCs) including a list of IP addresses and phishing PDF sample hashes are also listed at the end of the report published here.
