Criminals have been trying to steal login credentials of consumers and businesses of Canada’s biggest banks in a sustained and sophisticated phishing campaign for at least three years, says a security vendor.
In a report released this morning, Check Point Software says one of the latest campaigns tried to trick users of the Royal Bank Express service into clicking on a PDF, which leads to a realistic-looking login page.
“By sending highly convincing emails to their targets, constantly registering look-alike domains for popular banking services in Canada, and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time,” says the report.
Aseel Kayal, a Check Point malware analyst who helped in the research, couldn’t say how many people have fallen for the scams.
The most recent campaign was launched at the end of August. She hasn’t seen another one in the last few months, but that would be typical of the ebb and flow from this threat actor, she said.
What the report calls a “massive” infrastructure of IP addresses behind the campaigns found by Check Point is similar to one set up by a gang identified by IBM in 2017, including using PDFs. The recent Check Point results seem identical to the discovery in 2018 of a campaign against RBC discovered by Trend Micro that specifically targeted customers in California.
Without giving attribution, the IBM and Check Point reports note that the IP addresses in the infrastructure come from Ukraine.
The infrastructure identified by Check Point appears to come from the same infrastructure that over the years has launched efforts mimicking websites of this country’s largest financial institutions, including TD Bank, CIBC, Scotiabank, Bank of Montreal, as well smaller ones such as Tangerine (Scotiabank’s online bank), Simplii Financial (CIBC’s online bank), Desjardins Bank, Alberta’s provincially-owned ATB Financial, and the Interac interbank network.
Other targets include Rogers Communications, American Express, Wells Fargo, and Coast Capital Savings, a B.C. credit union.
Check Point found some 300 look-alike company domains that were hosting phishing websites.
Some of those who receive these emails have been specifically targeted with their names in the messages. Others are addressed to “Dear client,” or not addressed at all. But they have a similar message: The codes for their digital certificates have been re-issued, so the user has to log in and renew them.
The fake login pages are close copies of real financial institution pages.
Unusual for phishing, the campaigns use a PDF as a lure, which includes instructions on renewing the certificate. To evade detection sometimes the PDFs were password protected. To improve credibility some of the messages have included a photo of a real bank employee, cut and pasted from the web, with her title.
Those documents have a link to a so-called authorization certificate sign-in page, which is actually the fake page for capturing credentials.
The report notes that the fake login pages are merely screenshots of real pages. But they have invisible text boxes on top of the input fields where victims would type in names and passwords. Alarmingly, the scam also works even if the victim subscribes to a multi-factor authentication service for extra protection. The fake pages have a place for filling in a token number.
After logging in the victim is taken to a fake page to enter their new digital certificate authorization code, and then wait while the bank system supposedly updates and registers their new certificate. Meanwhile, the crooks are accessing and draining the account.
To avoid being taken in by scams, Kayal said people should avoid clicking on links in an email that supposedly takes you to a financial institution’s site. Instead, either use a bookmark you created previously or Google the name of the institution and type in or click on that.