Who is Being Targeted?
Security researchers from Check Point Research have discovered a two-year phishing campaign targeting both private and commercial bank customers in Canada. The campaign has been targeting some of Canada’s largest banks including Royal Bank of Canada, TD Canada Trust, Bank of Nova Scotia and CIBC Canadian Imperial Bank of Commerce. The latest phishing attack has been impersonating the Royal Bank of Canada (RBC).
How Is the Phishing Attack Being Carried Out?
Attackers start by sending out what appear to be genuine emails from RBC to unsuspecting individuals and companies. The emails contain a pdf attachment that includes what seems to be an official RBC logo. The email also contains authorization code that the victim is asked to renew. When victims click on any of the links in the pdf, they are taken to a phishing page that looks identical to the RBC online banking login page. Once the fake login page opens, the victims are asked to enter their online banking login credentials. Once the victim has supposedly signed into RBC, they are taken to a fake registration page. Here they are asked to enter the authorization code received in the phishing email. The victim is then asked to wait while the system supposedly updates their profile and registers their new digital certificate.
2 Year Phishing Campaign Discovered
Whilst investigating the RBC attacks, the researchers discovered that the phishing campaign on Canadian Banks has been ongoing for several years. It was the pdf attachments sent with the RBC phishing emails that provided the breakthrough, as they contained linguistic clues. The researchers found that “there were multiple variants of the pdf attachments, with slight differences between them. However, some of the textual instructions they contained were repetitive, used unique phrasing and appeared in more than one document.” This unique phrasing allowed researchers to hunt for further documents with the same phrasing. In doing so they found related pdfs dating back to 2017. Researchers at Check Point Research wrote: “By sending highly convincing e-mails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time.”
Who are the Attackers?
It is not yet known who the attackers are. However, the phishing website that appeared on the RBC attachments resolved to a Ukrainian IP address. This IP address was found to be hosting more domains impersonating not only RBC but other Canadian banks as well. Furthermore, it was discovered that this IP address is part of a large infrastructure used to launch phishing attacks. All phishing attacks from this infrastructure appear to be aimed at stealing banking credentials from Canadian victims.
How to Avoid Similar Phishing Scams
To avoid falling victim to similar phishing campaigns, it is recommended not to click on links in emails that supposedly connect to banks’ websites. Instead, people are advised to either use a bookmark previously created in their browser of choice or Google the name of the bank and click on that. More information on how to avoid falling victim to phishing scams in general is provided on this site under this link.
