Researchers at Check Point Research have uncovered a massive phishing attack that has cast a wide net over customers of Canadian banks. Check Point found the campaign through a phishing email impersonating legitimate correspondence from the Royal Bank of Canada. As the post from Check Point states, this eventually led researchers to the following evidence:
"Looking into the detected artifacts revealed an ongoing phishing attack that has been going after customers of Canadian banks for at least two years. By sending highly convincing e-mails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time."
The phishing emails generally follow a similar framework regardless of which Canadian bank is being impersonated. In the most recent example, the attack involving the Royal Bank of Canada, users are tricked into downloading a malicious PDF document. This is accomplished by convincing victims that they need to renew their digital certificate for online banking. The document then links to spoofed pages of the Royal Bank of Canada. As one may guess, the spoofing allows the threat actors to collect banking data. In almost all of the cases targeting customers of Canadian banks, the main goal is getting the victim to download a PDF and interact with it.
After doing some digging, Check Point uncovered an IP address (176.119.1[.]80) that originates in Ukraine. Following this, researchers found that most of the IP addresses in the 176.119.1[.]0/24 netblock were used to spoof other Canadian banks as part of the two-year campaign. The fake domains impersonated a large number of banks: The Royal Bank of Canada, Scotiabank, BMO Bank of Montreal, Interac, Tangerine, Desjardins Bank, CIBC Canadian Imperial Bank of Commerce, TD Canada Trust, Simplii Financial, and many more.
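For defenders, the netblock pivot described above translates into a simple check over DNS resolver logs. The following is an added example, not code from Check Point or the original article: it refangs the netblock as written here and flags lookups answered from it, ranking bank-themed hostnames higher. The log format, the sample lines, the brand tokens and the severity labels are all constructed assumptions.

```python
import ipaddress
import re

# Netblock as written (defanged) in the article.
DEFANGED_NETBLOCK = "176.119.1[.]0/24"

# Assumed hostname tokens for banks named in the article (not from Check Point).
BRAND_TOKENS = {"rbc", "royalbank", "scotiabank", "bmo", "interac",
                "tangerine", "desjardins", "cibc", "simplii"}

# Constructed resolver log: "<timestamp> <client> <queried name> <answer IP>"
SAMPLE_LOG = """\
2019-01-01T10:00:00Z 10.0.0.5 rbc-secure-login.example 176.119.1.80
2019-01-01T10:00:05Z 10.0.0.7 www.example.org 93.184.216.34
2019-01-01T10:01:00Z 10.0.0.5 cdn.example.net 176.119.1.17
2019-01-01T10:02:00Z 10.0.0.9 malformed line
2019-01-01T10:03:00Z 10.0.0.9 interac-etransfer.example 198.51.100.20
"""

def refang(indicator):
    """Turn a defanged indicator such as 1.2.3[.]4 back into parseable form."""
    return indicator.replace("[.]", ".")

def brand_tokens_in(hostname):
    """Return brand tokens that appear as whole labels or hyphen-separated parts."""
    parts = set(re.split(r"[^a-z0-9]+", hostname.lower()))
    return sorted(parts & BRAND_TOKENS)

def triage(log_text, netblock=DEFANGED_NETBLOCK):
    """Flag lookups answered from the netblock; brand-themed names rank higher."""
    net = ipaddress.ip_network(refang(netblock))
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # wrong field count
        _ts, client, name, answer = fields
        try:
            if ipaddress.ip_address(answer) not in net:
                continue
        except ValueError:
            continue  # answer field is not an IP address
        severity = "high" if brand_tokens_in(name) else "medium"
        findings.append((severity, client, name, answer))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Token matching on whole hostname parts keeps false positives low but misses names where the brand is fused with other text, so treat "medium" hits in the netblock as worth a look as well.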
In light of the phishing attack, customers of any Canadian banking service are fair game for these threat actors, and for that reason, Canadians should be extra diligent when responding to emails that appear to come from their bank.