Customers of Canadian banks have been targeted by cybercriminals in an extensive phishing campaign that has been ongoing for at least the past two years, according to Check Point Research which uncovered the campaign. As with many other financial phishing scams, the attackers spoof the website of a well-known bank and create a virtual carbon copy of the home page of the bank on a lookalike domain, which often only differs from the genuine domain name by a letter or two.
A link to the fraudulent site is then sent in a mass spamming campaign to email addresses on the specific country top level domain where the bank operates. The emails instruct users to visit the banks website and login, usually under the guise of a security alert. When the link in the email is clicked, the user is directed to the spoofed site and may not notice the domain name is not quite right. They then enter their login credentials which are captured by the scammers. The credentials are then used to make fraudulent wire transfers to accounts controlled by the attackers.
In this campaign, the emails include a PDF email attachment. PDF files tend to be trusted to a higher degree than Word documents and spreadsheets, which end users have usually been instructed to treat as suspicious. The PDF file includes a hyperlink, which the user is instructed to click. Since the hyperlink is in the document rather than the email body, it is less likely to be scanned by email security solutions and has a higher chance of being delivered.
The user is told that they are required to update their digital certificate to continue using the online banking service. The PDF file includes the bank logo and a security code, which the user is required to enter when logging in. The code is included in the PDF attachment rather than email body for security reasons. As with most phishing scams, there is urgency. The recipient is told that the code expires in 2 days and that they must register within that time frame to avoid being locked out of their account.
The landing pages on the websites are identical to those used by the banks as the attackers have simply taken a screen shot of the bank’s landing page. Text boxes have been added where the username, password, and token number must be entered. Users are then asked to confirm the details they entered while the attackers attempt to access their account in real-time and make a fraudulent transfer.
These tactics are nothing new. Scams such as this are commonplace. What is surprising is how long the campaign has been running undetected. The scammers have been able to operate undetected by registering many lookalike domains which are used for a short period of time. Hundreds of different domains have been registered and used in the scam. At least 14 leading banks in Canada have had their login pages spoofed including TD Canada Trust, Scotiabank, Royal Bank of Canada, and BMO Bank of Montreal.
All of the websites used in the scam have now been taken down, but it is all but guaranteed that other lookalike domains will be registered and further scams will be conducted.