Researchers at Check Point have discovered a new phishing campaign impersonating the Royal Bank of Canada (RBC).
Threat actors send legitimate-looking emails with a PDF attachment to multiple organisations across Canada.
“By sending highly convincing e-mails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time,” the researchers explained.
The attachment uses the Royal Bank’s logo and displays an authorisation code which the victim allegedly needs in order to renew their digital certificate for the RBC online banking systems.
When the victim clicks on any of the URLs in the document, they are redirected to a phishing page asking them to enter their RBC Express credentials.
“Although the phishing website looks identical to the login page in the official RBC website, the attackers did not invest a lot of effort into replicating it. They simply took a screenshot of the official website, and added invisible textboxes on top of the input fields to harvest the victim’s credentials.”
When the victim tries to sign in, they are then redirected to a page where they have to enter the authorisation code provided in the email.
Researchers found multiple versions of the PDF attachments, which allowed them to hunt for more samples and led to the discovery of PDFs dating back to 2017.
The phishing website resolved to a Ukrainian IP address. Upon investigating the IP address, researchers discovered that it hosted more domains impersonating RBC and other banks including CIBC, Scotiabank, Desjardins bank and TD Canada Trust.
Jonathan Knudsen, senior security strategist at Synopsys, told Infosecurity Magazine: “Users should understand the capabilities of phishers; they should know that anyone can construct a website that looks just like the real thing, and anyone can get a legitimate certificate for a fake website.”
The post #Privacy: Canadian banks targeted by two-year phishing campaign appeared first on PrivSec Report.