Canadian banks targeted in a massive phishing campaignDecember 23, 2019
Recently, Check Point engines detected a new phishing campaign impersonating the Royal Bank of Canada (RBC).
The attack starts by sending legitimate-looking e-mails containing a PDF attachment to multiple organizations and victims from Canada:
Figure 1: Phishing e-mail
Looking into the detected artifacts revealed an ongoing phishing attack that has been going after customers of Canadian banks for at least two years. By sending highly convincing e-mails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time.
The PDF attachment uses the Royal Bank’s logo, as well as an authorization code that the victim supposedly needs to renew their digital certificate for the RBC express online banking systems:
Figure 2: PDF attachment
When the victim clicks on any of the URLs which appear in the above document, they are led to a phishing page asking them to enter their RBC express credentials.
Although the phishing website looks identical to the login page in the official RBC website, the attackers did not invest a lot of effort into replicating it. They simply took a screenshot of the official website, and added invisible textboxes on top of the input fields to harvest the victim’s credentials:
Figure 3: Phishing page
After the victim tries to sign in, they are taken to a registration page where they are asked to enter the authorization code received via the phishing e-mail:
Figure 4: Victim is asked to insert the authorization code
Lastly, the victim is asked to wait while a digital certificate is supposedly being registered for them:
Figure 5: Victim’s registration is being processed
There were multiple variants of the PDF attachments, with slight differences between them. However, some of the textual instructions they contained were repetitive, used unique phrasing and appeared in more than one document.
This allowed us to hunt for more samples and find related PDFs dating back to 2017:
To evade detection, the PDFs were password-protected in some cases, and the password was mentioned in the e-mail’s body:
Figure 7: Password-protected attachments
Connecting the Dots
The phishing website which appeared in the PDF attachments we investigated at first (royalexpressprofile[.]com) resolved to a Ukrainian IP address: 176.119.1[.]80.
Examining this IP address revealed that it hosted more domains impersonating RBC in addition to other banks:
Figure 8: Domains resolving to 176.119.1[.]80
As it turns out, there were many more IP addresses on the same netblock 176.119.1[.]0/24 that were part of a massive infrastructure used to launch phishing attacks that attempt to steal banking credentials from Canadian victims:
Figure 9: Phishing websites resolving to IPs on the same netblock
Figure 10: Examples of phishing pages from the same netblock
Blast from the Past
Some of the domains that we came across by looking up the related IP addresses had WHOIS records:
Figure 11: WHOIS information
Although the WHOIS records included fake information about nonexistent individuals, we were able to find other domains registered using the same details,
and we noticed an overlap with the infrastructure of a phishing attack targeting Canadian businesses reported back in 2017.
Figure 12: Old phishing infrastructure
Back then, the domains resolved to IP addresses on a different netblock under the same ASN: 176.119.5[.]0/24.
Figure 13: Shared WHOIS Information
Overall, we tracked more than 300 look-alike domains that hosted phishing websites for the following banks:
- The Royal Bank of Canada
- BMO Bank of Montreal
- Desjardins Bank
- CIBC Canadian Imperial Bank of Commerce
- TD Canada Trust
- Simplii Financial
- ATB Financial
- American Express
- Rogers Communications
- Coast Capital Savings
- Wells Fargo
Indicators of Compromise
Check Point successfully intercepted these described attacks and was able to block all of the malicious attachments involved in this campaign.