A large-scale phishing campaign has been targeting online banking customers, most of them Canadian, for the last two years, researchers at Check Point have found.
The campaign was discovered while tracing a stream of phishing emails impersonating those from the Royal Bank of Canada (RBC). An analysis of the email revealed a Ukrainian IP address that hosted more than 300 domains imitating RBC and other financial institutions.
"The detected artifacts revealed a phishing attack that has been going after customers of Canadian banks for at least two years," read the Check Point report.
"By sending highly convincing e-mails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time."
The phishing emails instructed victims to log into their bank accounts as soon as possible to update account details. Victims entered those details into bogus web pages, and the attackers used the captured data to steal money from them, the report said.
With all the power of social media being used to steal credentials, phishing schemes have become extremely sophisticated, targeted and fast, noted Justin Fox, director of dev-ops engineering at NuData.
"The clock is ticking from the moment a user receives a malicious email. Most users will click on the links and provide their information, or open a malware-infected document in that first hour. Once they do, their credentials are immediately harvested by hackers to leverage or sell on the dark web."
The PDF attached to one of the phishing emails led researchers to a bigger, cross-border campaign, said the report.
"There were multiple variants of the PDF attachments (in the emails), with slight differences between them. However, some of the textual instructions they contained were repetitive, used unique phrasing and appeared in more than one document. This allowed us to hunt for more samples and find related PDFs dating back to 2017."
Some of the PDF documents were protected using passwords, in an attempt to evade detection. The password was mentioned in the email, the report said.
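The password-in-the-email trick described above is something a mail gateway can test for directly: an encrypted PDF attachment is unusual on its own, and becomes much more suspicious when the body of the same message hands over the password. The following is an added example written for this article, not Check Point's tooling or any vendor's product. It builds constructed sample messages with Python's standard email library, uses the presence of an /Encrypt entry in the PDF trailer as a cheap encryption check (a real gateway would parse the PDF properly), and flags messages where both signals are present. The PDF byte strings are constructed stubs, not real documents.

```python
import re
from email import policy
from email.message import EmailMessage

# Words in the body that suggest the sender is disclosing the attachment's password
# (assumption: a defender would tune this list for their own mail stream).
PASSWORD_HINT_RE = re.compile(r"\b(password|passcode)\b", re.IGNORECASE)

# Constructed stand-ins for a PDF: only the %PDF header and trailer keys matter here.
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj <</Type /Catalog>> endobj\n"
                 b"trailer <</Root 1 0 R /Encrypt 2 0 R>>\n%%EOF\n")
PLAIN_PDF = b"%PDF-1.4\n1 0 obj <</Type /Catalog>> endobj\ntrailer <</Root 1 0 R>>\n%%EOF\n"


def pdf_is_encrypted(data: bytes) -> bool:
    """Cheap heuristic: a password-protected PDF's trailer references an /Encrypt dictionary."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def build_message(body_text: str, pdf_bytes: bytes) -> EmailMessage:
    """Constructed sample message with one PDF attachment (addresses are placeholders)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alerts@bank.example"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Action required: update your profile"
    msg.set_content(body_text)
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename="instructions.pdf")
    return msg


def check_message(msg: EmailMessage) -> dict:
    """Return the two signals and a combined verdict for one parsed message."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    encrypted_pdf = any(
        part.get_content_type() == "application/pdf"
        and pdf_is_encrypted(part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    )
    password_hint = PASSWORD_HINT_RE.search(text) is not None
    return {
        "encrypted_pdf": encrypted_pdf,
        "password_in_body": password_hint,
        # Either signal alone is worth logging; together they match the pattern in the report.
        "suspicious": encrypted_pdf and password_hint,
    }


if __name__ == "__main__":
    sample = build_message("Open the attached statement. The password is 4471.", ENCRYPTED_PDF)
    print(check_message(sample))
```

Either signal on its own is a reasonable thing to log; the combination is what justifies quarantining the message for review, since a legitimate sender who encrypts a document normally shares the password out of band.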
"The phishing website which appeared in the PDF attachments we investigated at first (royalexpressprofile[.]com) resolved to a Ukrainian IP address: 176.119.1[.]80. Examining this IP address revealed that it hosted more domains impersonating RBC in addition to other banks."
Education and basic precautions are the key to avoiding phishing attacks, said Jonathan Knudsen, senior security strategist at Synopsys.
"Users should understand the capabilities of phishers. They should know that anyone can construct a website that looks just like the real thing, and anyone can get a legitimate certificate for a fake website."
Users should always check the URL they are visiting to make sure it matches what they expect, and should demand more details if they suspect foul play, Knudsen suggested.
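Two points above translate naturally into a triage script: Check Point's pivot from one phishing domain to a single IP hosting many look-alike domains, and Knudsen's advice to compare the URL in a message against the domain you expect. The following is an added example written for this article (it is not Check Point's code or any bank's). It extracts URLs from constructed sample email bodies, reduces each to its registrable domain, flags domains that either sit within a couple of edits of a legitimate bank domain or merely contain a brand word without being allowlisted, and then groups flagged domains by the IP they resolve to so that a shared host stands out. The allowlist, brand tokens and most sample domains are assumptions made for the example; the first sample domain and the IP are the report's own published indicators, and the resolution map stands in for passive-DNS data.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Legitimate domains a defender maintains (assumption: a short list for the example).
LEGIT_DOMAINS = {"rbc.com", "rbcroyalbank.com", "scotiabank.com", "bmo.com"}
# Brand words whose presence in a non-allowlisted domain is suspicious (assumption).
BRAND_TOKENS = ("rbc", "royalbank", "royal", "scotiabank", "bmo")

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the '[.]' defanging used in reports so indicators parse as normal URLs."""
    return text.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of a host (assumption: no multi-part TLDs such as .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typosquats of a brand domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> tuple:
    """Return (verdict, reason) for one registrable domain."""
    if domain in LEGIT_DOMAINS:
        return "legit", "allowlisted"
    sld = domain.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_sld = legit.split(".")[0]
        # Only compare against longer brand names; short ones like "rbc" would match too much.
        if len(legit_sld) >= 6 and edit_distance(sld, legit_sld) <= 2:
            return "lookalike", f"within 2 edits of {legit}"
    for tok in BRAND_TOKENS:
        if tok in sld:
            return "lookalike", f"brand token '{tok}' in non-allowlisted domain"
    return "unknown", "no brand match"


def extract_urls(email_body: str) -> list:
    return URL_RE.findall(refang(email_body))


def triage_emails(emails, resolutions, ip_threshold=3):
    """Flag look-alike URLs per message and IPs hosting several look-alike domains.

    emails: iterable of (message_id, body); resolutions: {domain: ip}, e.g. from passive DNS.
    """
    findings = []
    by_ip = defaultdict(set)
    for msg_id, body in emails:
        for url in extract_urls(body):
            domain = registrable_domain(urlparse(url).hostname or "")
            verdict, reason = classify_domain(domain)
            if verdict == "lookalike":
                findings.append((msg_id, domain, reason))
                ip = resolutions.get(domain)
                if ip:
                    by_ip[ip].add(domain)
    shared_hosts = {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= ip_threshold}
    return findings, shared_hosts


# Constructed sample messages; the first domain and the IP below are the report's indicators.
SAMPLE_EMAILS = [
    ("m1", "Please update your profile at http://royalexpressprofile[.]com/login within 24h."),
    ("m2", "Verify now: https://rbc-secure-update.com/verify?acct=1"),
    ("m3", "Your statement: https://www.rbcroyalbank.com/statements"),
    ("m4", "Meeting notes at https://intranet.example.com/notes"),
    ("m5", "Action required: http://scotiabank-alerts.net/confirm"),
]
SAMPLE_RESOLUTIONS = {
    "royalexpressprofile.com": "176.119.1.80",
    "rbc-secure-update.com": "176.119.1.80",
    "scotiabank-alerts.net": "176.119.1.80",
    "rbcroyalbank.com": "192.0.2.10",
}

if __name__ == "__main__":
    flagged, shared = triage_emails(SAMPLE_EMAILS, SAMPLE_RESOLUTIONS)
    for item in flagged:
        print("lookalike:", item)
    print("shared hosting:", shared)
```

The brand-token check is deliberately loose and will produce false positives; its job is to surface candidates for a reviewer, and the shared-IP grouping is what turns a handful of candidates into the kind of infrastructure cluster the report describes.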
However, educating end users is not a reliable solution, said NuData’s Fox.
"The continued success of these attacks highlights a major flaw in identity validation techniques that can be stolen and reused. A multi-layered approach to authentication that provides newer and more secure techniques such as passive biometrics and behavioral analytics should be implemented by companies to determine if the expected human user is accessing and transacting on the account or a cyber-criminal that needs to be blocked," he said.
Thomas Richards, principal consultant at Synopsys, also puts the onus of security on companies.
"Phishing and email-based attacks present a twofold problem for companies to solve; the first is technical controls and the second is human education. Companies should invest in a spam and email filtering service to prevent known or suspicious emails from reaching recipients. Additional controls include endpoint protection software and configuring the corporate email client to present a banner on any external emails," he said.
"Regarding the human controls, employee security awareness training should be mandatory for all employees and cover typical phishing attack methods and what should make a recipient suspicious. Finally, a company should also invest in regular phishing security testing on their employees to ensure that the technical controls and human education components are working to prevent a real attack," he added.