Researchers have unearthed a two-year phishing campaign targeting bank customers in Canada.
Fourteen banks, including CIBC, TD Canada Trust, Scotiabank, and the Royal Bank of Canada (RBC) were spoofed in a large-scale operation that involved multiple look-alike domains.
The attack starts by sending legitimate-looking emails containing a PDF attachment. The attachment uses what appears to be an official bank logo, as well as an authorization code.
Victims are told that they need to renew their digital certificate so that they can continue to access online banking. When the victim clicks on any of the URLs that appear in the attached document, they are led to a phishing page asking them to enter their banking credentials.
The intricate scam was uncovered by researchers at Check Point Research, who wrote: "Looking into the detected artifacts revealed an ongoing phishing attack that has been going after customers of Canadian banks for at least two years.
"By sending highly convincing emails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time."
In the case of RBC, although the phishing website looks identical to the bank's genuine RBC express login page, the attackers actually invested little time in constructing the deceptive replica.
"They simply took a screenshot of the official website and added invisible text boxes on top of the input fields to harvest the victim’s credentials," wrote researchers.
Linguistic clues led the researchers to discover the longevity of the scammers' cruel charade.
Researchers wrote: "There were multiple variants of the PDF attachments, with slight differences between them. However, some of the textual instructions they contained were repetitive, used unique phrasing and appeared in more than one document.
"This allowed us to hunt for more samples and find related PDFs dating back to 2017."
The phishing website that appeared in the PDF attachments resolved to a Ukrainian IP address, which researchers found was hosting more domains impersonating RBC in addition to other banks.
Commenting on the scam, senior security strategist at Synopsys Jonathan Knudesn said he felt it was time users wised up.
"Users should understand the capabilities of phishers; they should know that anyone can construct a web site that looks just like the real thing, and anyone can get a legitimate certificate for a fake web site."