Tuesday, June 7, 2016

An Overview of Canadian Bank Credential Phishing

In Canada, we have our fair share of bank account phishing. Most of these scams originate from two distinct teams, and each team has its own trademark way of operating.

In one corner, we have Team Asia.

  • They register a proper domain.  
  • They set up their own DNS and make the site look like a proper clone of the real bank site.
  • They are sometimes able to operate for a few months before they get taken down.
  • They send invites from the SMS code 7000 (formatted as 700-0).

In the opposite corner, we have Team Russia.

  • They don't register a proper site, preferring to hang off the back of an existing site.
  • They don't set up their own DNS, preferring to use the short.cm service.
  • They get taken down quickly, so are much more prolific.
  • They send text messages from full phone numbers, usually in Alberta, Ontario or British Columbia.

There are a few stragglers that I haven't assigned to one group or the other, but one particular code base does show up in a number of these, which means they're either the same person/group, or they're buying templates from the same source.
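To turn the two sets of tells above into something an SMS gateway or abuse desk could score automatically, here is an added example (not code from the original post) that labels an incoming message by its sender format and the host of any link it carries. The area-code set is an assumed illustrative subset for Alberta, Ontario and British Columbia, and the sample messages in the test are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators taken from the two patterns described in the post.
ASIA_SHORT_CODE = "7000"          # delivered as "700-0"
RUSSIA_SHORTENER = "short.cm"
# Assumption: an illustrative subset of Alberta, Ontario and British Columbia area codes.
RUSSIA_AREA_CODES = {"403", "780", "416", "647", "905", "604", "778", "250"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Verdict:
    pattern: str                            # "team-asia", "team-russia" or "unclassified"
    reasons: list = field(default_factory=list)


def sender_digits(sender: str) -> str:
    """Keep only digits so '700-0' == '7000' and '+1 (250) 555-0100' -> '2505550100'."""
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 11 and digits.startswith("1"):   # drop the NANP country code
        digits = digits[1:]
    return digits


def link_hosts(body: str) -> list:
    """Hostnames of every http(s) link in the message body, lower-cased."""
    return [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]


def classify_sms(sender: str, body: str) -> Verdict:
    digits = sender_digits(sender)
    hosts = link_hosts(body)
    reasons = []
    if digits == ASIA_SHORT_CODE:
        reasons.append("sender is short code 7000")
    if len(digits) == 10 and digits[:3] in RUSSIA_AREA_CODES:
        reasons.append(f"full number from area code {digits[:3]}")
    if any(h == RUSSIA_SHORTENER or h.endswith("." + RUSSIA_SHORTENER) for h in hosts):
        reasons.append("link routed through short.cm")
    # Short code 7000 is the Team Asia tell; a full AB/ON/BC number or a short.cm
    # link points at the Team Russia pattern. Anything else is left for manual triage.
    if reasons and reasons[0].startswith("sender is short code"):
        return Verdict("team-asia", reasons)
    if reasons:
        return Verdict("team-russia", reasons)
    return Verdict("unclassified", ["no known sender or link indicator" if hosts else "no link"])
```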

To give you an example of Team Russia:

Here's the SMS from area code 250.

As you can see, it's rather sloppy in comparison to Team Asia. The final link hangs off a Brazilian site, seen here:

URL aside, the site looks real, until you try to navigate, at which point you run into this:

And for anyone interested in the data, here that is.

As you can see, this isn't complicated at all, and that's a good thing, because most of Canada's banks run online banking with weaknesses that would not hold up against anything much more aggressive than this.

So, there you go.  The state of Canadian bank phishing in one quick post.