A newly detailed phishing campaign is targeting customers of Canadian banks, but this one has been around awhile: It’s believed to be at least two years old.

Detailed by security researchers at Check Point Security Technologies Ltd., which published its findings today, the phishing campaign involves highly convincing emails sent to targeted customers that use “look-alike” domains to appear convincing. Described as a large-scale operation, the emails have been found to target customers of 14 Canadian banks including CIBC, TD Canada Trust, Scotiabank and the Royal Bank of Canada.

Customers tricked by the phishing emails are directed to a legitimate-looking fake website that then prompts them to log into their accounts. When the victims enter their details, their credentials they are then taken to a registration page where they’re asked to enter an authorization code received via the phishing email. Then the customers are asked to wait while a digital certificate registers them.

Exactly who is behind the phishing campaign is unknown, but IP addresses linked to the emails trace back to Ukraine. Whois data for the IP addresses were found to have false information.

“By sending highly convincing emails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time,” the Check Point researchers noted.

Education and basic precautions are the keys to avoiding phishing attacks, Jonathan Knudsen, senior security strategist at electronic design automation company Synopsys Inc., told SiliconANGLE.

“Users should understand the capabilities of phishers; they should know that anyone can construct a web site that looks just like the real thing, and anyone can get a legitimate certificate for a fake web site,” Knudsen explained. “Users should always check the URL they are visiting to make sure it matches what they expect. They should trust their instincts when it seems like something is not quite right, or they are being asked for credentials at an unexpected time.”

Thomas Richards, principal consultant at Synopsys, added that phishing and email-based attacks present a twofold problem for companies to solve: technical controls and education.

“Companies should invest in a spam and email filtering service to prevent known or suspicious emails from reaching recipients,” Richards said. “Additional controls include endpoint protection software and configuring the corporate email client to present a banner on any external emails. The banner can be used to warn recipients that it is an external email and to be cautious when opening any attachments, clicking links, or responding.”

Photo: Pixabay