Comment: Canadian Banks Impersonated In Two-year Long Phishing Attack

It has been reported that Canadian banks are being impersonated in a phishing campaign targeting both individuals and businesses. The campaign runs on a large-scale infrastructure shared with previous attacks going back to 2017, which points to the same attackers. The infrastructure behind these Canadian-focused attacks includes hundreds of phishing websites designed to mimic the websites of major Canadian banks, as part of an effort to steal the credentials of the financial institutions' clients. To get targets onto the phishing landing pages, the attackers use custom-crafted, legitimate-looking email messages carrying malicious PDF attachments.

3 Expert Comments
Justin Fox, Director of DevOps Engineering
InfoSec Expert
January 1, 2020 10:46 am

Phishing schemes have become extremely sophisticated, targeted and deployed with all the power of social media aimed at stripping end users of their authentication credentials and other sensitive information. With phishing emails, from the moment a user receives a malicious email in their inbox, the clock is ticking – most users will click on links and provide their information, or open a malware infected document in that first hour. Once they do, their credentials are immediately harvested for hackers to leverage or sell on the Dark Web.

Educating end users is not a reliable solution. The continued success of these attacks highlights a major flaw in identity validation techniques that can be stolen and reused. A multi-layered approach to authentication that provides newer and more secure techniques such as passive biometrics and behavioral analytics should be implemented by companies to determine if the expected human user is accessing and transacting on the account or a cybercriminal that needs to be blocked.

Last edited 2 years ago by Justin Fox
Thomas Richards, Principal Consultant
InfoSec Expert
January 1, 2020 10:45 am

Phishing and email-based attacks present a twofold problem for companies to solve; the first is technical controls and the second is human education. Companies should invest in a spam and email filtering service to prevent known or suspicious emails from reaching recipients. Additional controls include endpoint protection software and configuring the corporate email client to present a banner on any external emails. The banner can be used to warn recipients that it is an external email and to be cautious when opening any attachments, clicking links, or responding. Regarding the human controls, employee security awareness training should be mandatory for all employees and cover typical phishing attack methods and what should make a recipient suspicious. Finally, a company should also invest in regular phishing security testing on their employees to ensure that the technical controls and human education components are working to prevent a real attack.

Last edited 2 years ago by Thomas Richards
Jonathan Knudsen, Senior Security Strategist
InfoSec Expert
January 1, 2020 10:43 am

Education and basic precautions are the key to avoiding phishing attacks. Users should understand the capabilities of phishers; they should know that anyone can construct a web site that looks just like the real thing, and anyone can get a legitimate certificate for a fake web site. Users should always check the URL they are visiting to make sure it matches what they expect. They should trust their instincts when it seems like something is not quite right, or they are being asked for credentials at an unexpected time.

Last edited 2 years ago by Jonathan Knudsen
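As an added illustration of the URL check Jonathan Knudsen recommends (example code written for this page, not from the article or any of the commenters), the Python snippet below extracts links from a message body and classifies each by whether its registered domain is one the organisation expects, flagging links that carry a bank's name somewhere other than the expected domain. The bank domains, brand tokens and sample message are constructed placeholders, and the two-label registered-domain rule is a simplification that ignores the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders: domains a user legitimately expects to bank on,
# and the brand strings a lookalike page would reuse. Not real bank domains.
EXPECTED_BANK_DOMAINS = {"examplebank.ca", "example-credit-union.ca"}
BANK_BRAND_TOKENS = {"examplebank", "example-credit-union"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registered_domain(host):
    """Last two labels of the host. Assumption: a simplification that is wrong for
    multi-part public suffixes such as .co.uk; a real deployment would use the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return 'expected', 'lookalike', 'unrelated' or 'invalid' for one link."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return "invalid"
    if registered_domain(host) in EXPECTED_BANK_DOMAINS:
        return "expected"
    # Bank name in a subdomain, userinfo ("user@bank.ca@evil"), or path of
    # some other registered domain is the classic mimicry pattern.
    haystack = parsed.netloc.lower() + parsed.path.lower()
    if any(token in haystack for token in BANK_BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def triage_links(text):
    """Extract every link in a message body and pair it with its verdict."""
    return [(url, classify_url(url)) for url in URL_RE.findall(text)]


# Constructed sample lure text, in the style of the PDF/email lures described above.
SAMPLE_MESSAGE = """Your account has been locked. Review the attached statement or visit
https://examplebank.ca.account-review.example/login to restore access.
Regular statements remain available at https://www.examplebank.ca/statements
"""

if __name__ == "__main__":
    for url, verdict in triage_links(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
```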
Information Security Buzz