I recently had the pleasure of bumping into some of my Canadian friends at a Law Enforcement conference. So when I saw someone mention a "National Bank of Canada" phish, I thought I would pull on the string a bit and see if it was actually an "Interac" phish. Interac is a system for easily sending money between different Canadian banks. The phishers love it, because by imitating Interac, they can steal login information from any Canadian, regardless of where they bank.
By walking up to a higher directory, sure enough, the National Bank of Canada phish was just a tiny part of an underlying Interac phish hosted at 178.128.125[.]127, a Digital Ocean box in Kalívia, Attiki, Greece.
[Screenshot: 178.128.125[.]127/deposit]
We can tell by the timestamp of the directory that this is a fresh phish - created earlier this morning:
Clicking on each bank's logo would take the visitor to a phishing site for that brand. (Curiously, HSBC did not work for this author - it took us to the real HSBC website via a Google search?)
[Screenshot: ATB Phish]
[Screenshot: Desjardins Phish]
[Screenshot: Laurentian Bank (LBC) Phish]
[Screenshot: Manulife Bank Phish]
[Screenshot: RBC Royal Bank Phish]
Quite a few of the phish seemed to be formatted for browsing on a smartphone:
[Screenshot: BMO Mobile Phish]
[Screenshot: CIBC Mobile Phish]
[Screenshot: Meridian Bank Phish]
[Screenshot: Scotiabank Mobile Phish]
[Screenshot: Simplii Financial Phish]
[Screenshot: Tangerine Phish]
[Screenshot: TD Bank Phish]
On most of the phishing pages, after entering a Userid and Password, the phish would indicate that the deposit was no longer available by displaying an Interac Error page:
[Screenshot: An Interac Error page displays briefly, then forwards to the real bank]
This means that the banks may be able to detect these phishing victims by looking for "referring URLs" (the HTTP Referer header on inbound requests) coming from pages named "error.html", for example, in this case:
hXXp://178.128.125[.]127/deposit/banks/Laurentian/error.html
A few of the brands, such as National Bank of Canada, did ask for additional information:
[Screenshot: National Bank of Canada Phish Validation page]
After "Validating", the phish forwarded to the real site, nbc.ca, which means they also might wish to check for "referring URLs" containing "Validation" in the path, such as this one:
hXXp://178.128.125[.]127/deposit/banks/National/Validation/
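The two referrer checks described above, run over web access logs, as an added example (not code from the original post). It assumes Combined Log Format logs and a hypothetical bank hostname, examplebank.ca; the sample lines are constructed and use documentation IP ranges in place of the phishing host.

```python
import re
from urllib.parse import urlsplit

# Assumption: the bank's own hostnames; referrers from these are never flagged.
OWN_HOSTS = {"www.examplebank.ca", "examplebank.ca"}
# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def suspicious_referer(referer):
    """Return a reason if the referrer looks like the kit's hand-off page, else None."""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return None  # malformed header; the client controls this value
    host = (parts.hostname or "").lower()
    if not host or host in OWN_HOSTS:
        return None  # empty, "-", or our own site
    segments = [s.lower() for s in parts.path.split("/") if s]
    if segments and segments[-1] == "error.html":
        return "external error.html referrer"
    if "validation" in segments:
        return "external Validation path referrer"
    return None

def scan(lines):
    """Return (client_ip, time, referer, reason) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        reason = suspicious_referer(m["referer"])
        if reason:
            hits.append((m["ip"], m["time"], m["referer"], reason))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
_T = '[01/Jan/2020:09:14:02 +0000] "GET / HTTP/1.1" 200 5120'
SAMPLE = [
    f'198.51.100.23 - - {_T} "http://203.0.113.7/deposit/banks/Laurentian/error.html" "Mozilla/5.0"',
    f'198.51.100.40 - - {_T} "http://203.0.113.7/deposit/banks/National/Validation/" "Mozilla/5.0"',
    f'198.51.100.51 - - {_T} "https://www.examplebank.ca/error.html" "Mozilla/5.0"',
    f'198.51.100.62 - - {_T} "-" "Mozilla/5.0"',
    f'198.51.100.73 - - {_T} "https://www.google.com/search?q=examplebank" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Each hit gives a client IP and timestamp to correlate with the login that followed. A missing Referer proves nothing, since a kit page can suppress it and browsers may trim cross-origin referrers to the origin only.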
The CIBC Mobile Phish also had some additional questions for their potential victim:
[Screenshot: CIBC Mobile Phish Validation page]
So, my Canadian friends, if you get an unanticipated request to deposit funds to your account via Interac, you might want to delay accepting that deposit!