Unmasking a Phishing campaign targeting major Canadian Banking customers

It was a lazy Sunday afternoon when I got a Twitter alert about an SMS phishing campaign targeting customers of the Royal Bank of Canada (RBC).

Smishing (SMS + Phishing)

Being my naturally curious self on a slow afternoon, I started poking around the site and quickly discovered two things:

  1. hxxp://rbc[.]com[.]ssl-sec-mls-119[.]com/r/ - the /r/ portion of the path intrigued me

  2. Analyzing the form submission page, I also found a page called /r/counter/

rbc1.jpg

Going through the data in the counter page, I quickly realized that these IP addresses belong to potential victims. Out of the 701 records, 60 users (~10%) submitted all the data to the attacker. Sample below.

rbc2.jpg

With this knowledge in mind, I wanted to go back to /r/ and fuzz that letter to see what else returned an HTTP status 200. I hypothesized that the ‘r’ in /r/ stood for “RBC”, so I tried ‘/c/’ for “CIBC” and, to my delight, got a status 200 and a familiar-looking website.

cibc1.jpg

My immediate next step was to determine whether this page had already been used to phish unsuspecting victims, so I made my way over to “/c/counter/”. This time, to my surprise, I saw a total count of 1068 potential victims, with approximately 10% having provided all their information to the attacker. At this point I decided to fuzz ‘a..z’ and see which letters returned a status 200, and to collect the data from each counter page. I was also convinced by now that this attacker had been doing this for some time, and that I had to do something to unmask the operation and its infrastructure at the very least. The research uncovered 6 phishing pages targeting customers of the following Canadian banks.

  1. BMO - /b/

  2. CIBC - /c/

  3. RBC - /r/

  4. Desjardins - /d/

  5. Tangerine - /t/

  6. Scotia Bank - /s/

It was also obvious that all of these pages had been used, or were still in use, to phish Canadians.

counters.JPG

The Infrastructure

  1. IP - 47[.]74[.]225[.]213

  2. URL - http://rbc[.]com[.]ssl-sec-mls-119[.]com/r/

The domain was registered on the 29th of December, 2018.
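An analyst-side helper, added here and not part of the original write-up, that refangs a defanged indicator like the URL above and flags the subdomain-impersonation pattern it uses (a bank's real domain placed as leading labels under an unrelated registrable domain). The brand-domain list and the naive last-two-labels rule for the registrable domain are my assumptions.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed canonical domains of the brands the phishing kit impersonated.
BRAND_DOMAINS = {
    "rbc.com": "RBC",
    "cibc.com": "CIBC",
    "bmo.com": "BMO",
    "desjardins.com": "Desjardins",
    "tangerine.ca": "Tangerine",
    "scotiabank.com": "Scotiabank",
}


def refang(indicator: str) -> str:
    """Turn a defanged IoC (hxxp://, [.]) back into a parseable URL."""
    s = indicator.strip()
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s.replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.ca; a public-suffix
    list would be needed for suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _contains_labels(host_labels: List[str], brand_labels: List[str]) -> bool:
    n = len(brand_labels)
    return any(host_labels[i:i + n] == brand_labels
               for i in range(len(host_labels) - n + 1))


def lookalike_report(url: str) -> Optional[dict]:
    """Return a report when a brand domain appears as a label sequence inside
    the hostname but the registrable domain is something else, e.g.
    rbc.com.ssl-sec-mls-119.com. Legitimate hosts such as www.rbc.com pass."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    host_labels = host.split(".")
    actual = registrable_domain(host)
    for brand, name in BRAND_DOMAINS.items():
        if actual != brand and _contains_labels(host_labels, brand.split(".")):
            return {"brand": name, "impersonated": brand, "actual_domain": actual}
    return None


def triage(urls: List[str]) -> List[dict]:
    """Run lookalike_report over a batch of (constructed) indicators."""
    return [r for r in (lookalike_report(u) for u in urls) if r]
```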

Hosted on Alibaba Cloud

111 parent domains - https://pastebin.com/shzRhwGd

We notified the banks and saw a response from CIBC and RBC. All the domains hosted on this server looked shady, built for cryptocurrency online casinos and phishing. Check out the Pastebin link if you are interested. One interesting finding from the logs was a submission from ::1 (the IPv6 loopback address) on March 03, 2018. This further confirms that we are dealing with a persistent threat actor.

The attacker testing if the code works? Thoughts?

I would love to hear what you guys think. How should law enforcement and authorities respond to something like this? Do you feel the banks should do more to identify the impacted users and notify them? Thanks for reading; my slow Sunday afternoon turned out to be fun, and I hope you guys had fun reading too.