Twelve Flavors of Phish: Canadian Workers Targeted With Fake Covid-19 Relief Deposits

Cofense.News

Financial aid programs continue to be popular targets in the midst of the COVID-19 pandemic, with government relief grants a particularly great one to exploit.  

By Jake Longden and Elmer Hernandez, Cofense Phishing Defense Center

With multiple world governments providing such grants, and millions of people relying on these as their main source of sustenance, adversaries will continue exploiting such dependence. 

The Cofense Phishing Defence Center (PDC) has observed a recent phishing campaign in Canada that aims to harvest banking credentials and other personal information from 12 different banking institutions. This was achieved by preying on employees who were expecting COVID-19 relief grants in the form of the CERB (Canada Emergency Response Benefit). These funds are supposedly sent via an electronic transfer from Interac, a legitimate Canadian interbank network. 

The CERB scheme gives financial support to employed and self-employed Canadians who have been affected by the COVID- 19 pandemic. It offers $2,000 CAD (approx. $1,490 USD) for a four-week period.

CERB Deposit

The email purports to be a notification from Interac’s e-transfer service, indicating that the Canada Revenue Agency (CRA) has made a CERB deposit of $1,957.5 CAD (approx. $1,463 USD). A fictitious expiration date is included in an attempt to instill a sense of urgency.

Figure 1 – Email Body 

Header

The SPF fail in the headers (Figure 2) indicates that the email is likely spoofed, and the IP address suggests that it came from a potentially compromised device using the University of South Florida network (Figure 3). The choice of the name ‘cra-cerb’ in the address is used to add credibility to the email.

Figure 2 – SPF Fail 

A Phish of 12 Different Flavors

The first landing page the phish visits is an impersonation of the CRA. It has working links in both French and English like a legitimate site from the Canadian government. Once the user has selected their language choice, they will be redirected to an impersonated Interac e-transfer site in said language.

Figure 3 – USF IP Address 

Figure 4 – CRA Spoofed Site  

  • ATB Financial 
  • Bank of Montreal (BMO) 
  • Canadian Imperial Bank of Commerce (CIBC) 
  • Desjardins 
  • Laurentian Bank 
  • Meridian 
  • National Bank of Canada 
  • Royal Bank of Canada (RBC) 
  • Scotiabank 
  • Simplii Financial 
  • Tangerine 
  • TD Canada Trust 

Once in the spoofed Interac e-transfer site (Figure 5)the user must choose their personal bank from twelve different options in order to receive the deposit. All of these banks are actual members of the Interac network, which suggests attention to detail from adversaries: 

Next, the recipient is taken through a series of spoofed pages for the corresponding bankwith some offering both English and French versionsAll pages reside within compromised website of a Washington, DC area businessThe URL paths vary depending on the bank, but follow the following format:  

Figure 5 – Spoofed Interac Page 

Although no two options are identical, most of the twelve spoofed banks ask for similar details: 

hxxps://lincolnrestaurant-dc[.]com/interca/{unique 32 character string}/bank/{bank name}/{html or php file} 

  • Usernames 
  • Card Numbers 
  • Passwords 
  • Security Questions and Answers 
  • Personal Information (PI) (Full Name, Date of Birth, Email, etc) 

Scotiabank (English) was chosen to showcase an example of the entire phish process. The initial page the user is presented with is a standard login page asking for credentials, notice the slight typo of the word “sign” on the “Sing in button (Figure 6). 

The next page asks for sensitive PI and card information (Figure 7). The user is then asked for Security questions and answers (Figure 8), which might falsely provide the reassurance that some form of multi-factor authentication is being employed. The combination of PI such as a Social Insurance number, credit card numbers and MFA questions could form a fairly solid base for identity theft/impersonation. Once submitted a final page confirms the funds will be deposited in 48 hours (Figure 9).

Figure 6 – Scotiabank Sign in 

Figure 7 – Scotia PI and Card Info 

Figure 8 – Scotia MFA Security Questions 

Figure 9 – Deposit Successful 

Figures 10 through 20 show the login pages for the remaining eleven spoofed banks.  

Figure 10 – ATB 

Figure 11 – BMO 

Figure 12 – CIBC  

Figure 13 – Desjardins  

Figure 14 – Laurentian  

Figure 15 – Meridian  

Figure 16 – National Bank 

Figure 17 – RBC  

Figure 18 – Simplii  

Figure 19 – Tangerine  

Indicators of Compromise

Malicious URL:

Figure 20 – TD  

Associated IP:

hxxps://lincolnrestaurant-dc[.]com/interca

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

108[.]167[.]182[.]39

This post was first first published on Cofense’s website by Cofense. You can view it by clicking here