Canadian organizations target of spear phishing attack, says IBM

Canadian small and medium-sized businesses are being targeted with spear phishing attacks from a gang trying to get employees to reveal corporate banking passwords and two-factor authentications, IBM researchers said today.

“The goal of this targeted phishing attack is to take the account over and transfer money to mule accounts that the criminals control,” researchers said in a blog detailing the scheme.

The probes are launched at very specific people in organizations who deal with finances through intricate emails made to appear legitimate from a bank. These messages include correct bank logos and accurate information and included a PDF, which hides malicious URL links, keywords and brand abuse from detection software that would pick them up had they been included in the body of the email.

The attack is slick: Criminals have registered a few domains and created email addresses with bank’s name and appeared to represent the bank’s customer service, security or technology departments, and appear to come from actual employees of the victim’s bank.

The email says victims need to re-synchronize their security token devices used for multifactor authentication, warning that their existing device for payment processing can’t be used until it is synched again. “This one was not especially ingenious,” says the report, because it is a common tactic.  “That fake synchronization is designed to include the process of generating one-time passwords with hardware tokens typically issued to business banking customers. The attackers also use another common trick: Making the message request appear urgent by warning victims to open the PDF promptly for instructions to go to a (malicious) Web page to prevent canceled payments and transaction delays.

“The content of the PDF changed slightly in some cases to address a specific victim’s role,” the researchers found, “another indication that the attackers had prior knowledge of their selected recipients. Some cases addressed a business banking user, for example, while others addressed an administrator with service access and additional users.”

Steps in the scheme. IBM Graphic


The infrastructure hosting the attack is based in Ukraine, says the IBM researchers, sites that hosted a number of other attacks that also targeted Canadian banks. This infrastructure also hosts attacks at consumers, who are promised a refund that can only be deposited directly into their bank account. They are directed to a main page that prompts them to select their banking institution before redirecting them to the corresponding attack page. Victims then are asked for login credentials and account security elements typically used for password resets. Then the victims get a note that the refund transfer could not be completed or that it had expired.

“Security training and incident response planning can go a long way toward helping to protect the business and recovering stolen funds in case of this type of compromise,” says IBM. This means impressing on staff that email requests for changes in procedures should be looked at skeptically.

Read the full blog here

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now