Malware banking campaigns against Canadians are increasing: Report

Canadian businesses and residents are increasingly targets for malware campaigns, according to a new blog from security vendor ProofPoint.

The report, issued last week, said the company has seen six different banking Trojan families, including Ursnif, Dridex, Kronos, Zeus, Gootkit, and Vawtrak, all targeting customers of financial institutions in Canada and other countries since May.

The malware isn’t delivered how you might think, in email purporting to come from a bank. Instead it comes indirectly attached through messages that allegedly come from Microsoft (with the header “Attention Urgent: Critical Security Update” and the sender “Microsoft Security Team”), Canada Post (purporting to be a message about an inability to deliver an item) and UPS (purporting to be a invoice for proof of delivery).



These messages either ask the victim to download a contaminated Microsoft Word document or link to a site for a malware download. The malware use a variety of techniques, from simple credential theft to advanced website modifications using web injects, to operating proxies that allow the attacker to access the bank website from the victim’s computer. The variety of techniques is one of the things that makes them so dangerous and effective, says Proofpoint.

“While it is not uncommon to see email-based malware and phishing campaigns targeting Canadian residents and businesses,” says the report, “the volume and diversity of these campaigns seem to be increasing. The malicious payloads we have been observing include all types of banking Trojans, malware specifically designed to steal funds from online banking users.”

The gang behind the Dridex malware is particularly stubborn. While one of its botnets was taken down last fall and one person was arrested, campaigns using the malware are increasing. says Proofpoint.

Separately, Cisco Systems’ Talos threat intelligence service is warning enterprises of a new campaign that started June 27 for delivering Locky/Zepto ransomware through attachments. The hoped-for targets are C-suite or vice-presidents, with the emails usually asking recipients user to look at their “requested” attached document, supposedly a report, invoice or other document. Instead a malicious Javascript connects to a command and control server and downloads the ransomware.

Regular employee awareness training is important to stifling these campaigns, not only having staff be cautious about messages with attachments but also be wary of messages that ask them to disable macros.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now