This article is made for educational purposes only, to show what’s going on behind the scenes of malicious actors and their digital platforms. Everything comes from open and legal sources.


I received an SMS asking me to log in to: auth-rbcroyalbank-online[.]com.

Well, thanks to this scam, I was able to map a wide phishing network targeting Canadian institutions.

Key points:

⏺️ Mostly Russian and Chinese registrars/hosting providers (JSC Selectel, Nicenic…) are involved.

⏺️ Registrant data (names, addresses, phone numbers, etc.) are always bogus.

⏺️ Most of these domains were registered in the past few months, up to September 2024.

⏺️ Multiple pools of IPs are reused for a large number of domains, indicating a possible coordinated operation between several players using a common infrastructure.

⏺️ Top institutions impersonated:

  • RBC
  • Scotiabank
  • TD Bank
  • Rogers
  • Canada Revenue Agency (CRA)
  • CIBC
  • Interac
  • Canada Post
  • Costco
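The shared-IP pivot behind the key points above can be sketched in Python. This is an added example, not code from the original investigation: the records, `.example` domains and documentation-range IPs are constructed, the function names are hypothetical, and the 2024 registration cut-off is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (domain, IP, registration date); .example TLD, documentation IPs.
RECORDS = [
    ("auth-rbc-online.example", "192.0.2.10", date(2024, 8, 30)),
    ("auth-rbc-online.example", "192.0.2.11", date(2024, 8, 30)),
    ("td-secure-login.example", "192.0.2.11", date(2024, 9, 2)),
    ("interac-deposit.example", "192.0.2.10", date(2024, 7, 14)),
    ("cra-refund-portal.example", "198.51.100.5", date(2024, 9, 5)),
    ("canadapost-redelivery.example", "198.51.100.5", date(2024, 6, 21)),
    ("gardening-blog.example", "203.0.113.77", date(2019, 3, 1)),
]
# Keyword -> impersonated institution, taken from the list above.
BRANDS = {"rbc": "RBC", "scotia": "Scotiabank", "td": "TD Bank", "rogers": "Rogers",
          "cra": "CRA", "cibc": "CIBC", "interac": "Interac",
          "canadapost": "Canada Post", "costco": "Costco"}

def cluster_by_shared_ip(records):
    """Union-find: domains end up in one cluster if they share an IP, even transitively."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for domain, ip, _ in records:
        parent[find(("ip", ip))] = find(("dom", domain))
    clusters = defaultdict(set)
    for domain, _, _ in records:
        clusters[find(("dom", domain))].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))

def brands_in(domain):
    """Match whole hostname tokens so 'td' does not fire on words like 'outdoor'."""
    tokens = set(domain.lower().replace(".", "-").split("-"))
    return sorted(BRANDS[t] for t in tokens & BRANDS.keys())

def suspicious_clusters(records, min_domains=2, since=date(2024, 1, 1)):
    """Keep clusters that pool several domains, name a brand and include recent registrations."""
    registered = {d: r for d, _, r in records}
    out = []
    for cluster in cluster_by_shared_ip(records):
        brands = sorted({b for d in cluster for b in brands_in(d)})
        recent = [d for d in cluster if registered[d] >= since]
        if len(cluster) >= min_domains and brands and recent:
            out.append({"domains": cluster, "brands": brands, "recent": len(recent)})
    return out
```

With real passive DNS and WHOIS exports, shared CDN or parking IPs produce oversized clusters, so allow-list those addresses before treating a shared IP as a link between operators.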

Graph