[OSINT/CTI] The Great Canadian Scammers
This article is made for educational purposes only, to show what’s going on behind the scenes of malicious actors and their digital platforms. Everything comes from open and legal sources.
I received an SMS asking me to log in to: auth-rbcroyalbank-online[.]com.
Well, thanks to this scam, I was able to map a wide phishing network targeting Canadian institutions.
Key points:
⏺️ Mostly Russian and Chinese registrars/hosting providers (JSC Selectel, Nicenic…) are involved.
⏺️ Registrant data (names, addresses, phone numbers, etc.) is always bogus.
⏺️ Most of these domains were registered in the past few months, up to September 2024.
⏺️ Multiple pools of IPs are reused for a large number of domains, indicating a possible coordinated operation between several players using a common infrastructure.
⏺️ Top institutions impersonated:
- RBC
- Scotiabank
- TD Bank
- Rogers
- Canada Revenue Agency (CRA)
- CIBC
- Interac
- Canada Post
- Costco
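As an added example (not the author's tooling), here is how the IP-reuse pivot from the key points above can be reproduced: given passive-DNS-style domain/IP records, group domains that share hosting IPs into clusters and tag which of the listed brands each cluster impersonates. Every record except the one domain quoted in the post is a constructed placeholder (RFC 5737 documentation addresses, `.example` TLD), and the brand-keyword check is a simple label-prefix heuristic that needs analyst review.

```python
"""Cluster suspected phishing domains by shared hosting IPs (union-find) and tag
the impersonated brands. Example added to this post, not the author's tooling."""
import re
from collections import defaultdict

# Label prefixes taken from the institutions listed in the post (heuristic, noisy).
BRANDS = {"rbc": "RBC", "scotia": "Scotiabank", "td": "TD Bank", "rogers": "Rogers",
          "cra": "CRA", "cibc": "CIBC", "interac": "Interac",
          "canadapost": "Canada Post", "costco": "Costco"}

# Constructed passive-DNS-style records (defanged domain, resolved IP).
# Only the first domain is real (quoted in the post); the rest are placeholders.
RECORDS = [
    ("auth-rbcroyalbank-online[.]com", "192.0.2.10"),
    ("secure-scotia-verify[.]example", "192.0.2.10"),
    ("secure-scotia-verify[.]example", "192.0.2.11"),
    ("td-access-portal[.]example", "192.0.2.11"),
    ("interac-etransfer-claim[.]example", "198.51.100.7"),
    ("canadapost-redelivery[.]example", "198.51.100.7"),
    ("costco-rewards-ca[.]example", "203.0.113.5"),
]

def refang(domain):
    return domain.replace("[.]", ".")

def brands_for(domain):
    """Brands whose keyword starts one of the domain's hyphen/dot-separated labels."""
    labels = re.split(r"[.-]", refang(domain).lower())
    return sorted({name for key, name in BRANDS.items()
                   if any(label.startswith(key) for label in labels)})

def cluster_by_ip(records):
    """Connected components over the domain<->IP graph: two domains land in the
    same cluster if a chain of shared IPs links them."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for domain, ip in records:
        parent[find(domain)] = find("ip:" + ip)  # prefix keeps IPs distinct from domains
    groups = defaultdict(set)
    for domain, _ in records:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

def report(records=RECORDS):
    """One dict per cluster: defanged domains, shared IPs, impersonated brands."""
    return [{"domains": c, "ips": sorted({ip for d, ip in records if d in c}),
             "brands": sorted({b for d in c for b in brands_for(d)})}
            for c in cluster_by_ip(records)]
```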