This article is made for educational purpose only, to show what’s going on behind the scenes of malicious actors and their digital platforms. Everything comes from open and legal sources.

I received an SMS asking me to log in to: auth-rbcroyalbank-online[.]com.

Well, thanks to this scam, I was able to map a wide phishing network targeting Canadian institutions.

Key points:

⏺️ Mostly Russian and Chinese registrars/hosting providers (JSC Selectel, Nicenic…) are involved.

⏺️ Registrant data (names, addresses, phone numbers, etc.) are always bogus.

⏺️ Most of these domains were registered in the past few months, up to September 2024.

⏺️ Multiple pools of IPs are reused for a large number of domains, indicating a possible coordinated operation between several players using a common infrastructure.

⏺️ Top institutions impersonated:

• RBC
• Scotia Bank
• TD bank
• Rogers
• Canada Revenue Agency (CRA)
• CIBC
• Interac
• Canada Post
• Costco