Researchers recently discovered a large-scale phishing email operation that has been targeting primarily customers of Canadian banking chains since at least 2017.

The emails generally attempt to trick recipients into revealing their credentials on a phishing page that utilizes a lookalike domain and impersonates a log-in screen.

Researchers with Check Point Software Technologies uncovered the scam after coming across one such email impersonating the Toronto-based Royal Bank of Canada (RBC). An analysis of the email revealed a Ukrainian IP address that hosted more than 300 domains imitating RBC and other financial institutions.

“As it turns out, there were many more IP addresses on the same netblock… that were part of a massive infrastructure used to launch phishing attacks that attempt to steal banking credentials from Canadian victims,” said the blog post, adding that “we noticed an overlap with the infrastructure of a phishing attack targeting Canadian businesses reported back in 2017.”

Other financial organizations targeted in the operation included American Express, ATB Financial, BMO Bank of Montreal, CIBC Canadian Imperial Bank of Commerce, Coast Capital Savings, Desjardins Bank, Interac, Scotiabank, Simplii Financial, Tangerine, TD Canada Trust and Wells Fargo. Canadian telecom Rogers Communications was also targeted by the attackers.

The RCB email contained a fake authorization code for renewing a digital certificate for RBC Express, an online banking tool. To incite the recipient into quickly acting, the email warns that the code is valid for only two calendar days, after which time it will expire and the corresponding account will be locked.

Clicking on the link leads to a phishing page that consists of a screenshot of the genuine RBC website, with invisible textboxes placed over the input fields. Once victims fill in their log-in information and hit the sign-in button, the attackers gain access to the credentials.

To look more legitimate, the victim is next taken to a page that instructs users to type in the authorization code that was included in the email. Once this step is complete, the users are told to wait as a digital certificate is supposedly registered for them. There is even a countdown clock to help sell the idea that the certificate registration is being processed.

Check Point shared additional examples of phishing emails and attachments — attributed to the same actor — that featured similar instructions and unique phrasing (including a misspelling of the word “enrollment”). The similarities between phishing emails helped the Check Point researchers gain a sense of the operation’s scope, as well as link newer activity to the older emails. In some instances, the attackers attempted to evade detection by making the PDFs password-protected, with the password included in the e-mail’s body.

Examples included a fake TD Canada Trust email containing a phony digital certificate registration code, a fraudulent communication from a CIBC executive vaguely stating that documents are available for reviewing, and a bogus BMO Bank that urged the recipient to log in to and update his or her “security device” before it is deactivated and becomes unable to authorize transactions.