Cybercriminals continue to target Canadians, most recently with phishing emails that impersonate Canada Post in order to steal victims’ financial information, California-based global online security firm Proofpoint said.
Proofpoint’s senior director of threat research and detection, Sherrod DeGrippo, said an updated version of the ZLoader banking malware has been used to target not only users of Canada’s postal service but also people working for cities, provincial governments and higher education institutions. She could not reveal specific details about the latter two groups.
“Quite a lot of Canadian city governments,” she said. “ZLoader is focused on stealing financial information.
“It intercepts transactions when you go to your bank.”
Cybercrooks use phishing emails to lure people to fake websites that mimic genuine ones a user might visit.
“It can steal your credentials when you’re logging in,” DeGrippo said.
The Canada Post lures included notices of mail delivery and notices of delivery attempts, she said.
While Canada Post did not respond to requests for comment, the Canadian Anti-Fraud Centre said, “We do get a variety of reporting on phishing-type campaigns or fraud emails trying to get people to click on links or open attachments. One theme we do see from time to time is ‘package delivery’ not necessarily connected to Canada Post.”
The campaigns also used geofencing: the malicious content is served only to visitors whose location, typically inferred from their IP address, falls inside a chosen geographic boundary, while visitors from anywhere else see nothing malicious.
“They were specifically looking for Canadian targets,” DeGrippo said.
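To make the geofencing point concrete, here is an added illustration in Python; it is not code from the campaign or from Proofpoint. It shows a simplified attacker-side gate that hands the lure only to visitors who look like Canadian end users, and a defender-side check that fetches the same URL from several regional vantage points and flags it when the bodies differ. The CIDR blocks, IP addresses, locale check and page bodies are constructed for the demo (RFC 5737 documentation ranges stand in for a real GeoIP lookup), and requiring both IP and Accept-Language is one possible filter, not a documented ZLoader rule.

```python
"""Geofenced delivery and a differential check for it (added example)."""
import ipaddress
from hashlib import sha256

# Constructed stand-in for a "country == CA" GeoIP lookup (RFC 5737 ranges).
TARGET_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]
TARGET_LANGS = ("en-ca", "fr-ca")

# Constructed page bodies: a harmless decoy and the actual lure.
DECOY_PAGE = "<html><body><p>Tracking number not found.</p></body></html>"
LURE_PAGE = ('<html><body><p>Your parcel could not be delivered.</p>'
             '<a href="/notice/Delivery_Notice.zip">Download delivery notice</a></body></html>')


def in_target_region(client_ip: str) -> bool:
    """True when the visitor's IP falls inside the target country's ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TARGET_RANGES)


def prefers_target_locale(accept_language: str) -> bool:
    """True when the browser advertises a Canadian locale (en-CA / fr-CA)."""
    tags = [part.split(";")[0].strip().lower() for part in accept_language.split(",")]
    return any(tag in TARGET_LANGS for tag in tags)


def serve(client_ip: str, accept_language: str) -> str:
    """Attacker-side gate (assumed logic): the lure goes only to visitors that
    look like Canadian end users; sandboxes and URL scanners egressing from
    elsewhere receive the decoy and never see anything to detonate."""
    if in_target_region(client_ip) and prefers_target_locale(accept_language):
        return LURE_PAGE
    return DECOY_PAGE


# Constructed vantage points: (client IP, Accept-Language) per egress location.
VANTAGE_POINTS = {
    "us-sandbox":     ("203.0.113.7", "en-US,en;q=0.9"),
    "de-scanner":     ("198.51.100.200", "de-DE,de;q=0.8"),
    "ca-residential": ("192.0.2.45", "en-CA,en;q=0.9"),
}


def detect_geofencing(fetch, vantage_points=VANTAGE_POINTS):
    """Defender-side check: fetch the same URL through several regional egress
    points and flag it when the bodies differ. `fetch(ip, lang)` stands in for
    a request routed through a proxy in that region; here it is the gate above."""
    digests = {name: sha256(fetch(ip, lang).encode()).hexdigest()[:12]
               for name, (ip, lang) in vantage_points.items()}
    return len(set(digests.values())) > 1, digests


if __name__ == "__main__":
    flagged, per_region = detect_geofencing(serve)
    print("geofenced:", flagged)
    for region, digest in per_region.items():
        print(f"  {region:15s} {digest}")
```

The practical consequence for analysts is the one the differential check exposes: a sandbox or URL scanner that egresses from outside the target country fetches the decoy, so "clean" verdicts on a geofenced URL are only meaningful if at least one probe came from the targeted region.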
The attacks appear to be coming from Russia and Eastern Europe, she said.
ZLoader is a variant of an infamous piece of cybercrime tooling, the Zeus banking malware that dates back to 2006.
Such malware uses so-called “webinjects” to interpose itself between the user and the website they are connecting to: the malware hooks the browser and alters pages in transit, so the victim sees, for example, a login form with extra fields that the bank never sent. The goal is to steal credentials and other private information users enter when they connect to financial systems.
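The following Python is an added example, not ZLoader’s code or anything from Proofpoint’s report, showing how a webinject rewrites a page on the victim’s side. The config syntax (set_url / data_before / data_inject / data_after / data_end) is the widely documented Zeus convention; the bank login page, the URL and the injected “card PIN” field are constructed for the demo, and the flags are parsed but not interpreted. A small client-side integrity check at the end shows what a defender can see that the bank’s server cannot: the extra field exists only in the victim’s browser.

```python
"""Parse a Zeus-style webinject config and apply it to a served page (added example)."""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_pattern: str   # set_url glob; '*' matches anything
    flags: str         # e.g. G/P (GET/POST), L (log); kept but not interpreted here
    before: str = ""   # page text after which the inject is placed
    inject: str = ""   # HTML to insert
    after: str = ""    # page text before which the inject ends (empty = plain insert)


def parse_webinjects(text: str) -> list[WebInject]:
    """Turn the text config into WebInject records."""
    injects: list[WebInject] = []
    current, section, buf = None, None, []
    for line in text.splitlines():
        word = line.strip()
        if word.startswith("set_url"):
            parts = word.split(None, 2)
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif word in ("data_before", "data_inject", "data_after"):
            section, buf = word[len("data_"):], []
        elif word == "data_end" and current is not None and section is not None:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def _glob_to_regex(pattern: str) -> str:
    # Zeus patterns use '*' as a wildcard; everything else is literal.
    return re.escape(pattern).replace(r"\*", ".*?")


def apply_webinjects(url: str, html: str, injects: list[WebInject]):
    """Rewrite `html` as the victim's browser would render it.
    Returns the modified page and the list of url patterns that fired."""
    page, fired = html, []
    for inj in injects:
        if not fnmatch.fnmatchcase(url, inj.url_pattern) or not inj.before:
            continue
        m = re.search(_glob_to_regex(inj.before), page, re.S)
        if not m:
            continue
        start = end = m.end()
        if inj.after:  # text between the two anchors is replaced by the inject
            m2 = re.search(_glob_to_regex(inj.after), page[start:], re.S)
            if not m2:
                continue
            end = start + m2.start()
        page = page[:start] + inj.inject + page[end:]
        fired.append(inj.url_pattern)
    return page, fired


_INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)


def added_form_fields(served_html: str, rendered_html: str) -> list[str]:
    """Client-side integrity check: input names present in what the user sees
    but absent from what the server actually sent."""
    served = set(_INPUT_NAME.findall(served_html))
    return [n for n in _INPUT_NAME.findall(rendered_html) if n not in served]


# Constructed bank login page, exactly as the server sends it.
BANK_LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
</body></html>"""

# Constructed inject: add a "card PIN" box right after the password field.
WEBINJECT_CONFIG = """\
set_url https://online.bank.example/login* GP
data_before
name="password"*>
data_end
data_inject

  <input type="password" name="card_pin" placeholder="Card PIN (required)">
data_end
data_after
data_end
"""

if __name__ == "__main__":
    injects = parse_webinjects(WEBINJECT_CONFIG)
    rendered, fired = apply_webinjects("https://online.bank.example/login?lang=en",
                                       BANK_LOGIN_PAGE, injects)
    print(rendered)
    print("fired:", fired, "extra fields:", added_form_fields(BANK_LOGIN_PAGE, rendered))
```

Because the rewrite happens inside the browser process, TLS and the bank’s own page integrity are intact from the server’s point of view; the only place the injected field can be observed is on the endpoint, which is why this family is detected through host-based hooks, behavioural telemetry and comparison of the served page with the rendered DOM rather than through server-side logs.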
“The malware can also steal passwords and cookies stored in victims’ web browsers. With the stolen information in hand, the malware can use the VNC (Virtual Network Computing) client it downloads to allow threat actors to connect to the victim’s system and make illicit financial transactions from the banking user’s legitimate device,” Proofpoint research said.
The security firm began seeing the updated version in December.
“We are documenting at least one ZLoader campaign per day by a variety of actors primarily targeting organizations in the United States, Canada, Germany, Poland and Australia,” the research said.