We have recently blogged about KrebsOnSecurity's story on compromised Canadian business email addresses. Here is some updated background on threats to Canadian organizations.
Since January 2019, nearly one hundred phishing campaigns have been tailored specifically for Canadian targets, according to researchers at Proofpoint.
Attackers are spoofing a number of well-known Canadian companies and organizations, and are using French-language phishing lures to increase their chances of tricking Canadian victims. Most of these campaigns are run by financially motivated criminals, although some are launched by nation-state actors.
The two most common malware strains used in these campaigns are Emotet and Ursnif, both of which are banking Trojans used to steal information and deliver additional malware. Other types of malware targeting Canada include banking Trojans like IcedID, Trickbot, and Dridex; the GandCrab ransomware; and the Formbook keylogger. The Proofpoint researchers stress that the rise in targeted Emotet attacks is particularly notable and should serve as a warning to Canadians that they need to be on the lookout for more than just generic phishing spam.
“In 2019, threats specific to Canadian interests, whether abusing Canadian brands, or affecting Canadian organizations through specific geo-targeting mean that defenders at Canadian companies must be cognizant of threats far more targeted than ‘North America,’” the researchers write. “Banking Trojan and the Emotet botnet lead the pack, creating risks for organizations and individuals with compelling lures and carefully crafted social engineering. While Canada-targeted threats are not new, Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada and beyond.”
These targeted phishing campaigns are in addition to hundreds of other untargeted campaigns that have impacted Canada this year. Users need to be constantly vigilant in order to identify attackers’ attempts to deceive them. New-school security awareness training can give your employees the knowledge they need to defend themselves against these attacks.