TD Canada Trust EasyWeb Phishing

Dear Customer:

Your Secure login details seem to have been compromised.

Any email that starts out in this vein should cause you to be extremely suspicious. As a case in point, the opening above comes from a TD Canada Trust Phishing fraud attempt that we recently intercepted.

The message itself looks like this:

Subject: TD Internet Banking Security

From: TD Canada Trust <security@easyweb.com>

To: [redacted]

Dear Customer:

Your Secure login details seem to have been compromised.

Please log in to the secure link below, and verify your security

details to avoid an unecessary suspension of your account.

We may call you to verify any information, and such calls may include
computer-generated speech

To log in and verify your account click on the Security link:

EasyWeb-SECURITY

Thank you.
Customer Service
TD Group Financial Services.

A few notes about the message before we get to the good part:

  1. The spoofed “From:” address is “TD Canada Trust <security@easyweb.com>”. However, none of the message headers indicate that it was ever anywhere near a server associated with “easyweb.com”.
  2. The “TD Canada Trust – EasyWeb” logo is the real logo from tdcanadatrust.com displayed through the magic of HTML.
  3. The “EasyWeb-SECURITY” link above actually goes to the bogus web site so don’t click it unless you have good, up to date anti-virus software. (6/15/2010 – Update: link removed)

All of this is pretty normal for a fraudulent email Phishing campaign.

What’s outstanding about this one is the quality of the login page it links to.

Here is the page for the identity theft Phishing site:

TD Canada Trust Phishing Site


And this is the real TD Canada Trust EasyWeb login page:

TD Canada Trust EasyWeb Login Page


The Phishing page that attempts to trick users into providing their real login credentials is an almost exact replica of the real TD Canada Trust login page. Some of the differences might be due to the “Phish Bait” page being lifted from an older version of the TD Canada Trust page, and others are modifications made by the con artist spammer.

For example, the real page lists a phone number that you can call to have your password reset. Apparently this Phisher didn’t want to go to the bother of setting up a fake phone number and staffing it (what a pain). However, they also don’t want you to actually call TD Canada Trust and let them know that you’re about to be a victim of identity theft either, so this section is intentionally missing from the copycat site.

Almost all of the links on the fake page go to tdcanadatrust.com except for the ones that require a login. All of those link right back to the fake login page.

You should also notice that if you look at the address bar in the screenshot of the fake page, the address is:

http://www.microscopix.ch/album/Update/banking.html

But if you look at the address for the real login page it’s:

https://easyweb.tdcanadatrust.com/

While it’s true that many financial institutions host login pages at domains that have nothing to do with their marketing domains (note to banks: don’t do this, it makes phishing easier) it’s rare that they use a domain in a completely different country. The “microscopix.ch” domain is on the top level domain for Switzerland, presumably because Switzerland = banking in most people’s minds so it makes sense for TD Canada Trust to have you log in on a Swiss domain.

In this case it was pretty simple to just go to “tdcanadatrust.com” and click their login link to see where it went. Guess what. It doesn’t go to Switzerland.

Also worth noting is the fact that the fake site uses “http://”, that is, it’s not encrypted. Even if this were the real page, it would be a bad idea to log in using an unencrypted page like this. The real page uses “https://” and indicates that the page is encrypted (since we used Firefox, encryption is indicated by the blue highlighted domain name at the left end of the address bar and the yellow lock in the status bar at the bottom of the browser window).
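The three tells discussed above (a spoofed “From:” domain that never appears in the Received chain, a link whose text says EasyWeb but whose target is an unrelated host, and a login link served over plain http) can be checked mechanically. The script below is an added example written for this post, not code from OnlyMyEmail or the bank; it uses only Python’s standard library. The two sample messages are constructed: the phishing one is modelled on the lure quoted above (with placeholder relay hostnames), and the “legitimate” one assumes, for illustration only, that real TD mail relays through a tdcanadatrust.com host. `BRAND_DOMAIN` is set from the real login address shown above.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# The real EasyWeb login page lives under this domain (from the post above).
BRAND_DOMAIN = "tdcanadatrust.com"

# Constructed sample modelled on the lure quoted in the post.  The Received
# hostnames are documentation placeholders, not the real relay path.
SAMPLE_PHISH = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org with ESMTP id ABC123
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.net with SMTP
From: TD Canada Trust <security@easyweb.com>
To: victim@example.org
Subject: TD Internet Banking Security
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear Customer:</p>
<p>Your Secure login details seem to have been compromised.</p>
<p>To log in and verify your account click on the Security link:</p>
<p><a href="http://www.microscopix.ch/album/Update/banking.html">EasyWeb-SECURITY</a></p>
</body></html>
"""

# Constructed "what a clean message would look like" sample (hypothetical relay host).
SAMPLE_LEGIT = """\
Received: from mail.tdcanadatrust.com (mail.tdcanadatrust.com [192.0.2.20])
    by mx.example.org with ESMTP id DEF456
From: TD Canada Trust <alerts@tdcanadatrust.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Sign in at <a href="https://easyweb.tdcanadatrust.com/">EasyWeb</a> to view it.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def in_brand_domain(host):
    """True if host is the brand domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)


def analyze(raw_message):
    """Return a list of human-readable phishing indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display name claims the brand, but the address is on another domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if "td" in name.lower().split() and not in_brand_domain(sender_domain):
        findings.append(f"From display name '{name}' but sender domain is {sender_domain}")

    # 2. The claimed sender domain never appears in the Received chain.
    received = msg.get_all("Received", [])
    if sender_domain and not any(sender_domain in r.lower() for r in received):
        findings.append(f"no Received header mentions {sender_domain}")

    # 3. Links: anchor text vs. real target host, and plain-http login links.
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    for text, href in parser.links:
        url = urlparse(href)
        if not in_brand_domain(url.hostname):
            findings.append(f"link '{text}' points to {url.hostname}, outside {BRAND_DOMAIN}")
        if url.scheme == "http":
            findings.append(f"link '{text}' uses plain http, not https")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no indicators"])
```

The Received-chain check is the weakest of the three on its own (mail forwarded through a legitimate relay may also lack the sender’s domain), which is why the script reports indicators rather than a verdict; the link checks are the ones that catch this particular lure.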

All in all this is a pretty good attempt, and a lot better than a number of others we’ve seen recently.

Just in case you got one of the less sophisticated ones, the following is a list of subjects and from addresses for some of the others:

Subject: You have a message in Your Inbox

From: TD CANADA TRUST <Securityalert@tdcanada.com>

Subject: TD Canada Trust Bank Survey QJRPRKRVWE

From: “TD Canada Trust Bank”<EasyWebTD@secure.com>

Subject: 1 new message.

From: “TD Canada Trust Bank”<EasyWebTD@secure.com>

Subject: Your online account needs resolution

From: “TD Canada Trust”<accounts@tdcanadatrust.com>

Subject: Resolve Your Internet Banking.

From: TD Canada Trust <easyweb@td.com>

Subject: You have received 1 new message waiting in your inbox folder.

From: “TD Canada Trust”<security@td.com>

Subject: Resolve Your Internet Banking.

From: TD Canada Trust <easyweb@td.com>

Subject: New Security Upgrade

From: TD Canada Trust <secure@tdcanadatrust.com>

Subject: Important Notice

From: “TD Canada Trust”<onlinebanking@tdcanadatrust.com>

Tired of weeding out scams like this? Our spam filtering service can do it for you.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.


4 Responses to “TD Canada Trust EasyWeb Phishing”

  1. Barb says:

    I had received a call this evening from a # 18774246062 and I believed they had called themselves some kind of rewards dept. I had thought they said TD at first. They were
    very hard to understand being that the person I had spoken with had a very strong accent.
    They said that I had accumulated many points for rewards. “This struck me funny for I don’t have any point cards”. Anyway I continued to listen to what they had to say and they told me I had won an offer of a trip to Florida for so many nights for a group of 4, but first to receive this outstanding package for only 699.00 (that was to be paid immediately of course) then they would mail me all the tickets and package information. After saying No to the offer the man hung up on me. I have his name and another name from this scam!

  2. Marc says:

    I have recently received a similar email regarding to verify my TD Canada account details; it was a bogus email to acquire my bank details. I found out by the following:

    1) It was sent to one of my email addresses that is not associated with TD.
    2) Hovering over the link in the email led to a ‘co.uk’ registered domain. I copied and pasted the link, only containing the top-level domain. Luckily, the website had already been suspended.
    3) Banking institutions always provide the full name in an email, if it is not provided, it is most likely a scam!

    If anyone ever receives an email from your banking institution regarding to verify anything whatsoever, always contact customer service, provided from your account statements in the mail, NEVER from the email. If in doubt, print the email and forward the information to your bank.

    Until everyone knows how to combat these scams, phishing will continue feeding off the gullible ones.

  3. Fred says:

    Thanks for the post, whoever is doing this had hacked into one of my client’s websites about a month ago and created their own CMS and were placing it on their site, at this url: http://www.ticorealty.com/cms/images/canada_trust-easyweb/canada_trust-easyweb/easyweb/index.html

    We have since then deleted that CMS but it looks like the hacker had taken advantage of a bug that was in the older version of Joomla.

    We certainly apologize that those a-holes were able to hack into our site and were using our site which is legitimate for that purpose.

    Moral of the story, update your website and the CMS often.

  4. OnlyMyEmail Anti-Spam Team says:

    If it makes you feel any better, your site was probably just one of many that got hacked:) You are absolutely correct about keeping your website and especially third party content management systems like Joomla up to date. There are people out there with nothing better to do than write tools to find vulnerable CMSs and crack them:(