The Threat Actors That I’ve Been Tracking Have Moved To Using TD For Their Phishing Campaign
Let me get you up to speed in case you’re tuning in for the first time.
I’ve been tracking a group of threat actors who started using Questrade and then Wealthsimple along with TD and finally the National Bank on two occasions to try and phish credentials from unsuspecting users in order to drain their bank accounts dry. And whomever is behind this campaign has got some degree of skill as for the most part, they have sent convincing phishing emails and have built convincing websites to back up those emails.
It now seems that the threat actors are back to using TD to try and pull off their scam based on this email that my honeypot got:
If this email looks familiar, that’s because it’s the same text that was used by the last National Bank phishing email. Only now it’s branded for TD. Which means that it’s the same threat actor at work here. Now when I tried to access the phishing website, it had already been shut down. But it was hosted by the same Chinese hosting company that hosted the second phishing attempt made by these scammers. Now to be clear, just because it is hosted by a Chinese company does not mean that the threat actors are Chinese. Though it would not surprise me if they were.
This likely means that my honeypot will see some more action. Though I have to wonder how long this campaign will continue. I guess I will find out.
UPDATE: A few minutes after posting this, my honeypot this email claiming to be from National Bank. Clearly the threat actors are flipping back and forth between banks in hopes of getting more victims.
This entry was posted on November 14, 2025 at 9:28 am and is filed under Commentary with tags Scams. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
The Threat Actors That I’ve Been Tracking Have Moved To Using TD For Their Phishing Campaign
Let me get you up to speed in case you’re tuning in for the first time.
I’ve been tracking a group of threat actors who started using Questrade and then Wealthsimple along with TD and finally the National Bank on two occasions to try and phish credentials from unsuspecting users in order to drain their bank accounts dry. And whomever is behind this campaign has got some degree of skill as for the most part, they have sent convincing phishing emails and have built convincing websites to back up those emails.
It now seems that the threat actors are back to using TD to try and pull off their scam based on this email that my honeypot got:
If this email looks familiar, that’s because it’s the same text that was used by the last National Bank phishing email. Only now it’s branded for TD. Which means that it’s the same threat actor at work here. Now when I tried to access the phishing website, it had already been shut down. But it was hosted by the same Chinese hosting company that hosted the second phishing attempt made by these scammers. Now to be clear, just because it is hosted by a Chinese company does not mean that the threat actors are Chinese. Though it would not surprise me if they were.
This likely means that my honeypot will see some more action. Though I have to wonder how long this campaign will continue. I guess I will find out.
UPDATE: A few minutes after posting this, my honeypot this email claiming to be from National Bank. Clearly the threat actors are flipping back and forth between banks in hopes of getting more victims.
Share this:
Like this:
Related
This entry was posted on November 14, 2025 at 9:28 am and is filed under Commentary with tags Scams. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.