Archive for Scams

The Threat Actors That I’ve Been Tracking Have Moved To Using TD For Their Phishing Campaign

Posted in Commentary with tags on November 14, 2025 by itnerd

Let me get you up to speed in case you’re tuning in for the first time.

I’ve been tracking a group of threat actors who started with Questrade, then Wealthsimple, then TD, and finally the National Bank on two occasions to try and phish credentials from unsuspecting users in order to drain their bank accounts dry. And whoever is behind this campaign has some degree of skill: for the most part, they have sent convincing phishing emails and have built convincing websites to back up those emails.

It now seems that the threat actors are back to using TD to try and pull off their scam based on this email that my honeypot got:

If this email looks familiar, that’s because it’s the same text that was used by the last National Bank phishing email. Only now it’s branded for TD, which means that it’s the same threat actor at work here. When I tried to access the phishing website, it had already been shut down. But it was hosted by the same Chinese hosting company that hosted the second phishing attempt made by these scammers. Now to be clear, just because it is hosted by a Chinese company does not mean that the threat actors are Chinese. Though it would not surprise me if they were.

This likely means that my honeypot will see some more action. Though I have to wonder how long this campaign will continue. I guess I will find out.

UPDATE: A few minutes after posting this, my honeypot received this email claiming to be from National Bank. Clearly the threat actors are flipping back and forth between banks in hopes of getting more victims.

The National Bank Is Again Being Used By Scammers To Pwn Unsuspecting Victims In A Very Clever Way

Posted in Commentary with tags on November 10, 2025 by itnerd

My honeypot has been getting a lot of action over the last week. I say that because it has led me to a threat actor who has used Questrade and then Wealthsimple along with TD and finally the National Bank to try and phish credentials from you in order to presumably drain your bank account.

Today it seems that National Bank is again the target of threat actors who are trying to phish you. And what is interesting about this phishing campaign is that it directly mentions phishing campaigns. See for yourself:

That is an email that I received in my honeypot this morning. Now if it is the same threat actors that are behind the other phishing emails, this is pretty clever. They appear to be banking on the fact that people might have gotten a few of their previous emails and recognized that they were phishing attempts. Thus they might be more receptive to this one offering to do “cybersecurity verification.” Whatever that is. I say that because there’s a lot of mumbo jumbo in here that has little to no basis in reality. Since it doesn’t name the recipient, and it comes from a non-National Bank email address as evidenced by this:

Then you can be 100% sure that it is a phishing email. And in case you were wondering, this is the site that they send you to if you click the link:

This is one of those high quality replications of the website that I saw with the previous phishing scam. The only thing that gives it away is that the URL is clearly not the National Bank. Which makes me believe that the same threat actors are behind this new campaign. What that shows is that these threat actors are evolving. Which means that you need to evolve to avoid being their next victim.

The Threat Actors Behind The Questrade And Wealthsimple Phishing Campaign Are Now Going After TD Customers

Posted in Commentary with tags on November 3, 2025 by itnerd

I have been tracking a threat actor who has used first Questrade and then Wealthsimple as part of a large scale phishing campaign that is being carried out via email. Well, my honeypot, which is a computer that I have set up to capture emails and be a target for hackers so that I can gather intel on what the bad guys are up to, has caught a new twist in this campaign. This time the threat actors are using TD Bank to perpetrate their scam. This popped up in my honeypot a few minutes ago:

Now I won’t go down the rabbit hole on how the campaign works as I have done this in the first part of my research. But I will note that these threat actors are getting sloppy. The quality of this email is not as good as the other ones, which makes me wonder how effective this will be. Having said that, the fact that these threat actors are still trying and are shifting tactics implies that they must be having some level of success. Your task is to make sure that you’re not part of whatever success they are having. Thus this is another email that you should instantly delete if you get it.

Wealthsimple Customers Are Also Targets Of The Questrade Phishing Threat Actors

Posted in Commentary with tags on October 30, 2025 by itnerd

After posting this story about an ongoing large scale Questrade phishing campaign, I checked my honeypot and discovered that the same threat actors behind this campaign are also going after Wealthsimple customers. That’s evidenced by this phishing email:

Now this email is extremely similar to the one that was being used in the Questrade campaign. And walking through the phishing scam, I found that the website that was created was of similar quality to the one behind the Questrade campaign. I say was because it has been taken down by its host, which appears to be based in China. While that suggests that the threat actors are Chinese, it is possible that the threat actors are from someplace else and are using a Chinese web host for cover. The emails are very similar as well, which seems to point to the same threat actors being behind both campaigns.

My honeypot has received these emails as recently as 4 hours ago. So this is clearly an ongoing campaign that will likely evolve. Thus keep your head on a swivel to ensure that you don’t fall victim to one of these campaigns.

A Large Scale Questrade Phishing Campaign Is Making The Rounds

Posted in Commentary with tags on October 29, 2025 by itnerd

A threat actor is engaged in a large scale phishing campaign that is targeted at Questrade customers. The campaign starts with this email:

Now this all looks and sounds official. But it isn’t. When you look at the “Renew Your Form W-8BEN” link, you’ll note this:

While the link says Questrade in it, it clearly isn’t Questrade, as the link isn’t going to someplace that Questrade controls. Instead it’s going to a website that the threat actor controls. Now rather than going down the rabbit hole of what the goal of this campaign is, I let VirusTotal do it for me:

This appears to be a phishing campaign aimed at stealing your Questrade credentials. Not good. That is confirmed by going to the URL itself. Which by the way, you should never ever do:

This is an excellent replication of the real Questrade website as evidenced here:

It even has the text “Tip: Always double check the URL of log-in pages to keep your account secure” in it. If you follow that advice, you can recognize this as a phishing attempt.

I have seen a few dozen of these emails hit my honeypot recently. So this is a large scale phishing campaign. Likely being done by someone who is sending emails out by the thousands hoping to catch 1% of the recipients out and score a big payday as a result. Because scams don’t have to be successful in volume to be successful.

But we’re not done yet: there’s a second Questrade phishing email making the rounds:

The lure is different as it is trying to get you to fall for the scam by getting you to set up 2 factor authentication. But the net result is the same. It is trying to send you to a replication of the Questrade website that will steal your Questrade credentials, and your money along with it.

For the record, if you can use 2 factor or multi factor authentication for your accounts, it would make them way more secure. Questrade has instructions to set that up here.

Here’s the bottom line. If you get one of these emails, delete it and move on with your life because it is clearly a scam. And a large scale one at that.
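The tell in the first email is that the link text and the link target disagree: the anchor says Questrade, but the href goes somewhere Questrade does not control. Here is an added example (not code from this post) that checks an HTML email body for exactly that mismatch. The brand allow-list, the helper names and the sample email body are constructed for illustration; a real deployment would maintain the allow-list from the brand’s published domains.

```python
"""Flag links in an HTML email whose text or URL names a brand while the
href actually resolves to a domain that brand does not control.

Added example, not code from the original post. BRAND_DOMAINS and
SAMPLE_EMAIL are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: hostnames the brand actually controls (illustrative).
BRAND_DOMAINS = {
    "questrade": {"questrade.com"},
}


def registrable(host: str) -> str:
    """Collapse 'login.questrade.com' to 'questrade.com' (naive: last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html: str):
    """Return (text, href, reason) for each link that mentions a brand (in its
    text or its URL) but points at a domain outside that brand's allow-list."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable(host)
        lowered = (text + " " + href).lower()
        for brand, good in BRAND_DOMAINS.items():
            if brand in lowered and target not in good:
                findings.append((text, href, f"mentions {brand} but resolves to {host}"))
                break
    return findings


# Constructed sample body modelled on the lure described in the post:
# official-looking wording, brand name in the URL, off-brand destination.
SAMPLE_EMAIL = """
<p>Your Form W-8BEN is expiring.</p>
<p><a href="https://questrade-secure-forms.example.net/w8ben">Renew Your Form W-8BEN</a></p>
<p>Questions? Visit <a href="https://www.questrade.com/help">Questrade Help</a>.</p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

Only the W-8BEN link is reported; the help link is left alone because its host collapses to a domain on the allow-list. The two-label collapse in `registrable` is deliberately naive (it would mis-handle domains like `.co.uk`), which is fine for a mailbox triage script but not for a production filter.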

The Wall Street Journal Reports That Criminals Made More Than $1 Billion From Text Scams

Posted in Commentary with tags on October 16, 2025 by itnerd

The Wall Street Journal reported today on a billion-dollar scam that is linked to gift card fraud. 

That’s scary.

As the 2025 holiday shopping season approaches, an alliance of leading retailers, card networks, and law enforcement agencies has launched a nationwide social media campaign to combat the alarming surge in gift card fraud. The campaign, led by the Gift Card Fraud Prevention Alliance (GCFPA), aims to educate, empower, and protect consumers during the busiest shopping time of the year.

From October 1 through December 25, holiday shoppers will see daily tips and information on the latest scams on LinkedIn and Instagram platforms, spotlighting the tactics scammers use and steps every consumer can take to avoid falling victim. This collaborative effort marks a landmark partnership among industry giants, national and state retail associations, and public safety organizations, all dedicated to protecting the public from gift card-related crimes.

How to Get Involved

Consumers are encouraged to follow the RILA Communities Foundation on LinkedIn and @ProtectMyGiftCard on Instagram for daily tips and updates throughout the campaign. For more information or to report a scam, contact local law enforcement, state attorney general’s offices, or visit the Federal Trade Commission’s website.

Watch Out For Scams Related To The Los Angeles Wildfires

Posted in Commentary with tags on January 15, 2025 by itnerd

The wildfires in Los Angeles and surrounding areas have left residents and businesses vulnerable to exploitation by scammers looking to take advantage of them for financial gain, to steal their identities, and for other fraudulent activities. Here are a few examples from the news that illustrate what I am talking about.

Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, commented:

“Enterprises with geo-location settings used for authentication validation purposes should adjust their models to acknowledge those employees forced to evacuate their home.

“Major catastrophic events like the fires in California bring out kindness and empathy from many people who are not victims for days following the event. Unfortunately, these events also bring out cyber criminals seeking to capitalize on the victim’s misfortune by designing phishing emails supposedly from FEMA, fire officials or other state and local agencies offering relief options. We recommend:

1. Review your passwords for key accounts/sites and consider improving the complexity of the password (use a password manager and ensure that you have access to it from all devices)

2. Read email messages closely and identify the origin of the sender’s email address

3. Avoid clicking on links in email messages unless you are certain of the validity of the sender

4. Print a list of emergency numbers to keep handy and include the FEMA Fraud Hotline:

   To protect yourself from fraud and identity theft, we encourage you to be careful when sharing your personal information.

   If you believe you are a victim of identity theft, or someone applied to FEMA using your personal information, please call 800-621-3362. Do not contact the FEMA Fraud Investigations and Inspections Division, DHS Office of Inspector General, or the National Center for Disaster Fraud for the purpose of reporting identity theft.

   Report any other types of disaster fraud by emailing StopFEMAFraud@fema.dhs.gov. For more information, visit the disaster fraud page.

5. Employees and third parties will be forced to access networks from different locations using potentially different devices. Increase staffing levels of IAM ops staff to address the needs of storm victims and expand call coverage

6. Advise employees to consider donations to the American Red Cross and other disaster relief organizations that are well established vs. newly formed entities specific to the California fires.”

James McQuiggan, security awareness advocate at cybersecurity company KnowBe4:

“The fires in Los Angeles County have caused significant loss of homes and property, leaving many residents vulnerable to exploitation. Scammers often prey on homeowners facing challenges with their insurance providers, posing as fake adjusters, offering fraudulent services, or ways to get money fast to start rebuilding. These schemes often involve promises of quick resolutions in exchange for upfront payments or steep fees. Some may claim they can prevent insurers from dropping coverage, adding to the stress of an already difficult situation. 

“Homeowners should confirm the identity of any insurance representative by contacting their provider directly and avoid making hasty decisions or signing agreements without proper verification. Outside of LA, individuals moved by the destruction will be targeted by fake donation campaigns or fraudulent grassroots donation platforms. Scammers create convincing appeals, often using AI-generated synthetic images to portray fabricated victims or destroyed homes. These scams manipulate people’s emotions and ask for donations quickly. 

“People looking to help should prioritize verified charities with established reputations and avoid sharing financial information through requests or unverified crowdfunding campaigns. Careful research and communication with the proper and recognized organizations can ensure that contributions are used for legitimate relief efforts.

“Disaster-related scams are not new and have appeared after hurricanes, floods, and earthquakes, following a similar pattern of urgency and emotional manipulation. The tactics remain consistent: leveraging heightened emotions and telling stories to exploit our human nature. It’s essential to remain cautious and somewhat skeptical during such events. Taking the time to verify claims, conducting research, and educating others can significantly reduce the effectiveness of these schemes. Awareness is critical to prevent fraud from happening based on the devastation of these events and ensure that support reaches those who need it most during their time of need.”

So the question becomes how you can help without getting scammed. Here’s a list that I’ve compiled:

California Community Foundation

California Fire Foundation

L.A. Fire Department Foundation

Pasadena Humane Society

Ventura County Community Foundation

American Red Cross of Greater Los Angeles

Center for Disaster Philanthropy

Direct Relief

World Central Kitchen

Any assistance to any of these organizations is appreciated.

The top 7 tips to avoid cyber scams during the holiday season from a cybercrime expert

Posted in Commentary with tags on November 22, 2024 by itnerd

With Black Friday approaching next week, I have collected some thoughts from cybercrime expert Rafe Pilling, Director of Threat Intelligence for the Secureworks Counter Threat Unit, about scams that you may see this upcoming holiday season and how to stay secure. First some commentary from Rafe:

“The sense of urgency around limited time deals coupled with the excitement of the holidays makes Black Friday a prime opportunity for cyber criminals. Every year we see an uptick in attacks based on significant consumer events including Black Friday. There is a sense of urgency created by a ‘limited deal’ shopping window which can mean our usual checks and guards get set aside in favour of trying to secure the best deal.” 

“From imitating the marketing we get, to SEO poisoning, to fraudulent delivery updates, there are a number of touch points cyber criminals can exploit. And with the growing use of AI, scam emails can be more convincing than ever, mimicking brands we trust to sidestep our normal defenses. As you look to cash in on the deals this Black Friday, don’t forget to prioritize your protection.”

Top 7 Tips for Staying Secure:

  1. Verify Email Sender: Check the sender address of any email that sends you a deal. Look for misspellings of domain names or discrepancies between the display name and the actual sender email address. Be especially wary of emails from retailers you do not recognize or have not previously used.
  2. Don’t just click: Some deals can be too good to be true. Beware of lookalike sites that offer deep discounts and hard-to-find products. Even if a website or email looks legitimate, open a new browser whenever possible to visit the real eCommerce site directly rather than clicking on links through an email or on high-ranking websites on search engines – these can be manipulated to prioritize fake and fraudulent sites.
  3. Delivery scam danger: Be cautious about text messages claiming to provide details on purchase deliveries. Scammers frequently send SMS phishing links under the guise of delivery notifications or delivery fee payment requests. Never click links provided via SMS. Refer back to original emails you have received or retailer apps detailing how to track your package.
  4. Watch Your Bank Accounts: Sign up for fraud alert notifications from your bank/card provider. This safeguards you against scams that falsely claim there has been unauthorized activity on your accounts in order to trick you into divulging your account login and password. 
  5. Add Security to Your Store Accounts: Use multi-factor authentication on all accounts that will allow it and a strong, unique password for every site. This can significantly reduce the chances—if your credentials do get stolen—of cybercriminals being able to use them to access your personal information, bank details or to conduct fraudulent transactions.
  6. Download cautiously: Malware infections can occur via malicious advertising (‘malvertising’) or third-party code running on ecommerce sites, so visitors get infected through no fault of their own. Never let a website bully you into running downloaded software or calling a tech support hotline.
  7. Control App Permissions: Only download mobile apps from authorized app stores. Even then, be aware of what permissions they are asking for. Apps that ask to access your text messages, contact lists, or passwords should be treated as highly suspicious. Remove any apps that you don’t need or don’t use any more.
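Tip 1 above, checking the sender address for misspelled domains and for a display name that does not match the address, is easy to automate over a mailbox. The following is an added example, not code from Rafe Pilling or Secureworks; the brand list, the function names and the three sample From: headers are constructed for illustration.

```python
"""Check an email's From: header for the two signs tip 1 describes:
a display name that claims a brand the address does not belong to, and a
sender domain that is a near-misspelling of a brand domain.

Added example, not the expert's or Secureworks' code. KNOWN_BRANDS and
the sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: display-name keywords and the domains they legitimately send from.
KNOWN_BRANDS = {
    "examplemart": {"examplemart.com", "mail.examplemart.com"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character domain misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str):
    """Return a list of human-readable findings for the From: header (empty if clean)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not domain:
        return ["From header has no usable address"]
    findings = []
    for brand, good in KNOWN_BRANDS.items():
        if domain in good:
            continue  # sent from a domain the brand actually uses
        named = brand in display.lower().replace(" ", "")
        # Misspelled brand domain, e.g. one letter swapped or dropped.
        closest = min(good, key=lambda d: edit_distance(domain, d))
        if edit_distance(domain, closest) <= 2:
            findings.append(f"sender domain {domain} looks like a misspelling of {closest}")
        elif named:
            findings.append(f"display name claims {brand} but address is @{domain}")
    return findings


# Constructed samples: one legitimate, one typo-squatted domain, one mismatched name.
LEGIT = "From: ExampleMart Deals <deals@mail.examplemart.com>\nSubject: Sale\n\nhi\n"
TYPO = "From: ExampleMart Deals <deals@exanplemart.com>\nSubject: Sale\n\nhi\n"
MISMATCH = "From: ExampleMart Deals <promo@freeoffers-example.org>\nSubject: Sale\n\nhi\n"

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("typo", TYPO), ("mismatch", MISMATCH)):
        print(label, check_sender(sample) or ["ok"])
```

The edit-distance threshold of 2 catches single swapped, dropped or doubled letters (the "misspellings of domain names" the tip refers to) while leaving unrelated domains to the display-name check; tune the threshold down for short brand domains, where two edits can reach a legitimate unrelated name.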

I Got Called To Investigate A Banking #Scam… Here’s What I Found Out

Posted in Commentary with tags on July 28, 2024 by itnerd

I get all sorts of emails and calls from people who have been scammed and are in need of my help. A lot of these scams are ones that I have seen before. But one that I came across recently was really different. And because of that, I want to tell you about it so that you’re aware that this scam exists and can protect yourself accordingly.

Out of the blue, the client got an Interac deposit into their bank account. The client had auto deposit turned on, meaning that no human intervention is needed for the money to go straight into someone’s bank account. Thus in this case $700 just magically appeared in their bank account. The client didn’t recognize the email address that sent the money and found that odd. But things escalated from there when, less than 24 hours later, the client got a request for $700 to be withdrawn from her bank account from the same email address that had sent the $700 in the first place. There was a note saying that the deposit the day before was a mistake, and as a result the person who sent the money wanted my client to send it back to them. One thing that was interesting was that the sender claimed they were one letter off in terms of the email address. Another thing that was interesting was that the sender claimed to have talked to a relative who is a CFO at TD Bank, which is one of the “big five” banks in Canada, and that the CFO directed them to do this. The client was highly suspicious, so they called me for help.

Now there’s a bunch of things that I immediately spotted as red flags. Here’s the list:

  • The client had this all happen by email. And the client had an email address that had no relation to their name or anything like that. In fact the email address is a Hebrew word that isn’t commonly known to most of you reading this unless you’re part of the Israeli or Jewish diaspora. And to be sure that the client isn’t a target for anything else, I won’t disclose what that word is. In any case, to be one letter off on this sort of email address would be impossible given the circumstances. What’s more likely to be the case is that they were targeted for this scam somehow.
  • I find it impossible to believe that the sender would happen to have a relative who is a CFO of TD Bank who would direct them to take this course of action. What’s more probable is that this was a means to gain the client’s confidence so that the scam would be more likely to succeed.

So, what is the actual scam? Based on some research, here’s what is likely going on:

  • Someone’s bank account gets hacked, via phishing or some other means.
  • Once inside that bank account, the threat actor uses Interac to transfer money from that hacked bank account to a victim that unwittingly accepts the money into their bank account.
  • Some time later the threat actor asks for the money back claiming that it was a mistake. And the victim sends the money believing that this was a mistake.
  • Unknown to the victim, there’s a fraud investigation going on in relation to the hacked bank account. And when the money is tracked down days, weeks, or months later to the victim’s bank account, the bank will withdraw the stolen money from the victim’s bank account to return it to the rightful owner. Except that the victim has already sent money to the threat actor under the assumption that this was a mistake. So the victim is out the money and the threat actor wins.

I advised the client to call their bank and explain the situation. The client instead asked me to join her at her local bank branch. After a conversation with first a client service rep and then the branch manager, the bank opened a fraud investigation and froze the client’s bank account. The client then filled out a form stating that they didn’t know the person who sent them this money. As I type this, the client’s bank account is still frozen. And at the same time, the threat actor keeps pestering them by email to return “their” money. I created a rule in their email client that automatically sends those emails to the trash. But not before telling the threat actor via email that a fraud investigation is open and the bank account has been frozen.

Now I am sure that there are many cases where there isn’t a positive ending and that people have lost money due to this scam. Which means that you need to protect yourself from being a victim. The best way to protect yourself is to make sure that you turn off auto deposit. It shouldn’t be on by default. But if you turned it on, I strongly suggest that you turn it off. That makes it more difficult for a threat actor to execute this scam, since you would have to manually accept the deposit. That brings me to the second means to protect yourself: if you don’t know the person who is sending you money, you should become suspicious and not accept the deposit. What will likely happen is that the deposit attempt will expire after a certain amount of time. The end result is that the scam cannot be executed and you will be safe. Finally, in the event that a situation like this actually is a mistake, the sender of the funds can escalate with their bank to get the transfer reversed. But to be clear, I am 99% sure that this is not a mistake but a scam.

I’m monitoring this situation as I want to see how this turns out, which is another way of saying that I want to see how long it takes for my client’s life to return to normal. I’ll post an update once I have one. But my advice is to be careful out there because scams are everywhere, and they can hit you at any time.

The Common Tactic Scammers Use To Try And Fool You… The Netstat Command

Posted in Tips with tags on July 10, 2024 by itnerd

Having worked on exposing scams as well as rescuing people from scams for the last number of years, I’ve noted the tactics that scammers use to get people to part with their hard earned money. One of the more popular tactics that scammers use is the nefarious use of the Netstat command. So, before I get into how scammers use this command, let me explain what this command is.

Netstat is a command that is used to troubleshoot network issues by displaying what is connecting to a computer, and what the computer is connecting to, and how it is making those connections. But the thing is that this only gives you a tiny piece of the picture. You have to run other tools to confirm or deny your suspicions related to whatever problem you have. Wireshark is an example of such a tool. If you really want to get into the weeds on the usage of this command, this Wikipedia article can help you.

If I run this command on my Mac, here’s a partial list of what I get:

Now a lot of this is traffic connected to my web browser with seven tabs open, traffic connected to having Apple Mail open, along with whatever other applications that happened to be open on my Mac when I took this screenshot, and whatever macOS happens to be talking to at that moment. For example iCloud’s back end.

In other words, this is all perfectly normal.

But a scammer will tell you that all of this is due to hackers who are on your computer at that precise moment doing evil things to you. Thus you need the scammer’s help to get rid of these hackers. I’ll cut to the chase and just tell you that they’re lying through their teeth. If it were that easy to find an actual hacker who is on your computer, nobody would get pwned by them.
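To show what netstat output really contains, here is an added example (not code from this post) that parses `netstat -an` style output and summarises it by socket state and remote port, which is the view that separates your own browser and mail connections from anything that would actually be worth a second look. The sample output is constructed to resemble macOS netstat formatting (host and port separated by a dot) and uses documentation address ranges; it is not a capture from the author’s Mac, and the function names are my own.

```python
"""Summarise `netstat -an` output: how many sockets are in each state, which
remote ports the ESTABLISHED connections go to, and which local ports are
listening.

Added example, not code from the original post. SAMPLE is constructed to
look like macOS `netstat -an` output; it is not a real capture.
"""
import sys
from collections import Counter

# Constructed sample, not real output. macOS joins host and port with a dot.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.23.52344     203.0.113.10.443       ESTABLISHED
tcp4       0      0  192.168.1.23.52345     203.0.113.11.443       ESTABLISHED
tcp4       0      0  192.168.1.23.52346     198.51.100.7.443       ESTABLISHED
tcp4       0      0  192.168.1.23.52301     198.51.100.20.993      ESTABLISHED
tcp4       0      0  192.168.1.23.52290     203.0.113.55.443       TIME_WAIT
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""


def split_endpoint(endpoint: str):
    """'203.0.113.10.443' -> ('203.0.113.10', '443'); '*.*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_netstat(text: str):
    """Return one dict per socket line, skipping the header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        local_host, local_port = split_endpoint(parts[3])
        remote_host, remote_port = split_endpoint(parts[4])
        rows.append({
            "proto": parts[0],
            "local_port": local_port,
            "remote_host": remote_host,
            "remote_port": remote_port,
            "state": parts[5] if len(parts) > 5 else "",  # UDP lines carry no state
        })
    return rows


def summarize(rows):
    """Count sockets by state, ESTABLISHED connections by remote port, and listeners."""
    by_state = Counter(r["state"] or "(none)" for r in rows)
    by_remote_port = Counter(r["remote_port"] for r in rows if r["state"] == "ESTABLISHED")
    listening = sorted(r["local_port"] for r in rows if r["state"] == "LISTEN")
    return {
        "by_state": dict(by_state),
        "established_by_remote_port": dict(by_remote_port),
        "listening_ports": listening,
    }


if __name__ == "__main__":
    # Read real output from a pipe if there is one, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, value in summarize(parse_netstat(text)).items():
        print(f"{key}: {value}")
```

On the constructed sample the summary reads: three ESTABLISHED connections to remote port 443 (a browser with a few tabs open), one to 993 (a mail client on IMAPS), one connection winding down in TIME_WAIT, and two listeners on 631 and 22. That is the ordinary picture the post describes. On a real machine, run `netstat -an | python3 netstat_summary.py` (hypothetical file name); what would warrant attention is not the length of the list but an unexplained listening port or an ESTABLISHED connection from a program you cannot account for, which `lsof -i` on macOS can map back to a process.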

The thing is, for you to see something like this, it likely means that the scammer has connected to your computer using a remote access tool so that they could execute this command. That’s really bad. Your best course of action is to instantly turn off your computer and hang up on the scammer. Then call an actual computer professional to look at the computer to see what the scammer did to it. Chances are that they’ve installed other software to allow them to access it any time they please. Which is of course really, really bad, and that software needs to be removed ASAP.

In the coming weeks, I’ll be exposing other tactics that scammers use to separate you from your money. Because if you know how they work, you’ll be less likely to fall for a scam. And if there’s something that you want me to cover, please drop me a comment and let me know.