Mobile phishing scam hits customers at big North American banks

Customers at big banks like Chase, the Royal Bank of Canada, and London-based HSBC are among the targets, researchers said.
A RBC Royal Bank building in Markham, Ontario, Canada. RBC is one of the banks that is seeing its customers targeted with a ransomware scare. (Getty Images)

Nearly 4,000 IP addresses tied to customers of banks in North America and elsewhere have been targeted in a mobile phishing scam to steal login credentials, researchers said Friday.

Customers at big banks like Chase, the Royal Bank of Canada, and London-based HSBC are among the targets. The hackers are exploiting how accustomed users are to receiving text messages from their banks, said analysts at Lookout, a San Francisco-based security company.

“This appears to be a phishing kit that could be easily acquired or purchased from a third party, allowing even less tech-savvy persons to easily set up and operate their own phishing campaign,” Kristin Del Rosso, security intelligence engineer at Lookout, told CyberScoop.

It is unclear what the hackers are doing with any credentials they managed to steal. Crooks often cash in on pilfered credentials by selling them in underground forums. Lookout said it didn’t know if any money had been stolen from the targeted banks.


Lookout has not identified the perpetrator but has notified all of the victims of the activity.

Whoever is responsible is bombarding bank customers with SMS messages directing them to fake login pages where they are asked to cough up their credentials. The campaign began last June and continued through Jan. 22, with the number of victims spiking in late November and mid-January.

“It is unclear why it stopped but given the victim data exposed, it is likely it will surface again,” Del Rosso said in an email.

The attacker has been prolific: 200 phishing pages are involved in the campaign, Lookout said. They are using an automated SMS tool alongside the phishing kit, allowing them to craft their own messages and send them to as many phone numbers as they want.

CyberScoop is requesting comment from all of the banks named in the Lookout blog.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts