On December 3rd 2018, Rogue Security Labs became aware of a new phishing campaign targeting customers of Toronto-Dominion Bank (TD Bank). The scheme itself is rather generic in nature: a single domain hosts a set of site pages that imitate actual pages belonging to TD Bank itself. The scam works by sending a link to the victim's email, asking them to visit the website because there has allegedly been suspicious activity on their account. Once there, the user finds a cloned copy of TD Bank's actual login page, asking customers to enter their username and password into the fields provided, which the hacker then logs to compromise their real TD Bank account.
The domain the phishing scheme is tied to (hxxp://studiobythelake.com.au) was registered in Australia on October 15th 2018 by Liam Riles, and has presumably been used to conduct phishing attacks on unsuspecting users ever since. Based on analysis of the scheme and the URLs associated with it, the campaign appears to primarily target TD customers in the UK, Australia and Sweden. Though some of the URLs have since been edited or taken down, Rogue Security Labs has managed to pick up the following 9 phishing URLs connected to the primary domain:
Example of Phish URL:
TD Bank has been notified of the scam, but needless to say, be wary of any email sent to your inbox this holiday season. Never trust the look of the page itself; always cross-reference the URL you are accessing the page from. If you come across any suspicious activity, notify your local bank and change your email credentials immediately.
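The advice above, to check the URL rather than the look of the page, can be turned into a small defender-side check. The following Python is an added example, not code from Rogue Security Labs or TD Bank: it refangs a defanged indicator, reduces the hostname to its registrable domain, and decides whether the link really lands on a trusted bank domain. The trusted-domain allowlist and the evil-example.com host are constructed placeholders; only studiobythelake.com.au comes from the advisory. Everything outside the hostname (path, query, userinfo) is deliberately ignored, because that is where phishing links hide bank-looking strings.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: registrable domains the real bank
# would use. Placeholder values, not taken from the advisory.
TRUSTED_DOMAINS = {"td.com", "tdbank.com"}

# Small constructed subset of two-label public suffixes, so that a host such as
# studiobythelake.com.au is treated as one registrable domain rather than "com.au".
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "co.uk"}


def refang(url: str) -> str:
    """Restore a defanged indicator (hxxp://, [.]) to a parseable URL."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: the last two labels, or the last three when the
    final two form a known two-label public suffix such as com.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, trusted=TRUSTED_DOMAINS):
    """Return (is_trusted, reason) for a link found in an email.

    Only the parsed hostname decides. urlsplit().hostname already drops the
    userinfo part (e.g. "td.com@evil-example.com") and the port, so lookalike
    strings placed before an "@" or in the path cannot satisfy the check.
    """
    parts = urlsplit(refang(url))
    host = parts.hostname
    if not host:
        return False, "no hostname in URL"
    domain = registrable_domain(host)
    if domain not in trusted:
        return False, f"registrable domain {domain!r} is not a trusted bank domain"
    if parts.scheme != "https":
        return False, f"trusted domain, but scheme is {parts.scheme!r} rather than https"
    return True, f"{host} belongs to trusted domain {domain!r}"


if __name__ == "__main__":
    # Constructed sample links: the first uses the domain from the advisory,
    # the rest are placeholder lookalike patterns seen in generic phishing.
    samples = [
        "hxxp://studiobythelake.com.au/td/login.php",
        "https://td.com@evil-example.com/login",
        "https://td.com.evil-example.com/login",
        "https://evil-example.com/www.td.com/login",
        "http://www.td.com/login",
        "https://www.td.com/login",
    ]
    for link in samples:
        ok, why = check_link(link)
        print(f"{'TRUSTED ' if ok else 'SUSPECT '} {link}  ({why})")
```

In practice the allowlist would be populated from the bank's published domains, and a full public-suffix list would replace the three-entry stand-in; the structure of the check (hostname only, registrable domain, https required) stays the same.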