On May 28, 2018, news reports started to surface about a data breach affecting two CIBC (Canadian Imperial Bank of Commerce) subsidiaries – BMO (Bank of Montreal) and Simplii Financial. The reports stated that a data breach had occurred and that 90,000 customer records had been leaked. Hackers demanded a ransom of 1,000,000 Ripple XRP cryptocurrency (roughly about $750,000) or they would release the data into dark web black markets and sites.
Here is our analysis of how the hacker performed this breach and tried to extort these bank branches based on the digital breadcrumbs this hacker left behind.
The Rise of Extortion Attacks Against Banks
Before we get into the details of this breach, it’s important to note the growing trend of extortion attacks against banks in this new age of data privacy laws. Given the large fines for GDPR laws and massive data breach incidents in the US in 2017 that drew attention from the Senate, we believe attackers will try to leverage a company’s fear of similar incidents, like in this case with the BMO and Simplii Financial breach.
Regulation fines and brand reputation damage can be way more costly than downtime or lost data. Therefore, organizations are willing to pay more to not have a breach disclosed to the public, rather than pay to regain access to their data. Hackers will leverage this fear as a tactic to get more money.
BMO and Simplii Financial Breach Overview & Timeline
As far as we know, the breach began around, or prior to, January 2018. In the hacker’s email to the bank, he claimed that he breached the BMO site around January 2018, and after BMO half-patched the issue, he hacked the site again sometime after January 2018. As for Simplii, he doesn’t state any specific date, but judging from his email, he seems to have succeeded in hacking their site early-to-mid May.
From our data, we saw some unusual phishing domains directed to both BMO and Simplii websites around February and May 2018 (Figures 1, 2 and 3). We suspect that these sites were setup with the intent to acquire customer data to be used as testing accounts for the later, larger breach. We saw more phishing attacks aimed at Canadian banks from this domain (Figure 4).
(Figure 1: CIBC, Simplii, and BMO phishing sites found in IntSights’ system)
(Figure 2: hxxp://woelrkhelkprf[.]info/revenuecanada.secure.interac.online.ca/banks/Simplii/ - Simplii phishing site)
(Figure 3 - hxxp://woelrkhelkprf[.]info/revenuecanada.secure.interac.online.ca/banks/BMO/indexx.php – BMO phishing site)
(Figure 4: hxxp://woelrkhelkprf[.]info/testing123/ - Test phishing site from the same domain aimed at Canadian bank brands)
The woelrkhelkprf[.]info domain was active around May 14, 2018 for a short period of time, and then went offline.
On Sunday, May 27, 2018, at 4:36 the hacker sent an email to the bank, informing them of the breach. The email came from the address: firstname.lastname@example.org suggesting a Russian origin, but this could have been intentionally misleading. The email itself was written in good English, but with some notable mistakes. We believe that the purpose of these mistakes was to blur the true origin of the hacker. The email describes the method of attack on BMO and Simplii. The attacker took advantage of weaknesses in the session cookie used to authenticate users to the site. Abuse of the “Forgot Your Password” page helped him exfiltrate the data.
For more information on the specific steps the hacker took to exfiltrate this data, please download our full summary and timeline report of the BMO and Simplii breach.
On May 28, one day after the email was sent, an unknown person (probably the hacker, but not necessarily), posted a link on Simplii Financial’s Facebook page. The link led to a paste site containing 100 accounts from the breach. The link was deleted on the same day, and the paste site data was deleted, but our system kept the data from that paste site (Figure 5).
(Figure 5: Leaked account data from the paste site)
Before we conclude, there is one more interesting issue to address: Simplii Financial is a new brand under CIBC. It was called PC Financial beforehand, which stands for President’s Choice Financial – a banking arm of the Canadian supermarket chain, Loblaw Companies. PC Financial and CIBC had a 20-year record of cooperation, until in August 2017, PC had decided to sell its banking arm to CIBC and keep its credit card business.
This is important, as the Simplii Financial website is relativity new (it has existed for less than a year), and the site has suffered the same vulnerability as the BMO site. This raises the suspicion that the Simplii site was built on the same web infrastructure as the BMO site.
Whether it was for economic reasons, simplicity and uniformity of design, or sheer laziness, the Simplii site was flawed because it was based on a flawed design, one that runs many years back. This could have been avoided had there been any involvement of cybersecurity tools and tests in the process of building the new site.
There are a number of ways that BMO and Simplii Financial could have prevented this breach and some important steps all banks should take to prevent similar attacks from happening. To see our full list of recommendations, please download our full BMO and Simplii Breach: Summary & Timeline Report.