Full Report
Instagram ads impersonating financial institutions like Bank of Montreal (BMO) and EQ Bank (Equitable Bank) are being used to target Canadian consumers with phishing scams and investment fraud. Some ads use AI-powered deepfake videos in an attempt to collect your personal information, while others drive traffic to phishing pages. [...]
Analysis Summary
# Incident Report: BMO and EQ Bank Impersonation Scams on Instagram
## Executive Summary
This incident covers a widespread social engineering campaign that used fraudulent Instagram advertisements mimicking legitimate BMO and EQ Bank promotions to draw Canadian consumers into phishing and investment fraud. Some ads carried AI-generated deepfake videos designed to collect personal information; others drove traffic to phishing pages. The campaign consisted of paid, high-fidelity ad placements and exposed unsuspecting customers to credential theft and direct financial loss. The banks have responded by working with the platform to remove the ads and by issuing security warnings to their customers.
## Incident Details
- **Discovery Date:** Not stated; the ads were live at the time of reporting.
- **Incident Date:** Ongoing campaign; ads were still active when reported.
- **Affected Organization:** Canadian consumers and customers of BMO and EQ Bank; the banks themselves through brand abuse and reputational impact.
- **Sector:** Financial Services (Banking).
- **Geography:** Canada (the source report states the ads target Canadian consumers).
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (during the period the fraudulent ads were live).
- **Vector:** Social Media Advertising Platform (Instagram Ads).
- **Details:** Attackers bought Instagram ad placements that closely mimicked official BMO and EQ Bank promotions. Some ads used AI-generated deepfake videos to solicit personal information; others linked to phishing pages.
### Lateral Movement
- **N/A:** This was a direct social engineering/phishing campaign targeting end-users rather than an internal network intrusion requiring lateral movement.
### Data Exfiltration/Impact
- **Impact:** Users who clicked the ads were directed to phishing pages that collect personal information or credentials, or into investment fraud schemes, resulting in unauthorized transfers and direct financial loss.
### Detection & Response
- **Detection:** The source does not state how the ads were first identified; detection through external reporting or monitoring (the campaign was covered by BleepingComputer) is implied.
- **Response actions taken:** EQ Bank confirmed it was aware of the ads, is working with the advertising platforms to have them taken down, and has warned its customer base about the scam.
## Attack Methodology
- **Initial Access:** Social engineering leveraging legitimate platform advertising functionality.
- **Persistence:** Persistence was maintained through active, running fraudulent advertisements on the platform.
- **Privilege Escalation:** N/A (No system compromise).
- **Defense Evasion:** High-fidelity branding mimicry, including AI-generated deepfake video, designed to pass user scrutiny; delivery as paid ads rather than unsolicited messages.
- **Credential Access:** Harvesting of credentials and personal information via the linked phishing pages and the deepfake-video lures.
- **Discovery:** N/A (used existing institutional branding).
- **Lateral Movement:** N/A.
- **Collection:** Personal information, credentials, and financial details submitted by victims.
- **Exfiltration:** Harvested data sent to attacker-controlled infrastructure; funds removed through fraudulent transfers or bogus "investments".
- **Impact:** Financial harm to customers.
## Impact Assessment
- **Financial:** Potential financial losses for consumers who fell for the scams.
- **Data Breach:** Potential theft of PII or financial credentials from targeted customers.
- **Operational:** No confirmed operational impact on BMO or EQ Bank infrastructure mentioned.
- **Reputational:** Negative impact on customer trust due to the existence of sophisticated, branded scams on platforms used by the banks.
## Indicators of Compromise
- **Network indicators:** None published; the source lists no specific URLs or domains. Treat any link from an Instagram ad claiming to be BMO or EQ Bank as untrusted until the destination's registrable domain is confirmed to be the bank's official domain.
- **File indicators:** N/A.
- **Behavioral indicators:** Instagram ads promoting unusually attractive financial offers or investment opportunities under BMO or EQ Bank branding, including AI-generated video of purported bank representatives, that link to domains other than the banks' official ones.
## Response Actions
- **Containment measures:** EQ Bank is working proactively with advertising platforms to request the removal of the fraudulent ads.
- **Eradication steps:** Removal of fraudulent ad content from the advertising platforms.
- **Recovery actions:** Advising customers to exercise extreme caution and verify communications through official channels.
## Lessons Learned
- **Key takeaways:** Sophisticated, high-fidelity impersonation scams remain highly effective on social media platforms, leveraging the trust associated with major brands.
- **What could have been done better:** Advertising platforms need stronger proactive detection of brand impersonation in paid placements, since paid delivery lends a scam the platform's implicit legitimacy and reaches victims faster than organic posts.
## Recommendations
- **Prevention measures for similar incidents:**
1. **User Education:** Continuously educate customers on recognizing phishing attempts, emphasizing that deepfake video of a bank representative is not proof of authenticity, that URLs must be checked, and that the bank should be contacted through known, official channels rather than through links in ads.
2. **Platform Vigilance:** Organizations should monitor advertising platforms for impersonation attempts, for example by periodically searching the Meta Ad Library (which covers Instagram ads) for their brand name and filing takedown requests for unauthorized ads.
3. **Verification:** A verification badge on the advertiser's account is necessary but not sufficient; users should also confirm that the destination URL or form belongs to the legitimate organization's registrable domain before submitting any information or funds.
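The behavioral indicator above (ads that direct users to non-official domains) and recommendation 3 both come down to one check: does the link's registrable domain belong to the bank? The following script is an added example written for this report, not code from the article or from either bank. It classifies candidate landing URLs against an allowlist of official domains and flags the usual lookalike tricks (brand name as a subdomain of another domain, brand name with extra words, `user@host` tricks, punycode labels, raw IP hosts, plain http). The allowlist entries `bmo.com` and `eqbank.ca` are assumptions for the example and should be taken from each bank's own published contact page; the sample URLs are constructed and do not come from the campaign.

```python
"""Landing-URL triage for brand-impersonation ads (illustrative, not from the source)."""
from urllib.parse import urlparse
import ipaddress

# Assumed allowlist of official registrable domains. Take this from the
# institution's own published security/contact page, never from an ad.
OFFICIAL_DOMAINS = {"bmo.com", "eqbank.ca"}

# Brand strings whose presence anywhere in a non-official URL is a lookalike signal.
BRAND_TOKENS = ("bmo", "eqbank", "equitable")


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Adequate for .com/.ca; a production check should use the Public Suffix
    List (for example via the tldextract package) so that multi-label
    suffixes such as .co.uk are handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_landing_url(url: str) -> dict:
    """Return {'verdict', 'domain', 'reasons'} for an ad's destination URL.

    verdict is one of:
      official   - registrable domain is allowlisted and nothing else is odd
      suspicious - allowlisted domain, but the URL has an anomaly (http, '@')
      lookalike  - not allowlisted, yet the brand name appears in the URL
      unofficial - not allowlisted and no brand reference at all
    """
    # Add a scheme if the ad text omitted it so urlparse sees the authority part.
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    reasons: list[str] = []

    if not host:
        return {"verdict": "unofficial", "domain": "", "reasons": ["no host"]}

    if "@" in parsed.netloc:
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label in host")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("host is a raw IP address")
    except ValueError:
        is_ip = False
    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme}, not https")

    domain = host if is_ip else registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        verdict = "official" if not reasons else "suspicious"
    else:
        # Look at the raw authority and path so 'bmo.com@evil' and '/bmo/login' are caught.
        haystack = (parsed.netloc + parsed.path).lower()
        if any(tok in haystack for tok in BRAND_TOKENS):
            reasons.append(f"brand name used outside official domain ({domain})")
            verdict = "lookalike"
        else:
            verdict = "unofficial"
    return {"verdict": verdict, "domain": domain, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links of the kind an impersonation ad might carry.
    samples = [
        "https://www.bmo.com/main/personal",
        "http://bmo.com/login",
        "https://bmo.com.secure-offer.net/promo",
        "https://eqbank-bonus.ca/apply",
        "https://eqbank.ca@198.51.100.7/",
        "https://example.org/news",
    ]
    for s in samples:
        r = classify_landing_url(s)
        print(f"{r['verdict']:<10} {r['domain']:<22} {s}  {'; '.join(r['reasons'])}")
```

The verdicts are deliberately coarse: "lookalike" is the one worth escalating to the bank's fraud team and the ad platform, while "suspicious" on an official domain usually means a copied link with http instead of https and is worth a second look rather than an alarm.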