As we mentioned in our blog last week (see: Kelihos botnet sending Panda Zeus to German and UK Banking Customers), the Kelihos botnet is now using "geo-targeting" based on the ccTLD portion of email addresses. Today, those recipients whose email address ends in ".ca" are receiving a French language spam message advertising one of many Desjardins phishing websites:
Some of the email subjects being used include:
Subject: Renouvellement de votre compte Desjardins
Subject: Solutions en ligne Desjardins
Subject: Veuillez regulariser votre compte Acces
Subject: Desjardins Reactivation
Subject: Reactivation de votre compte AccesD
Each of these URLs is currently resolving to the IP address 5.166.183.135:
hxxp://client.accesd.com-page-reactivation-4955-accesd-desjardins[.]com/web
hxxp://espace.client.accesd.com-page-reactivation-3953-accesd-desjardins[.]com/login
hxxp://connection.desjardins.com-page-reactivation-3953-accesd-desjardins[.]com/id
hxxp://membre.espace.desjardins.com-page-reactivation-1734-accesd-desjardins[.]com/page
hxxp://membre.accesd.com-page-reactivation-5354-accesd-desjardins[.]com/enligne
hxxp://membre.desjardins.com-page-reactivation-5354-accesd-desjardins[.]com/accesd
hxxp://espace.client.accesd.com-page-reactivation-1734-accesd-desjardins[.]com/login
Here is a pictorial walk-through of the phishing website:
We begin by entering a Credit Card number -- it must be a number that passes a Luhn check:
After entering a valid CC#, the next page asks the phishing victim for three security questions and their answers:
And lastly, the phishers try to get any and all additional information they can!
Only after entering a valid password and a number that matches the mathematical rules for a Canadian Social Insurance Number does the phisher send the victim to the real Desjardins website!
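The kit's gatekeeping described above (rejecting any card number that fails a Luhn check, and any SIN that fails the SIN checksum) is ordinary client-side validation turned against the victim. The block below is an added example, not code from the original post or from the phishing kit: it implements the public Luhn mod-10 algorithm, applies it to card-number-like and SIN-like strings, and uses the same check as a data-loss-prevention heuristic to pick out checksum-valid card numbers from a captured form submission. The sample POST body is constructed; the field names in it are assumptions. The Canadian SIN is a nine-digit number whose last digit is a Luhn check digit; its first digit also encodes the region of registration, which this example deliberately does not check.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Return True when a string of digits passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the right-hand end; every second digit is doubled and,
    # if the result is two digits, folded back into one (d - 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def normalize(s: str) -> str:
    """Strip the spaces and hyphens people type into card and SIN fields."""
    return re.sub(r"[\s-]", "", s)

def plausible_pan(s: str) -> bool:
    """Card-number shaped (13 to 19 digits) and Luhn-valid."""
    digits = normalize(s)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)

def plausible_sin(s: str) -> bool:
    """Nine digits with a valid Luhn check digit (region digit not checked)."""
    digits = normalize(s)
    return len(digits) == 9 and luhn_valid(digits)

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_LIKE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def find_luhn_valid_pans(text: str) -> list[str]:
    """DLP-style scan: return the normalized card-number candidates in a blob
    of text that actually pass Luhn, dropping look-alike digit runs that do not."""
    return [normalize(m.group(0))
            for m in PAN_LIKE.finditer(text)
            if plausible_pan(m.group(0))]

# Constructed sample of what a kit's POST body might look like; the card
# number is the well-known 4111... test value, not a real account.
SAMPLE_POST = ("cc=4111 1111 1111 1111&q1=chat&q2=montreal&q3=bleu"
               "&sin=046-454-286&ref=1234567812345678&tel=5145551234")

if __name__ == "__main__":
    print("card passes Luhn:", plausible_pan("4111 1111 1111 1111"))   # True
    print("card fails Luhn:", plausible_pan("4111 1111 1111 1112"))    # False
    print("SIN checksum ok:", plausible_sin("046 454 286"))            # True
    print("checksum-valid PANs in POST:", find_luhn_valid_pans(SAMPLE_POST))
```

The scan deliberately ignores the 16-digit `ref` value in the sample because it fails the checksum: that is exactly the property that lets a mail or proxy DLP rule flag outbound submissions of checksum-valid card numbers to unfamiliar domains with far fewer false positives than a bare digit-run pattern, and it is why an analyst walking through a kit like this one should use documented test numbers rather than typed-at-random digits.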
Beware, Canadian friends! And let us hope that our shared victimization increases our mutual law enforcement agencies' desire to stop this botnet!