Cybersecurity | Montreal at the heart of the online fraud ecosystem

Montreal is home to a veritable small industry of online banking fraud, hidden away in anonymous messaging forums. Hackers collaborate to rob their victims and reap considerable gains, up to $600,000 a year, according to private investigators who have infiltrated these “bazaars” of cybercrime.

Posted at 5:00 a.m.

Hugo Joncas

La Presse

“The big banks are all hit,” says Pierre-Luc Pomerleau, partner at Vidocq. The company, which helps them prevent these crimes, paints a portrait of a true “ecosystem” of fraud in Quebec in a report published on March 10.

To sell stolen information, cybercriminals have taken to encrypted applications such as WhatsApp, Signal, Discord and ICQ, but especially Telegram.

In order to observe the cybercriminals at work, Vidocq agents have infiltrated “more than a thousand” forums for online fraudsters.

For sale: phishing methods, as well as stolen personal information to take control of bank accounts. Credit card security numbers, personal identification numbers, security questions… Some offer or buy “fullz”: in the jargon, this is all the personal data needed to connect to a compromised account.


Screenshot caption: With the phrase “be btc ready”, the seller asks the prospective buyer to have a bitcoin (btc) wallet ready to send funds.

An important minister of the Legault government also paid the price in December, when a hacker put his TransUnion credit file up for sale on Telegram, as La Presse revealed on February 24. We have withheld the identity of the elected official, who does not appear to have been negligent.

“A typical ad includes a screenshot of the account to be hijacked (which reveals the type of account and its balance) and the asking price for that information,” Vidocq’s report explains. The price is typically expressed in bitcoins or another cryptocurrency such as ethereum.

“When we see a screenshot of a profile with one of our clients, we send it to the financial institution concerned,” says Pierre-Luc Pomerleau. The bank can then monitor the account and block the fraudulent transaction that is brewing. “We saw comments from some buyers who wondered why it wasn’t working,” he says. The fraud is then sabotaged.

Homegrown cybercriminals

For six weeks in 2021 and 2022, Vidocq was able to observe three particularly prolific fraudsters, presumably from Quebec. Under the eyes of its agents, the hackers exchanged information to compromise and empty no fewer than 428 accounts during this period alone.

The income they receive through fraud appears to be considerable. They could have banked between US$20,000 and US$27,000 each in just 3 weeks.

At this rate, the most efficient of them would therefore be able to earn more than C$600,000 per year.

Although they are the most prolific, the three fraudsters described by Vidocq in its report are far from alone. The Telegram chat groups where investigators observed them bring together up to 1342 different users. Many of them are Montrealers.

“Vidocq noted that, when members of a forum report infiltration attempts by the authorities, they tend to refer to the Sûreté du Québec rather than to any other police force,” its report states.

Its analysts also noted “expressions typical of French-speaking Quebecers, such as ‘Jsp’, an abbreviation for ‘I don’t know’”.

“The Montreal region unfortunately seems to have become a ‘hot spot’ for fraudsters attacking financial institutions and their customers across the country,” said Pierre-Luc Pomerleau in an interview with La Presse.

Vidocq could not determine exactly why, but it believes bilingualism is a contributing factor. Hackers can thus understand security questions and authentication forms in French, and not only in English.

Cryptocurrency “mule” accounts

To “empty” the bank accounts of their victims, fraudsters enter into relationships with other hackers who control stolen cryptocurrency accounts on platforms like Coinbase and Shakepay.

These bitcoin accounts serve as “mules”. Fraudsters use Interac e-mail transfers to send their victims’ funds to these accounts and cover their tracks.

In exchange, the cybercriminal who controls the stolen bitcoin account receives a hefty commission of up to half of the amount embezzled.

  • Screenshot: “Who can convert small Royal Bank accounts into bitcoins? Verified users only,” a forum user asks on Telegram.

  • Screenshot: “Any credential (to fraudulently access an account) I cash it, in an hour the funds arrive in the wallet, we share 50/50 – private messaging to obtain proof – don’t waste my time if you do not have an authenticator,” reads this message, written in Franglais.

Desjardins and National Bank less affected

Although the problem is widespread, Vidocq made a surprising discovery: the two biggest players in Quebec, Desjardins and National Bank, seem less affected.

Pierre-Luc Pomerleau does not have a clear explanation, but he offers a hypothesis: “Perhaps the fraudsters do not want to attack financial institutions in their region,” he says. That way, a cybercriminal is less likely to end up with stolen information from a cousin or mother-in-law.

Perhaps they also focus on the larger banks with English-speaking customers because they represent a larger pool of potential victims.

But there is probably more to it, Pierre-Luc Pomerleau believes.

“The controls of Québec financial institutions are more adequate than those of other Canadian banks.”

Pierre-Luc Pomerleau

After the theft of data on 9.7 million people that Desjardins suffered in 2019, Desjardins Group invested heavily in security and implemented new anti-fraud measures, such as voice recognition. These investments may have made its customers less attractive to fraudsters.

At Desjardins, spokesperson Chantal Corbeil reports that the number of frauds recorded by Desjardins in 2021 was down 4.5% compared to 2020 and the amounts misappropriated were down 12%.

“The most targeted financial institutions should review their authentication controls and the management of their online accounts to thwart the modus operandi of these fraudsters,” says Pierre-Luc Pomerleau.

Vidocq preferred not to name the most affected banks in its report.

The firm points out that the police would do well to use undercover investigation techniques to combat this type of crime.

“Intelligence on fraudsters could support the authorities’ criminal investigations, which are sorely lacking at the moment,” Vidocq’s report asserts.

The Sûreté du Québec and the Montreal police did not answer our questions.

For his part, Pierre-Luc Pomerleau gives assurances that the police can count on his collaboration. “If the police contact us on this, Vidocq has no problem working with them.”

Learn more

  • $8638 to $54,065
    Average balance in the compromised accounts of the three Quebec online fraudsters monitored by Vidocq, in the last three weeks of monitoring.

    Vidocq

