Hackers sent mass e-mails to the customers of two Canadian banks, encouraging them to submit personal details on a spoof site to win $500.
The cloned site asked the customers of BMO and Desjardins to enter their bank account numbers and passwords.
BMO spokesman Ian Blair and Desjardins spokesman Andre Chapleau said those e-mails also contained a Trojan horse, which was activated when consumers clicked on the link, enabling the hackers to take control of users' computers and steal information.
BMO, which learned of the scam from customers, contacted the internet service provider hosting the spoof site, which immediately shut it down, Blair said. However, that did not deter the hackers.
"Shortly after [the spoofed site was shut down], the hackers sent out another e-mail to customers saying the hackers had been caught but in the process their personal information might have been deleted, and asked them to resubmit their information," he said.
The Royal Canadian Mounted Police are now investigating the hoax, and BMO has already changed the passwords and other personal information of the 100 or so customers taken in by the scam.
Chapleau said Desjardins had tracked down an ISP in Pennsylvania and had it close down the other spoofed site, adding that the hosting company had tracked the cybercriminals to Russia.
Linda Rosencrance writes for Computerworld.