Canada’s Not-So-Polite When it Comes to Fighting Malware

Fri, 14 Jun 2019

Malware is a big, costly problem for Canadian citizens and, even more so, for Canadian companies. Research conducted in 2018 gauged the average cost of cybercrime to a Canadian company at upwards of $12 million.[i] According to interviews with over 175 senior leaders at companies across Canada, malware and socially engineered cyberattacks were most to blame for those attacks.[ii]  

Canadian businesses documented an average of 75 cyber incidents in 2018 – that translates to 1.5 attacks each week. Those incidents can be expensive to deal with and to recoup from, with disruption to business costing approximately $4 million and loss of information valued at $5 million plus. A global study, which surveyed more than 2,600 security and IT professionals at 355 organizations worldwide, found that costs due to malware spiked 11 percent in 2018, to an average of $2.6 million per company, compared to 2017 costs.[iii] The Canadian Government has decided to fight back against malware.

The Canadian Government Gets Tough About Malware

Canada's anti-spam legislation (CASL) was instituted in 2015, aiming to protect “consumers and businesses from the misuse of digital technology, including spam and other electronic threats. It also aims to help businesses stay competitive in a global, digital marketplace.”[iv] The CASL covers more than junk email. Section Seven of CASL targets the modification of transmission data, including botnet activity. Section Eight involves the covert installation of programs on computers or networks, including malware. Additionally, Section Nine bans an individual or organization from helping, inducing, or purchasing any of the above acts.

“We’ve been trying to make sure that service providers operating in Canada — whether or not they are Canadian — are not unduly contributing to the infection of machines and hosting malware,” says CRTC Director Neil Barratt. “We have great power in CASL and Section Nine makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”[v]

Now, Canadian government regulators are kicking it up another notch and using the CASL legislation to pursue hefty fines, some up to $1 million, against citizens who are suspected of assisting in the spread of malware. Businesses found to be violating the CASL can be fined up to $10 million. Barratt states, “We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere.”[vi]

The Purveyors of Malware

Barratt highlights that “One of the key takeaways of CASL was that it wasn’t just about emails that were annoying people, but also the use of email as a vector to mislead or defraud people and cause harm to computers and computer networks.”[vii]

Following that legislation’s logic, in March of this year, the Canadian Radio-television and Telecommunications Commission (CRTC) executed a search warrant in connection with the RCMP at the residence of John “Armada” Rezvesz, a Toronto software developer. Rezvesz is behind the Orcus Remote Administration Tool (RAT), a legitimate product that’s been abused and used in numerous malware attacks since it was created in 2015. It’s technically legit software, yet the Orcus RAT includes multiple features typically seen in Remote Access Trojan malware, such as DDoS-for-hire abilities and the ability to turn off the light indicator on webcams so as not to alert the target.[viii]

Barratt says that the “CASL defines spam as commercial electronic messages without consent or the installation of software without consent or the intercepting of electronic messages. The installation of software is under Section Eight, and this is one of the first major investigations under that statute.”[ix]

Recently, the CRTC enforcement division also took action against two corporations, Datablocks Inc. and Sunlight Media Network Inc., for violating Section Nine of the CASL by “disseminating online ads that caused malicious computer programs to be downloaded onto the computers of unsuspecting victims.”[x] Online ads are a primary method for disseminating malicious software “by serving ‘malvertising’ advertisements that are ‘booby-trapped’ to cause the unauthorized installation of exploit programs that permit the installation of second-stage malware (e.g. ransomware and Trojans) to conduct malicious activities.”[xi] As a result, Datablocks was fined $100,000, and Sunlight Media was penalized $150,000.[xii] The two companies are also being closely scrutinized. 

The Chief Compliance and Enforcement Officer of the CRTC explained: "As a result of Datablocks and Sunlight Media's failure to implement basic safeguards, simply viewing certain online ads may have led to the installation of unwanted and malicious software. Our enforcement actions send a clear message to companies whose business models may enable these types of activities. Businesses must ensure their commercial activities do not jeopardize Canadians' online safety."[xiii]

Datablocks and Sunlight Media got off relatively easy. The companies weren't being careful enough, but they weren't acting maliciously. In the US, Office Depot and just got slammed with a $35 million fine for malvertising. These two companies were the direct beneficiaries of the malvertising because the ads claimed consumers’ computers were infected so they would be motivated to buy in-store computer repair services. The FTC stated that “The companies tricked customers into buying millions of dollars’ worth of computer repair and technical services by deceptively claiming their software had found malware symptoms on the customers’ computers.”[xiv] This goes far beyond the harmless and annoying spam and pop-ups that ruin the user experience and into a profoundly unethical business model. This is the type of inappropriate business behaviour the Canadian government is fighting against with the CASL.

What You Can Do About Malware

The Canadian government is looking out for its citizens, but citizens need to do their part too. is an excellent resource from the Government of Canada. The website has educational materials, the latest threats to be aware of, as well as a place to report malware and spam.  

If you’re a shareholder in a Canadian business, you need to ensure that your business is compliant with CASL legislation. Be wary that your digital presence not only makes you a target for malware but can also be used to target your customers. Ensure your company has adequate cybersecurity measures in place so that you neither succumb to nor inadvertently spread malware.

