A phishing campaign targets clients of German banks using QR codes

Cofense researchers discovered a new phishing campaign using QR codes that has been targeting German e-banking users in recent weeks.
Threat actors continue to use multiple techniques to avoid detection and trick recipients into opening phishing messages, including the use of QR codes.

The messages used in a campaign recently discovered by cybersecurity firm Cofense use QR codes to deceive users of two German financial institutions, Sparkasse and Volksbanken Raiffeisenbanken, and steal digital banking information.

The phishing messages are carefully crafted: the content is well structured and features bank logos. Threat actors used different social engineering tricks to deceive the recipients, such as asking them to consent to data policy changes implemented by the bank or requesting them to review new security procedures.

Upon clicking on the button included in the message, the recipient is redirected to the phishing landing page passing through Google’s feed proxy service ‘FeedBurner.’ Threat actors behind this campaign have been registering their own custom domains for both redirection and as final phishing sites.

Many of the new domains were registered with the Russian registrar REG.RU. To avoid raising suspicion, the domain names follow a standard URL structure that depends on the targeted financial organization:

hxxps://{spk/vr}-{random German word(s)}.com/{10 alphanumeric characters}, where "spk" stands for Sparkasse and "vr" for Volksbanken Raiffeisenbanken.

However, in recent attacks, crooks used QR codes instead of buttons, asking the recipients to scan them. The use of QR codes makes it harder for email filters to flag the messages as malicious, because the phishing URL is not present as text in the message.
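As an added illustration (not part of the Security Affairs article or of Cofense's report), the following Python check flags URLs that follow the domain structure described above when run over proxy-log lines. The log format, the sample URLs and the approximation of "German word(s)" as lowercase letters (umlauts included) are assumptions made for this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domain structure reported for the campaign:
#   {spk|vr}-{one or more German words}.com/{10 alphanumeric characters}
# "German word(s)" is approximated as runs of lowercase letters, optionally
# hyphen-separated; this approximation is an assumption of this example.
_WORD = r"[a-zäöüß]+"
HOST_RE = re.compile(rf"^(?:spk|vr)-{_WORD}(?:-{_WORD})*\.com$", re.IGNORECASE)
PATH_RE = re.compile(r"^/[A-Za-z0-9]{10}/?$")


def classify_bank_url(url: str) -> Optional[str]:
    """Return 'sparkasse' or 'volksbank' when the URL matches the campaign's
    structure, otherwise None. Defanged 'hxxp(s)://' URLs are accepted too."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if not HOST_RE.match(parts.hostname) or not PATH_RE.match(parts.path):
        return None
    return "sparkasse" if parts.hostname.startswith("spk-") else "volksbank"


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, brand, url) for every log line carrying a matching URL.
    Assumes a space-separated format with the URL in the third field."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        brand = classify_bank_url(fields[2])
        if brand:
            hits.append((n, brand, fields[2]))
    return hits


# Constructed sample log lines; the hosts are invented, not real indicators.
SAMPLE_LOG = [
    "2021-10-01T09:12:03Z 10.0.0.7 https://spk-sicherheit-hinweis.com/Ab3dE6gH9k",
    "2021-10-01T09:12:10Z 10.0.0.7 https://www.example.com/login",
    "2021-10-01T09:13:41Z 10.0.0.9 hxxps://vr-kundenservice.com/ZxY9wV8uT7/",
    "2021-10-01T09:14:02Z 10.0.0.9 https://vr-kundenservice.com/toolong12345",
]

if __name__ == "__main__":
    for n, brand, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {brand} lure -> {url}")
```

Because the QR code hides the URL from mail filters, this kind of pattern is more useful on web-proxy or DNS logs than on the mail gateway.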

“The phish sites are fairly similar. Users are first asked for either the location of their bank or its BLZ bank code, and then for the corresponding user name and PIN. Once this information is provided, a loading page will ask the user to wait for validation before displaying the log in page once more, this time warning that the credentials are incorrect, a common phishing tactic,” reads the analysis published by Cofense.

When the recipient enters the requested information on the phishing page, they wait for validation and are then prompted to enter their credentials once more because the first entry is reported as incorrect. This is a common trick in phishing attacks: the second entry guards against typos the victims may have made when entering the credentials the first time.

Cofense published indicators of compromise (IoCs) for this campaign.

Source: Security Affairs