Proofpoint researchers have observed a rise in credential phishing campaigns targeting German banking credentials. Since August 2021, Proofpoint analysts have tracked multiple high-volume campaigns impersonating major German financial institutions, including Volksbank and Sparkasse, using bespoke, actor-owned landing pages. The activity is ongoing and has affected hundreds of organizations.
The campaigns targeted a range of industries, focusing on German businesses and foreign nationals working in Germany. Each campaign comprised tens of thousands of messages and affected hundreds of organizations. The phishing emails purport to carry account administration notices, but the links or QR codes they contain lead to a geo-fenced credential-harvesting site. Targeted data includes bank branch location, login name, and PIN.
To deliver the malicious URLs, the threat actor used a variety of URL redirection techniques. In several identified campaigns, the actor used compromised WordPress sites to redirect visitors to the phishing landing pages; compromised WordPress installations and plugins are a common vehicle for distributing malicious URLs in phishing and malware campaigns. Researchers also observed Feedproxy URLs and QR codes being used to redirect victims to the phishing pages.
Only visitors located in Germany reach the phishing page, because the threat actor geofences the landing site. Proofpoint assesses with high confidence that the actor uses IP geolocation checks to determine a visitor's location. A visitor outside Germany is sent to a cloned website purporting to offer tourist information about the Rhine Tower in Düsseldorf; a visitor in Germany is sent to a page that mimics the real banking website. A practical consequence for defenders is that a sandbox or analyst fetching these URLs from outside Germany sees only the decoy tourist page, so the actual phishing content can only be retrieved from a German egress point.
The victim is prompted to select their branch location and click “Login”, after which they are routed to a credential-capture page that spoofs the legitimate banking site. These pages are hosted on actor-controlled infrastructure using look-alike domains.
The actor typically registers domains through the registrar REG.RU, with hosting provided by Al iCloud (Germany) GmbH. The first domains associated with this activity appeared in late August 2021. The actor continues to register new domains following the same URL structure, and the campaigns are ongoing.
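As an added, runnable illustration of the triage a defender would perform on the redirect chains and look-alike domains described above (this is example code written for this page, not Proofpoint's tooling or the actor's code), the Python below resolves a captured redirect chain offline, tags each hop with the indicators discussed (Feedproxy redirector, WordPress path, bank look-alike domain), and flags a chain whose final hop lands on a brand-impersonating domain. The allowlist of legitimate apex domains, the brand keywords, the WordPress path markers, the edit-distance threshold, and the sample hop table are all constructed assumptions for the example; real hop data would come from a sandbox capture taken from a German egress, and URLs decoded from QR codes feed into the same checks.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate apex domains (assumption for this example;
# a real deployment would use a vetted list of the banks' registered domains).
LEGIT_BANK_DOMAINS = {"volksbank.de", "sparkasse.de"}
BRAND_KEYWORDS = ("volksbank", "sparkasse")

# Heuristic markers (assumptions): paths typical of compromised WordPress sites,
# and the Google Feedproxy redirector host mentioned in the report.
WP_PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/wp-json/")
FEEDPROXY_HOSTS = {"feedproxy.google.com"}
MAX_TYPO_DISTANCE = 2  # assumption: edit distance that still counts as a typo-squat

# Constructed sample capture: each key is a URL, each value the Location it
# redirected to. Hostnames are deliberately fictitious (.example TLD).
SAMPLE_HOPS = {
    "https://feedproxy.google.com/~r/examplefeed/~3/abc123/":
        "https://blog.example.org/wp-content/uploads/2021/09/go.php",
    "https://blog.example.org/wp-content/uploads/2021/09/go.php":
        "https://sparkasse-kundenservice.example/login",
}


def registered_domain(host):
    """Naive eTLD+1 (last two labels); adequate for .de/.com/.example here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Classic edit distance, used to catch typo-squats such as 'volksbonk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """True if the host trades on a bank brand but is not under an allowlisted apex."""
    if registered_domain(host) in LEGIT_BANK_DOMAINS:
        return False
    h = host.lower()
    if any(k in h for k in BRAND_KEYWORDS):
        return True  # brand keyword embedded, e.g. sparkasse-kundenservice.example
    # Typo-squat check on each label/hyphen token, ignoring short tokens (noise).
    for token in re.split(r"[-_.]", h):
        if len(token) >= 6 and any(
            levenshtein(token, k) <= MAX_TYPO_DISTANCE for k in BRAND_KEYWORDS
        ):
            return True
    return False


def classify_url(url):
    """Return indicator tags for a single URL extracted from a message or chain."""
    p = urlparse(url)
    host = p.hostname or ""
    tags = []
    if host in FEEDPROXY_HOSTS:
        tags.append("feedproxy-redirector")
    if any(m in p.path for m in WP_PATH_MARKERS) or re.search(r"[?&]p=\d+", url):
        tags.append("wordpress-path")
    if is_lookalike(host):
        tags.append("bank-lookalike-domain")
    return tags


def resolve_chain(start, hops, max_hops=10):
    """Walk a captured hop table; stop on the final page, a loop, or the hop cap."""
    chain, seen, cur = [start], {start}, start
    for _ in range(max_hops):
        nxt = hops.get(cur)
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        cur = nxt
    return chain, "max-hops"


def triage_chain(start, hops):
    """Tag every hop and give a verdict based on where the chain ends."""
    chain, status = resolve_chain(start, hops)
    tagged = [(u, classify_url(u)) for u in chain]
    final_tags = tagged[-1][1] if status == "final" else []
    verdict = "credential-phish" if "bank-lookalike-domain" in final_tags else "inconclusive"
    return {"chain": tagged, "status": status, "verdict": verdict}


if __name__ == "__main__":
    result = triage_chain(next(iter(SAMPLE_HOPS)), SAMPLE_HOPS)
    for url, tags in result["chain"]:
        print(f"{url}  ->  {tags or ['-']}")
    print("status:", result["status"], "| verdict:", result["verdict"])
```

Note the geofencing caveat from the section above: a hop table captured from a non-German vantage point will end on the decoy tourist page rather than the bank look-alike, and this triage will correctly report "inconclusive" in that case. The `loop` and `max-hops` outcomes exist because redirector abuse often produces cycles or very long chains, and an analyst tool must not hang on them.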
Proofpoint does not attribute this activity to a known threat actor. However, registrant information tied to several domains seen in this activity has been linked to over 800 fraudulent websites, most of which impersonate banks or financial institutions. Domain registration data also suggests the same actor may have targeted customers of Spanish banks earlier this year.
Today's threats target people rather than infrastructure, which is why cybersecurity must be approached from a human perspective: user-level visibility into vulnerability, attacks, and privilege, combined with tailored controls that account for each user's individual risk.