In the last several weeks, a new phishing campaign targeting German e-banking customers has been active, employing QR codes in the credential-stealing process. The actors use several techniques to get past security measures and to persuade their targets to read the messages and follow the instructions. The findings come from Cofense researchers, who sampled many of these messages and documented the perpetrators’ techniques in detail.
The phishing emails are meticulously designed, with bank logos, well-structured text, and a consistent style. Their subjects range from asking the user to approve changes to the bank’s data policy to asking them to review new security measures. This approach reflects careful planning: the actors avoid the usual exaggerated claims of account compromise and do not try to alarm the customer with a threatening scenario.
If the embedded button is clicked, the victim is routed through Google’s feed proxy service ‘FeedBurner’ and lands on the phishing site. Furthermore, the actors register custom domains for both the redirections and the phishing sites. This extra step is intended to keep email and web security systems from raising any red flags during the phishing process. The domains are freshly registered through the Russian registrar REG.RU, and they follow a uniform URL structure based on the targeted bank.
In more recent phishing attempts, the threat actors have replaced the buttons with QR codes to direct victims to the phishing sites. These emails contain no clear-text URLs; the QR codes obscure them, making the links hard for security tools to identify. Because QR codes target mobile users, who are less likely to be protected by internet security technologies, they are more effective.
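One way to triage inbound mail for the two patterns described above (links that leave the bank’s own domain, and bank-themed messages that carry an embedded image but no clear-text link at all) is a small stdlib-only rule. This is an added example, not code from the Cofense report; the bank domain, lure keywords and sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed allow-list of the bank's legitimate domains (hypothetical value).
BANK_DOMAINS = {"examplebank.de"}
# Subject phrases matching the lures described in the report (assumed wording).
LURE_WORDS = ("data policy", "datenschutz", "security measures", "sicherheitsverfahren")
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def build_sample(subject: str, html: str, with_qr: bool) -> bytes:
    """Construct a sample message for testing (not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = "service@examplebank.de"
    msg["To"] = "customer@example.net"
    msg["Subject"] = subject
    msg.set_content(html, subtype="html")
    if with_qr:
        # Constructed placeholder bytes standing in for an inline QR-code PNG.
        msg.add_related(b"\x89PNG\r\n\x1a\nFAKE", maintype="image",
                        subtype="png", cid="<qr>")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return the indicators a mail filter would want for the QR-phish pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    hosts, images = set(), 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            hosts.update(h.lower() for h in URL_RE.findall(part.get_content()))
    # Any host outside the bank's domains (a redirector, a look-alike) is foreign.
    foreign = {h for h in hosts
               if not any(h == d or h.endswith("." + d) for d in BANK_DOMAINS)}
    lure = any(w in subject for w in LURE_WORDS)
    # QR-style lure: bank-themed subject plus an embedded image and no link text.
    qr_style = lure and images > 0 and not hosts
    return {"hosts": sorted(hosts), "foreign_hosts": sorted(foreign),
            "images": images, "lure_subject": lure,
            "suspicious": qr_style or bool(foreign)}
```

The rule does not decode the QR image itself; pairing it with a QR decoder that feeds the decoded URL back through the same host check closes that gap.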
Once on the phishing site, the victim is asked to enter their bank location, code, username, and PIN. If the user submits this data on the phishing page, it is validated, and the user is then told the credentials were wrong and asked to re-enter them. This repetition is a common quality-control tactic in phishing campaigns, used to weed out typos from the credentials users enter on the first attempt.
You should avoid clicking on links or URLs, or scanning QR codes, that lead to an external site, no matter how authentic an email appears to be. Whenever you are asked to enter your account credentials, always check the domain you are on before you start typing.