
A phishing campaign targets clients of German banks using QR codes


Cofense researchers discovered a new phishing campaign that has used QR codes to target German e-banking users in recent weeks.

Threat actors continue to use multiple techniques to avoid detection and trick recipients into opening phishing messages, including the use of QR codes.

The messages used in a campaign recently discovered by cybersecurity firm Cofense use QR codes to deceive users of two German financial institutions, Sparkasse and Volksbanken Raiffeisenbanken, and steal digital banking information.


The phishing messages are carefully crafted: the content is well-structured and features bank logos. Threat actors used different social engineering tricks to deceive the recipients, such as asking them to consent to data policy changes implemented by the bank or requesting them to review new security procedures.

Upon clicking on the button included in the message, the recipient is redirected to the phishing landing page, passing through Google’s feed proxy service ‘FeedBurner.’ Threat actors behind this campaign have been registering their own custom domains, both for redirection and as the final phishing sites.

Many new domains have been registered with the Russian registrar REG.RU. In order to avoid raising suspicion, the domain names follow a standard URL structure depending on the targeted financial organization.

hxxps://{spk/vr}-{random German word(s)}.com/{10 alphanumeric characters} where (“spk” for Sparkasse or “vr” for Volksbanken Raiffeisenbanken)
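A defender can turn the URL structure above into a filter for links extracted from mail bodies or decoded from QR images. The following is an added example, not code from Cofense or from this article; the sample URLs are constructed, and the assumption that the "German word(s)" are lowercase letters optionally joined by hyphens is mine.

```python
import re
from urllib.parse import urlsplit

# Host: "spk-" or "vr-" prefix, one or more words, ".com".
# Assumption: words are ASCII letters, optionally hyphen-separated.
HOST_RE = re.compile(r"(spk|vr)-[a-z]+(?:-[a-z]+)*\.com")
# Path: exactly 10 alphanumeric characters, as in the published structure.
PATH_RE = re.compile(r"/[A-Za-z0-9]{10}")

BRANDS = {"spk": "Sparkasse", "vr": "Volksbanken Raiffeisenbanken"}


def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    url = url.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def classify(url):
    """Return the impersonated bank if the URL fits the pattern, else None."""
    try:
        parts = urlsplit(refang(url))
    except ValueError:
        return None  # unparseable input is not a match
    if parts.scheme != "https":
        return None
    host = HOST_RE.fullmatch(parts.hostname or "")
    if host is None or PATH_RE.fullmatch(parts.path) is None:
        return None
    return BRANDS[host.group(1)]


def scan(urls):
    """Return (url, brand) pairs for every URL that fits the pattern."""
    return [(u, b) for u in urls if (b := classify(u)) is not None]


# Constructed sample input, not real indicators from the campaign.
SAMPLES = [
    "hxxps://spk-beispielwort[.]com/a1B2c3D4e5",
    "hxxps://vr-sicher-konto[.]com/0123456789",
    "https://www.sparkasse.de/",
    "hxxps://spk-beispielwort[.]com/short",
    "https://vr-beispiel.net/a1B2c3D4e5",
]

if __name__ == "__main__":
    for url, brand in scan(SAMPLES):
        print(f"{brand}: {url}")
```

A match on structure alone is a triage signal, not a verdict; confirm hits against the IoCs Cofense published.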

However, in recent attacks, crooks used QR codes instead of the buttons, asking the recipients to scan them. The use of QR codes makes it hard for email filters to flag the messages as malicious.


“The phish sites are fairly similar. Users are first asked for either the location of their bank or its BLZ bank code, and then for the corresponding user name and PIN. Once this information is provided, a loading page will ask the user to wait for validation before displaying the log in page once more, this time warning that the credentials are incorrect, a common phishing tactic.” reads the analysis published by Cofense.

When the recipient enters the requested information on the phishing page, they wait for validation and are then prompted to enter their credentials once more because the page claims they are incorrect. This is a common trick in phishing attacks to guard against victims making typos when entering their credentials the first time.

Cofense published indicators of compromise (IoCs) for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, QR codes)
