FortiGuard Labs stumbled upon a phishing campaign that has been using multiple QR codes to target Chinese language users, in an attempt to pilfer their credentials.

Diving into details

The phishing email spoofs the Chinese Ministry of Finance and carries a Microsoft Word document as an attachment.
  • Opening the attachment presents some text and a large QR code in the center. The code leads to a URL, which, in turn, leads to a website controlled by the attacker.
  • This website spoofs an instance of DingTalk, an enterprise communication platform. It prompts the victim to enter their credentials, which the attacker then steals.

Why this matters

Threat actors and criminals value credentials because they provide direct access to a victim's applications or environment. These credentials may be used directly by the attacker or sold to another group for their operations. This particular phishing campaign highlights the fact that attackers are making a significant effort to make their landing pages appear realistic and to convince victims to lower their defenses.

Chinese users targeted previously

Earlier this month, the Chinese RedZei scammers were targeting Chinese international students in the U.K.
  • Also known as RedThief, the gang conducted a visa scam, tricking the students into paying huge amounts of money to avoid being deported.
  • The campaign involved calling the targets once or twice a month using a unique U.K. phone number. There was also a provision for automated voicemail in case the calls went unanswered.

The bottom line

Regardless of the attacker's intentions, it is clear that these types of attacks will continue to be widespread, warned FortiGuard Labs. QR code phishing attacks can be difficult to detect and can have serious consequences for individuals and organizations. It's important for users to be aware of the potential risks of QR codes and to take precautions when scanning codes from unknown sources.
Cyware Publisher