Quishing Campaign Targets Chinese Citizens via Fake Official Documents


Individuals in China have been targeted by a QR code-based phishing (quishing) campaign which uses QR codes in fake official documents to deceive victims, according to new research by Cyble Research and Intelligence Labs (CRIL).

As part of the campaign, Microsoft Word files masquerade as official documents from the Chinese Ministry of Human Resources and Social Security. CRIL security researchers believe the files are distributed via spam email attachments.

The document used in this campaign presents itself as a notice for applying for labor subsidies, claiming to offer subsidies above 1000 yuan ($138) for registered bank cards. It directs users to use their mobile phones to scan a QR code for authentication and to receive the subsidy.

Financial Information Theft

When the user scans the QR code in the Word document, they are directed to a URL with the subdomain “tiozl[.]cn”, which has been generated using a Domain Generation Algorithm (DGA). This URL hosts a phishing site that impersonates the Ministry of Human Resources and Social Security. 

The landing page entices users by displaying a dialogue box that offers a labor subsidy.

When the user proceeds to claim the subsidy, they are redirected to another page that prompts them to enter personal information, including their name and national ID. 

Cyble researchers have assessed that the goal of this quishing campaign is to collect financial information, including credit card details and passwords, in order to conduct unauthorized transactions.

The IP address hosting the domain is associated with five additional domains, suggesting they are all linked to the same phishing campaign.

QR Code Phishing on the Rise

Cyble noted that QR code phishing has significantly increased over the past few years.

For instance, the threat intelligence firm cited the Hoxhunt Challenge, which revealed a 22% increase in QR code phishing during the latter part of 2023. 

According to Cyble, there are several reasons explaining this trend, including:

  • The recent widespread adoption of QR codes, especially since the COVID-19 pandemic
  • The integration of QR code scanners into smartphones
  • The rise of mobile payment systems
  • The opaque nature of QR codes, which, unlike traditional hyperlinks, do not reveal to the user the destination URL they redirect to

QR Code Phishing Mitigation Recommendations

Cyble provided a list of recommendations to mitigate the QR code phishing threat. These include:

  • Only scan QR codes from trusted sources. Avoid scanning codes from unsolicited emails, messages, or documents, especially those claiming to offer financial incentives or urgent actions
  • After scanning a QR code, check the URL carefully before proceeding. Look for signs of legitimacy, such as official domains and secure connections (https://)
  • Install reputable antivirus and anti-phishing software on your devices. These tools can help detect and block malicious websites and downloads
  • Use two-factor authentication (2FA) for your online accounts whenever possible
  • Keep your operating systems, browsers, and applications up to date with the latest security patches. This helps protect against known vulnerabilities
  • Use QR code scanner apps that include security features, such as checking the URL against a database of known malicious sites before opening it
  • Review your bank and credit card statements regularly for unauthorized transactions. Report any suspicious activity to your bank immediately
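
The URL checks recommended above (official domain, https://, lookup against known malicious sites) can be expressed as a gate applied to the string decoded from a QR code before it is opened. This is an added example, not code from Cyble or from this article; the allowlist entry mohrss.gov.cn, the treatment of tiozl.cn as a blocklisted parent domain, and all function names are assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

# Illustrative policy data. tiozl.cn is the domain named in the article;
# the allowlist entry is an assumed official domain, not taken from the report.
BLOCKED_PARENTS = {"tiozl.cn"}
TRUSTED_PARENTS = {"mohrss.gov.cn"}


def refang(text):
    """Undo common defanging so report indicators can be compared."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def under(host, parents):
    """True if host equals a parent or is a subdomain of it (label-aligned)."""
    return any(host == p or host.endswith("." + p) for p in parents)


def vet_qr_url(payload):
    """Return (verdict, reasons) for a URL decoded from a QR code."""
    reasons = []
    try:
        parts = urlsplit(refang(payload.strip()))
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "block", ["unparseable URL"]
    if parts.scheme != "https":
        reasons.append("not https")
    if not host:
        return "block", reasons + ["no hostname"]
    if parts.username or parts.password:
        reasons.append("userinfo in URL")  # text before '@' is not the host
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal host")
    except ValueError:
        pass  # a DNS name, which is what an official site would use
    if under(host, BLOCKED_PARENTS):
        return "block", reasons + ["on blocklist"]
    if not under(host, TRUSTED_PARENTS):
        reasons.append("host not on allowlist")
    return ("warn", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    # Constructed sample payloads; the subdomain label is made up.
    for url in ("https://abcd1234.tiozl[.]cn/claim", "https://www.mohrss.gov.cn/"):
        print(url, vet_qr_url(url))
```

The suffix match is aligned on label boundaries, so a lookalike such as mohrss.gov.cn.example.com is not treated as the official domain, and a DGA-style subdomain is caught by its blocklisted parent rather than by an exact-match list.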
