QR Code Phishing Campaign Targets Chinese Citizens Using Fake Official Documents
- Chinese citizens are targeted with QR code phishing campaigns via Microsoft Word documents.
- Cybercriminals mimic official documents to steal sensitive data like personal and financial information.
- The code redirects users to randomly generated malicious websites where they are asked to input their details.
A recent phishing campaign targeted Chinese citizens by embedding QR codes in false official documents impersonating the Ministry of Human Resources and Social Security of China, a Cyble report says. The threat actors invoke identity verification and authentication processes to obtain users’ bank card details and passwords.
This campaign distributes Microsoft Word documents containing QR codes as spam email attachments. The files, which are well-crafted and look authentic, pose as official notices offering labor subsidies of over 1,000 RMB. If people who open the attachment take the bait, they give away their sensitive information to hackers.
The QR code leads to a phishing site where the potential victim is asked to enter their name and national ID as part of the fake application process. Once the information is submitted, a second page designed to steal detailed bank card information like card number, phone number, and balance invokes identity verification and application processing.
To add a sense of legitimacy, the phishing site asks the user to wait for the submitted information to be “verified” and then asks for the user’s bank card password, which gives the actor access to the victim’s money.
The cybercriminals use a Domain Generation Algorithm (DGA) to create a series of seemingly random new domain names for the phishing URLs, which sidesteps malware-detection solutions that block specific domain names and static IP addresses.
The QR code directs to the link “hxxp://wj[.]zhvsp[.]com,” which redirects to a DGA-created subdomain, “tiozl[.]cn,” which is hosted on an IP address associated with multiple other domains – “2wxlrl.tiozl[.]cn,” “op18bw[.]tiozl.cn,” “gzha31.tiozl[.]cn,” “i5xydb[.]tiozl.cn,” and “hzrz7c.zcyyl[.]com.”
Security researchers discovered the SHA-256 fingerprint of an SSH server host key associated with the IP address is linked to 18 other IPs hosting URLs with similar patterns. All these IPs are within the same AS8075 Autonomous System Number (ASN) and are located in Hong Kong.