Cofense Email Security

German Users Targeted in Digital Bank-Heist Phishing Campaigns

Phish Found in Environments Protected by SEGs: Microsoft EOP, FireEye, Proofpoint

By Elmer Hernandez, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) has recently encountered persistent efforts by threat actors against German banking users. Our analysts have been tracking these campaigns over the last couple of weeks and have seen everything from FeedBurner abuse to QR codes used to deceive users and steal online banking credentials. Two financial institutions have been targeted in particular: Sparkasse and Volksbanken Raiffeisenbanken.

The pretexts used in the emails vary, from a supposed message waiting in the user's electronic mailbox (Figure 1), to a request for consent to changes implemented by the bank, to an instruction to familiarize themselves with new security procedures (Figure 2). The end goal is the same in every case: lure users to a fake banking login page and have them hand their credentials to the attackers.

Figure 1 – Sparkasse email 1

Figure 2 – Sparkasse email 2

Delivery tactics were just as varied. Most commonly, compromised domains served both as redirectors and as the phishing sites themselves. Attackers were also observed abusing Google's feed proxy service FeedBurner as a redirector, as seen in Figures 3 and 4. More recently, however, attackers have been registering their own custom domains, used both for redirection and as the final landing sites. If the visitor does not appear to be located in Germany, the site redirects to a different page (Figure 5), a geofencing step that also keeps automated scanners and analysts outside the target region from reaching the phishing content.

Figure 3 – Volksbanken Raiffeisenbanken email with FeedBurner redirect

Figure 4 – FeedBurner redirect to Malicious Site

Figure 5 – Webpage displayed to non-targeted users

These newer phishing sites share a URL structure that depends on the targeted institution ("spk" for Sparkasse or "vr" for Volksbanken Raiffeisenbanken):

hxxps://{spk/vr}-{random German word(s)}.com/{10 alphanumeric characters}

The PDC has seen several examples of these newly registered domains. Notably, most share the same Russian registrar, REG.RU.
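A small URL classifier built on the structure above, written for this write-up as an added example rather than code from the original post or from Cofense. It refangs defanged indicators (hxxp, [.]), tests the hostname against the {spk|vr}-{word(s)}.com shape and the path against the 10-character token, and scans a message body for matching links. Reading "random German word(s)" as lowercase ASCII words joined by hyphens is my assumption; the sample email body is constructed, while the test URLs are the IoCs listed at the end of the post.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Domain shape described in the post: {spk|vr}-{German word(s)}.com with an
# optional path of 10 alphanumeric characters. Treating the words as ASCII
# letters joined by hyphens is my reading of "random German word(s)"; an
# umlaut word would show up in DNS as punycode (xn--...) and not match.
_HOST_RE = re.compile(r"^(?P<brand>spk|vr)-(?P<words>[a-z]+(?:-[a-z]+)*)\.com$")
_PATH_RE = re.compile(r"^/(?P<token>[A-Za-z0-9]{10})$")
# Anything that looks like a live or defanged (hxxp) URL in a message body.
_URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+")

BRANDS = {"spk": "Sparkasse", "vr": "Volksbanken Raiffeisenbanken"}


def refang(indicator: str) -> str:
    """Turn a defanged IoC (hxxps://a[.]b) back into a parseable URL."""
    return indicator.strip().replace("hxxp", "http").replace("[.]", ".")


def classify(url: str) -> Optional[dict]:
    """Return brand, host, words and path token if `url` has the campaign
    shape, else None. Accepts live or defanged URLs."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    m = _HOST_RE.match(host)
    if not m:
        return None
    p = _PATH_RE.match(parsed.path)
    return {
        "brand": BRANDS[m.group("brand")],
        "host": host,
        "words": m.group("words"),
        # None when the path is absent or not exactly 10 alphanumerics
        "token": p.group("token") if p else None,
    }


def scan_text(text: str) -> list:
    """Extract every URL from a message body and keep the ones matching
    the campaign shape. Order follows first appearance in the text."""
    hits = []
    for raw in _URL_RE.findall(text):
        info = classify(raw)
        if info is not None:
            hits.append(info)
    return hits


# Constructed sample lure (not a real email from the campaign): one lookalike
# URL plus the bank's legitimate site as a control.
SAMPLE_BODY = """Sehr geehrte Kundin, sehr geehrter Kunde,
bitte bestaetigen Sie die Umstellung unter https://spk-kundenumstellung.com/5RFANYAORO
Weitere Informationen: https://www.sparkasse.de/service.html
"""

if __name__ == "__main__":
    for url in (
        "hxxps://spk-kundenumstellung[.]com/5RFANYAORO",  # IoC from the post
        "hxxp://vr-neuerungszenter[.]com",                 # IoC, no path
        "hxxps://djbetosom[.]designja[.]com[.]br/wp-admin/volksbanken/vr.de",  # compromised site, different shape
        "https://www.sparkasse.de/",                       # legitimate
    ):
        print(f"{url:70} -> {classify(url)}")
    print(scan_text(SAMPLE_BODY))
```

The compromised-domain IoC deliberately falls through: it carries the brand in the path, not the hostname, so a hostname-shape rule is only half of the picture and a path keyword check (or the published IoC list) is still needed for that delivery variant.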

In some of the latest emails, attackers are including QR codes that, when scanned, take the user to one of these new malicious domains (Figures 6 and 7). This targets mobile banking users and also moves the click onto a personal phone, where corporate URL filtering and link rewriting may not apply.

Figure 6 – QR code for Volksbanken Raiffeisenbanken

Figure 7 – QR code for Sparkasse

The phishing sites are fairly similar. Users are first asked for either the location of their bank or its BLZ bank code (Figures 8 and 9), and then for the corresponding username and PIN (Figures 10 and 11). Once this information is provided, a loading page asks the user to wait for validation (Figures 12 and 13) before the login page is displayed once more, this time warning that the credentials are incorrect. This is a common phishing tactic: it makes the failure look like a typo rather than a theft, and any second attempt gives the attacker a confirmed or corrected set of credentials.

Figure 8 – Bank Location or BLZ

Figure 9 – Bank location or BLZ

Figure 10 – Login Page

Figure 11 – Login Page

Figure 12 – Loading Page

Figure 13 – Loading Page

No matter the methods employed by threat actors, Cofense can help you build your managed phishing defense and response platform. We can help you neutralize phishing threats and ensure your organization is protected. With the aid of well-conditioned users and Cofense Reporter, we can boost protection against your business becoming a victim. Contact us today to get started.

IoCs

Network IoC                                                             IP Address
hxxps://spk-kundenumstellung[.]com/5RFANYAORO                           8.209.79.68
hxxps://spk-sicherungssysteme[.]com/AK8SI4TVYD
hxxps://spk-angleichung[.]com/7D2ZJAT8MK
hxxp://vr-neuerungszenter[.]com
hxxps://djbetosom[.]designja[.]com[.]br/wp-admin/volksbanken/vr.de     162.241.203.81

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.