Cofense Logo - Email Security Solutions

German Users Targeted in Digital Bank-Heist Phishing Campaigns

Share Now


“Phish Found in Environments Protected by SEGs” Microsoft EOP, FireEye, Proofpoint

By Elmer Hernandez, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) has recently encountered persistent efforts from threat actors against German banking users. Our analysts have been tracking these campaigns over the last couple of weeks and encountered everything from FeedBurner abuse to the use of QR codes to deceive users and steal digital banking information. Two main financial institutions have been particularly targeted: Sparkasse and Volksbanken Raiffeisenbanken.

The pretences used in the emails vary. From supposed messages waiting in a user’s electronic mailbox (Figure 1), to asking for consent to changes implemented by the bank or requesting that users familiarize themselves with new security procedures (Figure 2). The end goal in any case is the same: Lure users to log into the banking website and provide their credentials to attackers.

Graphical user interface, application Description automatically generated

Figure 1 – Sparkasse email 1

Graphical user interface, application Description automatically generated

Figure 2 – Sparkasse email 2

Delivery tactics were just as varied. Most common was the use of compromised domains as redirection URLs and phishing sites. Attackers were also observed abusing Google’s feed proxy service FeedBurner for redirection as seen in Figures 3 and 4. More recently, however, attackers have been registering their own custom domains for both redirection and as final landing sites. If the user location is not in Germany, they will be redirected to a different page (Figure 5).

Graphical user interface, text, email Description automatically generated

Figure 3 – Volksbanken Raiffeisenbanken email with FeedBurner redirect

Graphical user interface, text, application, chat or text message Description automatically generated

Figure 4 – FeedBurner redirect to Malicious Site