In the evolving landscape of cyber threats, a new vector has emerged, exploiting the ubiquitous QR codes to lure unsuspecting users into phishing traps. Recently, there has been a significant uptick in malicious documents embedded with QR codes, which, when scanned, redirect users to fraudulent websites designed to steal personal information.
In 2024, QR code phishing attacks have increased, highlighting a growing trend among cybercriminals to exploit this seemingly benign technology to direct users to malicious websites or initiate malware downloads. Notably, the Hoxhunt Challenge revealed a 22% increase in QR code phishing during the latter part of 2023, and research by Abnormal Security shows that 89.3% of such attacks are aimed at stealing credentials.
The increase in QR code phishing can be attributed to several factors. First, the widespread adoption of QR codes, especially during the COVID-19 pandemic, has made them a convenient target. QR codes became popular for contactless transactions, menus, and information sharing, making users more accustomed to scanning them without hesitation. This familiarity creates a false sense of security, making it easier for cybercriminals to exploit.
Second, QR codes can easily mask the destination URL, making it difficult for users to verify the legitimacy of the site they are being redirected to. Unlike traditional hyperlinks that display the URL, QR codes provide no immediate indication of their destination, increasing the likelihood of successful phishing attempts.
Furthermore, the integration of QR code scanners into smartphones and the rise of mobile payment systems have expanded the attack surface. Threat actors can embed malicious QR codes in physical locations, emails, or online documents, broadening their reach and making it harder to track and mitigate these attacks.
Recently, Cyble Research and Intelligence Labs (CRIL) encountered a campaign using Microsoft Word documents for QR code-based phishing attacks targeting individuals in China. These files, which are suspected to be distributed via spam email attachments, masquerade as official documents from the Ministry of Human Resources and Social Security of China.
Figure 1 – MS Word file containing QR code
The document presents itself as a notice for applying for labor subsidies, claiming to offer subsidies above 1000 RMB for registered bank cards. It directs users to use their mobile phones to scan a QR code for authentication and to receive the subsidy.
We identified several additional Word files linked to QR code phishing attacks impersonating a Chinese government agency, with most of these files having zero detection rates. The goal of these QR code phishing attacks is to collect financial information, including credit card details and passwords.
Figure 2 – Similar MS Word file with zero detection
A Fortinet researcher documented a similar campaign in January 2023. In this campaign, QR code phishing attacks impersonated a different Chinese government agency to target users. This campaign has resurfaced, once again targeting users in China to collect financial information.
When the user scans the QR code in the Word document, they are directed to the link “hxxp://wj[.]zhvsp[.]com”. Upon visiting this link, they are redirected to a URL with the subdomain “tiozl[.]cn”, which has been generated using a Domain Generation Algorithm (DGA). This URL hosts a phishing site that impersonates the Ministry of Human Resources and Social Security of the People’s Republic of China.
Figure 3 – QR code displays phishing link upon scanning
Figure 4 – Landing page of phishing site
The domain “tiozl[.]cn” is hosted on IP address “20.2.161[.]134”, which is also associated with five additional domains. Among these, four are subdomains of “tiozl[.]cn” and one is a subdomain of “zcyyl[.]com”. All these domains are linked to the same campaign, hosting similar phishing sites, suggesting a massive distribution effort. The domains are listed below:
Upon further investigation of phishing sites, we observed that the SHA-256 fingerprint of an SSH server host key (bc5d98c0bfaaf36f9a264feefa572e97607eadff6ab70251ddaf59df486d7787) associated with the IP address “20.2.161[.]134” has been utilized by 18 other IPs. These IPs share the same ASN, AS8075, and are located in Hong Kong. Below is a list of IPs hosting URLs with a similar pattern linked to this phishing campaign.
The landing page entices the user by displaying a dialogue box on a phishing website, offering a labor subsidy. When the user proceeds to claim the subsidy, they are redirected to another page that prompts them to enter personal information, including their name and national ID, as shown in the figure below.
Figure 5 – Phishing site prompting for name and national ID
After the user provides their name in Chinese and their national ID, the website presents a page with information about card binding, which is required for further payment processing following a successful application.
Figure 6 – Card binding page on phishing site
As the next step, the user is prompted to enter their card details, including the bank card number, phone number, and bank card balance. This information is requested under the guise of identity verification, but the threat actor will collect it to perform unauthorized transactions.
Figure 7 – Requesting for card information
After collecting the entered card details, the phishing site displays a dialogue box indicating that the information is being verified and requests the user to wait for 2-3 minutes before proceeding to the next step.
Figure 8 – Information verification page
The phishing site presents a dialogue box with instructions that, as part of the verification process, the user will need to provide their bank card password for authentication. It then loads a phishing page prompting the user to enter their withdrawal password, as shown in Figure 9 and Figure 10.
Figure 9 – Phishing page displaying dialogue box with tips
Figure 10 – Phishing page asking for withdrawal password
We suspect this withdrawal password is the same as the payment password used by banking users for domestic credit card transactions. By using the harvested bank card details along with the collected withdrawal password, the threat actor can conduct unauthorized transactions, leading to financial loss for the user.
The rise in QR code phishing attacks highlights cybercriminals’ growing sophistication and adaptability. By exploiting the widespread use of QR codes, especially post-pandemic, these attacks effectively lure users into divulging sensitive financial information. The recent campaign targeting Chinese citizens underscores the threat’s severity, as malicious actors use seemingly official documents to gather card details and passwords, leading to significant financial losses. This trend underscores the importance of heightened vigilance and robust security measures to protect against such evolving threats.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Indicators | Indicator Type | Description |
8462bae8b5ac446fefab66d036696d4c29648052c35edb1ba7057e39808803fa 71f4eaebbd9cccaa2a9ca2575dbf12a420482394 c31837a9c1ed6a540782f63d4f196b11 | SHA256 SHA1 MD5 | MS word file |
hxxp://wj[.]zhvsp[.]com hxxp://ks.ozzlds[.com hxxp://rc[.]nggznm.cn hxxp://ry[.]ngghznm.cn hxxp://web[.]ioomk-1.sbs | URL | URL after scanning QR codes |
2wxlrl.tiozl[.]cn op18bw[.]tiozl.cn gzha31.tiozl[.]cn i5xydb[.]tiozl.cn hzrz7c.zcyyl[.]com web.innki-1[.]sbs web[.]oiiunm-4.sbs web.liooik-2[.]sbs web[.]jneuz-4.sbs web[.]yoopk-4.sbs web[.]ioomil-4.cfd web.miiokn-4[.]sbs wweb[.]muuikj-6.sbs web.ikubzn9-1[.]sbs inb[.]yhuiz-5.sbs admin.yhuiz-4[.]sbs web[.]otuz1-2.sbs fmqe9s[.]ikknzjd.cn wqegi8.skqkkdm[.]cn nhfvhi.skqkkdm[.]cn k7pnec.skqkkdm[.]cn qerxjj[.]uehsht.cn vjym48.uehsht[.]cn y1hc3j.rygwnr[.]cn ofwdfq[.]qttsgzhcn.cn g97hwf[.]okdmzjcm.cn thrrai.okdmzjcm[.]cn f8lhst[.]okdmzjcm.cn xzlky6.uhhsjzn[.]cn rcgali.uhhsjzn[.]cn azure.5atrade[.]cf ahgfus[.]pixqd.cn sfdncx.lppdzna[.]cn cjpb1j[.]lppdzna.cn cqy8ek.poozpd[.]cn fyo63q[.]wiiaks.cn l9qxrr.wiiaks[.]cn yzfpmj[.]wiiaks.cn zcqgtm[.]wiiaks.cn inwp8n.ekksjcm[.]cn xicfpx[.]ekksjcm.cn | Domain | Redirected Phishing domain |
8462bae8b5ac446fefab66d036696d4c29648052c35edb1ba7057e39808803fa 0dd2010270a61fd09b185e8116857d0ff36ce1a22f25d6cb1f0ddb09fa375511 e6f3c3b292e0b28e607131195edbaa00235dd555b4e5d1d7ca44e0d5975c111e b2cb6383ee2e192f3d6adfdab367d876506aa736556dcda5d46257a2801e508c 8551dfdc9dc899815155403d05664eea34e7e4edc950292ee5e7a4edc0a277e9 47ffcfaf7126e90c7abbae83f7e572607df79477a24103ef8ec7aea75f52cb25 6b7bb24281f720c16f626103f019882ca6144a2dc87f83df605861bc59ee6b14 d0a216f854b6849189b66efe7248a27d4ad5a8ae89a838d873392db42964b595 | SHA256 | MS Word file |