QR Code Phishing Attacks Escalate: Sophisticated Campaign Targets Chinese Citizens

A new wave of cybercrime is sweeping across China, exploiting the convenience and widespread use of QR codes. A report by Cyble Research and Intelligence Labs (CRIL) describes a phishing campaign that targets citizens with fraudulent documents disguised as official notices from the Ministry of Human Resources and Social Security. The campaign illustrates how cybercriminals are turning QR codes, long treated as a harmless convenience, into a delivery mechanism for phishing links: a QR code is a URL the victim never sees in text form, so the usual habit of hovering over or reading a link before clicking it does not apply.

The Scam Unveiled

MS Word file containing QR code | Image: CRIL

The scam begins with a seemingly innocuous email containing a Word document that appears to be an official notice for applying for labor subsidies. The document instructs recipients to scan an embedded QR code to claim their subsidy, a routine step in today's digital age. This is where the trap is sprung. The QR code does not lead to a government website but to a carefully crafted phishing site designed to mimic one. Because the document carries only text and an image, with no macro, exploit, or clickable link, there is little for a mail filter or antivirus engine to flag, which is consistent with the lack of detections CRIL observed.

Once on the fake website, victims are led through a series of steps that require them to enter personal information, including their full name, national ID, bank card details, and even their bank card password. The criminals harvest this data to carry out unauthorized transactions, leaving victims exposed to financial loss.

A Growing Threat

Similar MS Word file with zero detection | Image: CRIL

CRIL's investigation unearthed a web of interconnected phishing sites and malicious files, all linked to this campaign. The scale of the operation, and the fact that many of the files went undetected by antivirus engines, point to a well-organized and widespread threat. The finding illustrates how cybercriminals keep adapting their delivery methods to whatever channel security tooling is least prepared to inspect.

The landing page entices the user by displaying a dialogue box on a phishing website, offering a labor subsidy. When the user proceeds to claim the subsidy, they are redirected to another page that prompts them to enter personal information, including their name and national ID.

After the user provides their name in Chinese and their national ID, the website presents a page with information about card binding, which is required for further payment processing following a successful application. As the next step, the user is prompted to enter their card details, including the bank card number, phone number, and bank card balance. This information is requested under the guise of identity verification, but the threat actor will collect it to perform unauthorized transactions.

After collecting the entered card details, the phishing site displays a dialogue box indicating that the information is being verified and requests the user to wait for 2-3 minutes before proceeding to the next step. The phishing site then presents a dialogue box with instructions that, as part of the verification process, the user will need to provide their bank card password for authentication. It then loads a phishing page prompting the user to enter their withdrawal password.

CRIL suspects this withdrawal password is the same as the payment password used by banking users for domestic credit card transactions. By using the harvested bank card details along with the collected withdrawal password, the threat actor can conduct unauthorized transactions, leading to financial loss for the user.

Staying Safe in a QR Code World

As QR code phishing attacks continue to evolve, individuals and organizations must remain vigilant. Cybersecurity awareness is key, and users should be educated about the risks associated with QR codes. Some essential tips for staying safe include:

  • Exercise caution when scanning QR codes, especially those received through unsolicited emails, messages, or attached documents; a notice that offers money but provides no typed link to the official site is a warning sign in itself.
  • Use a QR code scanner that displays the destination URL before opening it, and read the full hostname rather than the page's appearance: a look-alike site is built to look official, the address bar is what gives it away.
  • Be wary of requests for personal information reached through a QR code. No legitimate subsidy process requires a bank card password or a card balance for "identity verification".
  • Keep your devices and software updated, including antivirus and anti-malware programs. Bear in mind that a QR code is simply a URL encoded as an image, so antivirus will not recognise a malicious code on its own; checking the destination is the defence that actually applies.
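The two security-relevant points above, that the lure is a Word document whose only "link" is an embedded picture, and that the real check is on the URL the QR code decodes to rather than on the image, can be turned into a small triage step. The following is an added example, not code from CRIL or from the original article. It unpacks a .docx to list the embedded pictures that could carry a QR code, then vets a decoded URL against a hypothetical allow-list of official domains (here just `gov.cn`, which is an assumption for the demo). Actual QR decoding needs an image decoder such as zbar, so the decoded strings are supplied as constructed sample input; the demo document, its placeholder image bytes, and all domain names are constructed for the example.

```python
import io
import zipfile
from urllib.parse import urlsplit

# Image types Word stores under word/media/ (a .docx is an ordinary zip archive).
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emf", ".wmf")

# Hypothetical allow-list for this demo: official domains a labour-subsidy
# notice could legitimately point to. Adjust to the organisations you trust.
ALLOWED_SUFFIXES = ("gov.cn",)


def embedded_images(docx_bytes: bytes) -> list[str]:
    """List the pictures embedded in a .docx; each one is a QR-code candidate.

    A document whose only 'link' is an image is exactly the shape that mail
    filters wave through, so the images are what a triage step should pull out.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        return sorted(
            name for name in archive.namelist()
            if name.startswith("word/media/") and name.lower().endswith(IMAGE_SUFFIXES)
        )


def vet_url(url: str) -> tuple[bool, str]:
    """Decide whether a URL decoded from a QR code may be visited.

    Returns (allowed, reason). Conservative by design: anything that is not a
    plain web URL whose host sits under an allow-listed domain is refused.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, f"non-web scheme {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        # 'https://portal.example.gov.cn@attacker.example.net/' puts the real host last.
        return False, "credentials embedded before the host"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host"
    if host.replace(".", "").isdigit():
        return False, "bare IP address"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode host (possible look-alike characters)"
    for suffix in ALLOWED_SUFFIXES:
        # Suffix match on a label boundary: 'gov.cn.attacker.example.net' does not pass.
        if host == suffix or host.endswith("." + suffix):
            return True, f"host under {suffix}"
    return False, "host not on the allow-list"


def triage(docx_bytes: bytes, decoded_urls: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Join the two steps: for each embedded image, report the verdict on the
    URL a QR decoder read out of it. Decoding needs an image library (e.g. zbar),
    so decoded strings are passed in here rather than computed."""
    verdicts = {}
    for image in embedded_images(docx_bytes):
        url = decoded_urls.get(image)
        verdicts[image] = vet_url(url) if url else (False, "no QR payload decoded")
    return verdicts


def build_demo_docx() -> bytes:
    """Constructed stand-in for the subsidy-notice .docx with one embedded picture.
    The image bytes are a PNG header plus padding, not a real QR code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    demo = build_demo_docx()
    # Constructed payload a QR decoder might return; every host is a placeholder.
    samples = {
        "word/media/image1.png": "https://subsidy.example.gov.cn.attacker.example.net/claim",
    }
    for image, (ok, why) in triage(demo, samples).items():
        print(f"{image}: {'ALLOW' if ok else 'BLOCK'} ({why})")
    for url in ("https://portal.example.gov.cn/apply",
                "https://portal.example.gov.cn@attacker.example.net/",
                "http://203.0.113.5/subsidy"):
        print(url, "->", vet_url(url))
```

The allow-list check deliberately matches on a label boundary, so a host such as `subsidy.example.gov.cn.attacker.example.net`, which a victim glancing at the start of the address would take for an official site, is refused. The userinfo and punycode checks cover the two other common ways a phishing URL is made to read like the real one.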