Proofpoint researchers identified an increase in credential phishing campaigns attempting to steal German banking credentials. Since the end of August 2021, Proofpoint researchers observed multiple high-volume campaigns leveraging customized, actor-owned landing pages spoofing major German banks, notably Volksbank and Sparkasse. The activity is ongoing and continues to impact hundreds of organizations.
The campaigns targeted multiple industries, specifically German companies and employees of foreign entities located in Germany. Each campaign included tens of thousands of messages impacting hundreds of organizations. The phishing emails purport to be account administration information and contain links or QR codes that direct the victim to a geo-fenced credential harvesting page. Targeted information includes banking branch data, login identification, and PIN.
Figure 1: Email samples containing QR code (left) and link to spoofed website (right).
The threat actor has used multiple URL redirection techniques to deliver the malicious links. In several observed campaigns, the threat actor leveraged compromised Wordpress websites to redirect users to the phishing landing pages. Abusing Wordpress plugins and websites running Wordpress software is a common technique used by threat actors to distribute malicious links for phishing and malware attacks. Additionally, researchers observed both Feedproxy URLs and QR codes used to redirect to the phishing pages.
The threat actor leverages geo-fencing techniques to ensure only users in Germany are redirected to the phishing page. Proofpoint assesses with high confidence the threat actors are conducting IP geolocation checks to identify a target’s location. If they are not in Germany, the user is directed to a clone of a website purporting to be tourist information for the Rhine Tower in Dusseldorf, Germany. If a user is in Germany, they will be directed to a webpage masquerading as a legitimate banking website.
Figure 2: Actor hosted pages spoofing legitimate banking websites.
The user is encouraged to choose their Branch location and click “Login” to be directed to the credential capture page, spoofing the legitimate banking site.
Figure 3: Actor hosted banking credential capture web pages.
The actor hosts these pages on their own actor-controlled infrastructure using similar domain naming patterns. For example, the Sparkasse credential phishing URLs often start with “spk-” while Volksbank clones begin with “vr-”. The following are a sample of the domains used by this threat actor:
Typically, the actor uses the domain registrar REG.RU, with domains hosted via AliCloud (Germany) GmbH. The first domains associated with this activity appeared in late August 2021. The actor/s is/are consistently registering new domains in the identified URL structure and the campaigns are ongoing.
Proofpoint is not able to attribute this campaign to a known threat group. However, registrant information associated with multiple domains observed in some this activity is linked to over 800 fraudulent websites, most of which spoof banks or financial services. Domain registration indicates this actor may have been focused on targeting users of Spanish banks earlier this year.
Cybercriminal threat actors associated with banking credential theft and fraudulent financial activity tend to be opportunistic and target large numbers of victims. This is typically referred to as “spray and pray” activity, sending mass email campaigns in the hopes some of the targeted individuals fall for their scams.
Subscribe to the Proofpoint Blog