A new phishing email, purported to be from Microsoft and containing a QR code rather than the traditional phishing links, has been successfully delivered to mailboxes recently.
Recipients were encouraged to “authenticate themselves” within 2 days by scanning the code on a smartphone.
Cyber security specialists have analysed the QR code and the domain linked by the code and have discovered that a hugely sophisticated credential harvesting process commences when scanned.
Having utilised a desktop-based QR code reader, the cyber specialists were able to investigate where the code would direct a user. The user is taken to a version of a login page of Microsoft's forward-facing web pages.
The actors replicated images and even the correct IT service desk phone numbers around the login pane. The only tell-tale sign that the page could be malicious is the URL pane at the top of the page.
Upon entering a password, the user is redirected through various webpages that are almost like-for-like renders of those on genuine Microsoft domains, even allowing the user to click on information and see genuine rendered Microsoft adverts.
Selecting the “Forgot my password” option also takes users to a convincing password reset page, complete with a Captcha section.
The level of detail and sophistication in relation to the rendering of images from an organisation and the mimicking of Microsoft pages is high, and the use of a QR code, coupled with these tactics, increases the chances that a campaign will succeed.
Remediation & Mitigation
After analysing the number of these emails, organisations are advised to block traffic to and from the domain china-goldlink[.]com and to spread awareness of QR codes as an attack vector to all personnel.
At the time of writing, the webpages appear to have been taken offline. However, they are expected to be rotated as per phishing tactics.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to email@example.com. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).