Abnormal discovered and blocked nearly 200 emails received by its clients between September 15, 2021, and October 13, 2021, all of which were part of a phishing campaign aiming to harvest Microsoft credentials. That in itself was not unusual, as Microsoft 365 login details are among the most sought-after sets of credentials.
What makes these messages distinct is that they contained QR codes that supposedly provided access to a missed voicemail, thereby evading the URL-scanning function for email attachments found in secure email gateways and native security safeguards. Because all of the QR code images were generated on the same day they were delivered, it is unlikely that they had been previously reported and would be recognized by a security blocklist. Six distinct sender identities were used to deliver messages for the campaign, most of them tailored to appear related to the target's industry.
The attackers used compromised email accounts to carry out their plan, relying on the target organization's genuine Outlook infrastructure to distribute the QR codes themselves. The phishing websites reached at the end of the QR code scans were hosted on a corporate survey service and resolved to IP addresses belonging to Google or Amazon.
Between September 15 and October 13, Abnormal reported blocking over 200 emails sent as part of a phishing campaign.
- Attackers attempted to lure unwary users by sending messages containing QR codes that supposedly provided access to a missed voicemail.
- When victims attempt to play the voice message, they are led to a bogus Microsoft landing page that prompts them to enter their credentials.
An earlier version of this message, sent in September, contained a URL link hidden behind an image of what appeared to be an audio file. While this commonplace method was used fairly creatively, it was eventually spotted and classified as a threat by another security service, which was a setback for the criminal actors.
The criminals used compromised Outlook accounts to lend credibility to the phishing emails, allowing them to pass email security checks. To host the phishing sites, they used corporate survey services resolving to Amazon and Google IP addresses. The QR code images were reportedly created on the same day the emails were sent, most likely to prevent prompt reporting and blocking by security systems.
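The evasion described above works because the link exists only as pixels inside an image, so a URL scanner never sees it. A defender-side triage rule can still catch the combination of traits the report describes: a voicemail lure, an image attachment, and no scannable URL in the body. The following is an added example, not code from Abnormal's report or the article; the sample message, its addresses and the attached PNG bytes are constructed placeholders (the PNG is not a real QR image), and a real pipeline would hand quarantined images to a QR decoder, which is not included here.

```python
"""Triage heuristic for QR-code ("quishing") voicemail lures in email.

Added example (not Abnormal's code). Assumes the campaign traits described
in the report: a voicemail lure, an image attachment carrying the QR code,
and no scannable URL in the message body. Everything below is constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Lure language seen in voicemail-themed phishing subjects and bodies.
LURE_PATTERNS = re.compile(r"\b(voice ?mail|voice message|missed call)\b", re.I)
# Anything a conventional URL scanner would already pick up.
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.I)
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}


def triage(raw: bytes) -> dict:
    """Return the indicators that fired and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_parts, image_attachments = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text_parts.append(part.get_content())
        elif ctype in IMAGE_TYPES:
            image_attachments.append(part.get_filename() or "<inline>")
    body = "\n".join(text_parts)
    subject = msg.get("Subject", "")
    indicators = {
        "voicemail_lure": bool(LURE_PATTERNS.search(subject + "\n" + body)),
        "image_attachment": bool(image_attachments),
        # A lure that offers a link but shows no URL means the link is in the image.
        "no_visible_url": URL_PATTERN.search(body) is None,
    }
    score = sum(indicators.values())
    return {
        "indicators": indicators,
        "images": image_attachments,
        "score": score,
        # All three together is this campaign's pattern: hold the message and
        # decode the image so the embedded URL can be scanned like any other.
        "verdict": "quarantine_for_qr_decode" if score == 3 else "pass",
    }


def build_sample(with_url: bool = False) -> bytes:
    """Constructed voicemail-lure message; with_url=True adds a visible link."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"  # constructed placeholder sender
    msg["To"] = "user@example.invalid"        # constructed placeholder recipient
    msg["Subject"] = "You have a new voicemail (0:42)"
    body = "Scan the code below to listen to your missed voicemail."
    if with_url:
        body += "\nhttps://example.invalid/play"
    msg.set_content(body)
    # PNG signature plus filler: a placeholder attachment, not a real QR image.
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    msg.add_attachment(fake_png, maintype="image", subtype="png",
                       filename="voicemail.png")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(with_url=True)))
```

The rule deliberately scores rather than blocks on a single trait: a voicemail notification with a visible link is ordinary mail that existing URL scanning already covers, so only the full combination routes the message to image decoding and a blocklist lookup of the recovered URL.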
A substantial number of people conduct crypto transactions using QR codes linked to their crypto accounts. Here are some methods that criminals have used in the past to steal bitcoin from victims.
In August, scammers were found extorting money from consumers by directing them to a Bitcoin ATM at a petrol station loaded with a rogue QR code. The Better Business Bureau was alerted to a number of similar incidents, involving utility services and job offers, among others.