Watch out for this email: it’s the new QR code phishing campaign


Cybersecurity experts have spotted a phishing campaign incorporating a QR code. French companies are targeted.

A QR code phishing campaign was discovered and reported to numerous companies by cybersecurity companies Sekoia and Vade. Sekoia notably published a report in October for potential targets. In it, the company details the modus operandi of the cybercriminals.

The three QR code phishing campaigns target professional email accounts linked to the Microsoft Office 365 suite and are believed to still be ongoing.

The criminals rely on a well-known phishing kit platform called “Dadsec”. It allows you to create a fake site – in this case a copy of Microsoft 365 – with the associated QR code. The logo of the targeted company can be added to make the email look more legitimate. The subject of the messages may be a purported financial transaction or an accounting report. The fraudulent site will usually be in English, as the hackers haven’t bothered to translate it.

An example of a QR code sent by cybercriminals.  // Source: Sekoia

Two-factor authentication bypassed by hackers

“The main advantage of a QR code is that it allows you to bypass multi-factor authentication,” Sekoia analysts indicate. Concretely, the malicious site comes between the user and the Microsoft service. When the user tries to sign in to view the document, Microsoft sends an authentication request, materialized by a connection token.

The fraudulent platform acts as a relay between the target and Microsoft, and allows the cybercriminal to recover this token, which is then used to connect to the target’s account. The credentials are stolen without the victim’s knowledge.

For Sekoia analysts, the campaign primarily targets companies in the financial sector. The objective would be fraud, the sale of credentials or documents, or scams for financial gain.

“Companies are increasingly equipped to block ordinary phishing. Cybercriminals are now using new methods to bypass multi-factor authentication methods. We come across very popular phishing kit platforms today which hand cybercriminals all the traps ready-made,” the cyber experts explain to Numerama.

The recommendations remain the same: check the URL of the site you are visiting, do not click if in doubt and take the time to contact your colleague if their message is out of the ordinary.
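The URL check recommended above can also be automated on a mail gateway or a QR-scanning helper. The following is an added example, not code from Sekoia, Vade or the article; the allowlist of sign-in hosts and the function name are assumptions to adapt to your own tenant, and all test URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: sign-in hosts this organisation accepts (adapt to your tenant).
TRUSTED_SIGNIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

def check_signin_url(url):
    """Return (ok, reason) for a URL decoded from a QR code or an e-mail link."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    # "https://trusted-name@other-host/" displays the trusted name first,
    # but the browser connects to the host after the "@".
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before host"
    host = host.rstrip(".")  # a trailing dot is the same DNS name
    # Homoglyph hosts appear either as raw Unicode or as punycode labels.
    if not host.isascii():
        return False, "non-ASCII host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label"
    if host in TRUSTED_SIGNIN_HOSTS:
        return True, "trusted sign-in host"
    # Exact match only: a trusted name used as a prefix or subdomain of
    # another domain is the classic relay-page lookalike.
    if any(trusted in host for trusted in TRUSTED_SIGNIN_HOSTS):
        return False, "trusted name embedded in other domain"
    return False, "host not on allowlist"
```

Because a relay page shows a faithful copy of the real sign-in form, the host name is the one element the fake site cannot reproduce, which is why the check compares it exactly instead of looking at page content.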

