Credential phishing attempts seeking to obtain German banking credentials have increased, according to Proofpoint experts.
Since the end of August 2021, Proofpoint analysts have observed many high-volume campaigns spoofing major German institutions, including Volksbank and Sparkasse, using bespoke, actor-owned landing sites. The activity is ongoing and affects hundreds of organisations.
The campaigns targeted a variety of industries, with a focus on German businesses and foreign nationals working in Germany.
Each campaign comprised tens of thousands of messages and impacted hundreds of organisations.
The phishing emails ostensibly contain account administrative information, but they actually contain links or QR codes that lead to a geo-fenced credential harvesting page. The targeted information includes banking branch data, login ID, and PIN.
Using identical domain naming conventions, the actor hosts these pages on their own actor-controlled infrastructure. Sparkasse credential phishing URLs, for example, frequently begin with “spk-,” whereas Volksbank clones begin with “vr-.” The domains used by this threat actor include the following:
The actor typically registers domains through the registrar REG.RU, with AliCloud (Germany) GmbH hosting them. The first domains related to this activity appeared in late August 2021. The actor(s) continue to register new domains following the described naming structure on a regular basis, and the campaigns are ongoing.
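The "spk-"/"vr-" hostname convention described above can be turned into a simple mail-filter heuristic. The following is an added example, not code from Proofpoint or from the report; the sample messages are constructed, and the allowlist of legitimate bank hostnames is an assumption to be replaced with an organisation's own verified list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message bodies (not taken from the report). Two of them
# use lookalike hostnames in the "spk-"/"vr-" style described for the actor's
# landing sites; the ".example" TLD marks them as fabricated.
SAMPLE_MESSAGES = [
    "Ihr Konto wurde aktualisiert: https://www.sparkasse.de/login",
    "Bitte bestaetigen Sie Ihre Daten: http://spk-kundenservice.example/auth",
    "Neues TAN-Verfahren: https://vr-sicherheit.example/login",
    "Newsletter: https://news.example.org/vr-bank-artikel",
]

# Hostname prefixes the report associates with the lookalike domains.
LOOKALIKE_PREFIXES = ("spk-", "vr-")
# Assumed allowlist of legitimate hostnames; replace with a verified list.
ALLOWED_HOSTS = {"www.sparkasse.de", "www.volksbank.de"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return all http(s) URLs found in a message body."""
    return URL_RE.findall(text)


def is_lookalike_host(host):
    """True if the leading hostname label mimics the actor's naming scheme.

    Only the first DNS label is checked (e.g. spk-xxx.tld), so a path
    segment such as /vr-bank-artikel on an unrelated host is not flagged.
    """
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return False
    first_label = host.split(".")[0]
    return first_label.startswith(LOOKALIKE_PREFIXES)


def flag_messages(messages):
    """Return (message, url) pairs whose link host matches the heuristic."""
    hits = []
    for msg in messages:
        for url in extract_urls(msg):
            host = urlsplit(url).hostname or ""
            if is_lookalike_host(host):
                hits.append((msg, url))
    return hits
```

A match is a triage signal for analyst review, not proof of phishing on its own; legitimate subdomains that happen to start with these prefixes belong on the allowlist.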
Proofpoint does not attribute this operation to a known threat group. However, registrant information linked to several domains found in this activity has been connected to over 800 fake websites, the majority of which imitate banks or financial institutions. Domain registration data suggests the same perpetrator may have targeted users of Spanish banks earlier this year.
Cybercriminal threat actors engaged in banking credential theft and financial fraud are opportunistic and target large numbers of victims. Sending large email campaigns in the hope that some of the targeted persons fall for the scheme is sometimes referred to as “spray and pray” behaviour.