Distribution of Qshing Emails Disguised as Payslips

by Prapattimynk, Friday, 2 February 2024 (3 weeks ago)
Distribution of Qshing Emails Disguised as Payslips


AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of Qshing emails impersonating the Ministry of Finance of the People’s Republic of China. Qshing is a compound noun from the words “QR code” and “Phishing” that leads to a malicious app being installed or directs users to a phishing site when a QR code is scanned.

The email being distributed is shown in Figure 1 and is disguised as a paycheck receipt confirmation for the first quarter of 2024. The content includes a message that prompts the user to scan the QR code using a mobile phone to receive the wage subsidy.

Figure 1. The original version of the distributed email (left) and the translated version (right)

The threat actor disguised the sender email address with “ahnlab.com”, but the actual sender email address can be seen in the email header. Yet as users do not usually check the email header, it is difficult for them to realize that the sender email address has been forged.

Figure 2. The actual sender email address

When users scan the QR code in the email body, they are sent to the following link and ultimately redirected to a phishing site.

  • URL linked to the QR code: 2024127[.]ltd
  • Redirected URL: hxxps://km.pvncs157[.]sbs/ or hxxp://dfxa.hwkltou.yoanka1r[.]sbs/

The redirected page checks the horizontal width of the browser. If this value is larger than 996 pixels, the page determines that the access is coming from a PC environment then prompts users to visit the page via mobile devices.

 

Figure 3. Checking the horizontal width of the browser
Figure 4. Message prompting users to visit the mobile page

When the condition for the browser width is met, the page deems that the users have visited the page with mobile devices and directs them to the phishing website. A notification pop-up with a message related to receiving a subsidy is displayed on the website as shown in Figure 5.

Figure 5. Notification window prompting users to click the button

Upon clicking the button on the notification window, users are directed to a page that prompts them to enter their personal information. The page in question prompts to enter the user name and ID number to sign up for the subsidy. When users actually enter their personal information, it then asks for additional information such as credit card numbers, phone numbers, and passwords. The input user information is sent to the following URL.

  • hxxp://dfxa.hwkltou.yoanka1r[.]sbs/home/index/xyk.html
Figure 6. Page prompting users to enter their information

As shown in the details covered above, the threat actor attempts attacks using various techniques such as Qshing and email spoofing. The exfiltrated information can lead to secondary damage such as financial losses, so users must be particularly cautious when opening emails.

[IOC Information]
2024127[.]ltd
hxxps://km.pvncs157[.]sbs/
hxxp://dfxa.hwkltou.yoanka1r[.]sbs/
hxxp://dfxa.hwkltou.yoanka1r[.]sbs/home/index/xyk.html

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.