Phishing with QR codes

Don’t Scan or be Scammed

By Maharlito Aquino, Kervin Alintanahin and Dexter To

In 1994, a type of matrix barcode known as the Quick Response code, now widely known as the QR code, was invented by Masahiro Hara of the Japanese company Denso Wave. The original purpose of the barcode was to keep track of automotive parts manufactured by Denso Wave. Nowadays, QR codes are applied in a much broader context and are commonly used to display text to mobile phone users, to connect to a wireless network, to open a webpage on a mobile device, and more.

Back in 2021, we reported the resurgence of phishing attacks leveraging QR codes to deliver phishing URLs to customers of a German bank.

Today, we see a new phishing campaign targeting Chinese customers of a mobile payment service. The phishing emails masquerade as notifications of wage subsidies from the Ministry of Finance of the People’s Republic of China, urging recipients to apply immediately.

Figure 1. Phishing email containing a DOCX attachment (translated)

The email contains a DOCX attachment in the OpenXML document format; the attachment provides instructions on how to claim employment subsidies via a mobile payment service that is widely used in Southeast Asia. To ensure everyone’s safety, we have redacted parts of the QR code image in the screenshot below.
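As an added illustration (not part of the original report), the Python triage routine below treats the DOCX attachment as what it is, an OpenXML zip package: it lists the raster images embedded under word/media/, pulls the visible text out of word/document.xml, and flags short, image-bearing documents that use lure wording like the translated body shown later. The in-memory document fixture and the lure-term list are constructed assumptions; a real QR decoder is still needed to recover the URL encoded in the image.

```python
import io
import re
import zipfile

# Lure phrases taken from the translated lure text; extend per campaign (assumed list).
LURE_TERMS = ("scan", "qr code", "subsidy", "wechat")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def build_docx(body_text, with_image):
    """Construct a minimal OpenXML package in memory (test fixture, not the real sample)."""
    doc_xml = ('<?xml version="1.0"?>'
               '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
               '<w:body><w:p><w:r><w:t>' + body_text + '</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc_xml)
        if with_image:
            # Stand-in for the QR code image; only the PNG header matters here.
            z.writestr("word/media/image1.png", PNG_MAGIC + b"\x00" * 32)
    return buf.getvalue()


def triage_docx(data, max_words=200):
    """Flag a DOCX that is short on text, carries an embedded raster image and uses lure wording."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        images = []
        for name in z.namelist():
            if name.startswith("word/media/"):
                head = z.read(name)[:8]
                kind = ("png" if head.startswith(PNG_MAGIC)
                        else "jpeg" if head.startswith(JPEG_MAGIC) else "other")
                images.append((name, kind))
        xml = z.read("word/document.xml").decode("utf-8", "replace")
    # Pull visible text out of <w:t> runs; good enough for triage, not a full OpenXML parser.
    text = " ".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))
    words = len(text.split())
    hits = [t for t in LURE_TERMS if t in text.lower()]
    suspicious = bool(images) and words < max_words and bool(hits)
    return {"images": images, "word_count": words, "lure_terms": hits, "suspicious": suspicious}
```

Run `triage_docx()` over real attachments at the mail gateway and route hits with `suspicious == True` to a QR decoder and URL reputation check.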

Figure 2. Contents of document containing a malicious QR code

Forward: Notice on the Ministry of Finance’s 2022 Personal Labor Subsidy Application Notice

Statement on the 2022 Fiscal Personal Labor Subsidy

  1. According to the joint issue of the Ministry of Finance, the State Administration of Taxation, the State Administration for Market Regulation, and the Administration for Industry and Commerce the “2022 Fiscal Labor Subsidy” is now underway.
  2. Wage subsidy, epidemic subsidy, social security subsidy, medical insurance subsidy, graduate subsidy, living subsidy for intermediate and senior technicians, seniority subsidy, transportation subsidy, medical insurance, unemployment insurance, maternity insurance, etc.
  3. There will be an additional subsidy in the bank account. After receiving the notification, please use your mobile phone to scan the following QR code for verification and collection.

The notice has been delivered to all units last week. If you have not completed the registration, please register as soon as possible. If it is not completed this week, it will be regarded as a waiver of the application!

Scan WeChat and follow the prompts to receive

[QR CODE]

Sponsor: General Office of the State Council Operation and maintenance unit: China Government Network Operation Center

Table 1. Translated body of the document

Once a recipient scans the QR code on a mobile device, their mobile browser opens a link with a .cn domain and is immediately redirected to a .click domain.

Figure 3. Landing page of the malicious QR code

2022 Subsidy Statement

  1. According to the joint issue issued by the Ministry of Finance, the State Administration of Taxation, the State Administration for Market Regulation, and the Administration for Industry and Commerce, the 2022 Subsidy is now available. Wage subsidies, epidemic subsidies, social security subsidies, medical insurance subsidies, graduate subsidies, living subsidies for middle and senior skilled workers, seniority subsidies, transportation subsidies, medical insurance, unemployment insurance, maternity insurance, etc.
  2. There will be an extra subsidy in the bank account. After receiving the notice, you must register to receive it within the same day. Overdue as a waiver
  3. Subsidy owners who have received the notification email, please follow the prompts to bind personal information for authentication and collection

Table 2. Translation of the landing page prompt

Clicking on the prompt loads the following phishing page.

Figure 4. Phishing page targeting China UnionPay QuickPass Users

Entering an invalid bank card number will result in a prompt that translates to “The bank card number you entered is incorrect!”

Figure 5. Error Prompt When Entering an Invalid Bank Card Number

When a valid bank card number is entered, the user is redirected to another page that requests additional information, the kind of details normally collected when updating banking information through customer support.

Figure 6. The Phishing Page Gathering User Account Info

This phishing site includes a lot of data validation, especially for the most important data, the bank card number.

It is also worth noting that when the link from the QR code is accessed from a desktop browser, the user is prompted to use a mobile phone to access the link, as shown below.

Figure 7. Error prompt when the QR code link is opened in a desktop browser

Indicators of compromise

SHA256 or URL | Description | Cyren Detection
4b77112e58e805c6d231a10d6f2a2c16f860457f296c8518f727e3423e88792f | Phishing email | DOCX/QRPhish.A.gen!Camelot
4a99caed3ed7f7223c93807a34feb2626ed2939e0324a0213cddb373edfc7fa3 | Phishing document | DOCX/QRPhish.A.gen!Camelot
w[.]oszojpl[.]cn | URL from QR code | URL Category – Phishing & Fraud
http[:]//91267669bfa7bc1a6fb463df29ba4885[.]yubhn[.]click/ | Phishing landing URL | URL Category – Phishing & Fraud
e1a8412d691f4329e384d6310b74e113069ff73325f91fc0c8f1a093683db81c | Phishing landing page | HTML/QRPhish.A