Threat actors have been crafting QR-code-based phishing attacks targeting a US energy company since May 2023.
In a widespread phishing campaign that was recorded, it was discovered that these attackers have been targeting numerous organizational sectors, with the US energy sector taking the biggest hit. The primary aim of the attack is to harvest the Microsoft account credentials of employees at the targeted organizations.
TTP (Tactics, Techniques & Procedures) used to carry out the attack:
The attack is carried out by the threat actor sending a malicious QR code embedded in a .png image or a PDF document. The phishing link is hidden inside the QR code in these files, and delivering that link is the attacker's primary aim.
In an article written by Nathaniel Raymond, a researcher at Cofense, it was found that the main target, the US energy company, saw over 29% of a total of 1,000 emails containing the malicious QR code.
The other top industries targeted, and the percentage of the emails each saw, were the following:
- Manufacturing sector (saw over 15% of the emails).
- Insurance sector (saw over 9% of the emails).
- Technology (saw over 7% of the emails).
- Financial services (saw over 6% of the emails).
In a snippet of the information disclosed by Cofense, it was said that:
“Most phishing links were comprised of Bing redirects URLs, but notable domains include krxd[.]com (associated with salesforce application), cf-ipfs[.]com (Cloudflare Web3 services).”
Measured month over month, the campaign has grown at an average rate of 270% or more, and it was noticed that it has increased by 2,400% since May 2023.
The US energy company QR campaign and how it was carried out:
Employees of the US energy company, the hardest-hit target of the attack, received phishing emails containing .png image attachments capable of delivering Microsoft credential-phishing links, or redirects to them, via embedded QR codes.
It was noted that the majority of the phishing links were Bing URL redirects. The threat actors used urgent-sounding lures such as requests to update email account security, including 2FA, MFA, and general account security settings.
It was found that the company saw over 29% of the emails, and that over 81% of the emails used Bing redirect URLs.
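The following is an added example, not code from Cofense or from this post, showing how a mail-security team could triage a message against the traits described above: a QR code carried in a .png or PDF attachment, an urgent account-security lure, a Bing redirect hiding the real destination, and a final domain on a watchlist built from the write-up (krxd[.]com, cf-ipfs[.]com). It assumes the QR codes have already been decoded into strings by an upstream tool (for example a zbar-based decoder), and it assumes that Bing's click-redirect links carry the destination base64-encoded in a `u` parameter prefixed with `a1`; the sample messages and URLs are constructed for the example.

```python
import base64
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Domains named in the Cofense write-up (de-fanged there as krxd[.]com etc.).
# A real deployment would pull these from a maintained intel feed instead.
WATCHLIST_DOMAINS = {"krxd.com", "cf-ipfs.com"}

# Lure wording the campaign relied on: urgent MFA / account-security prompts.
URGENCY_TERMS = ("2fa", "mfa", "account security", "security update", "urgent")

# Attachment types the campaign used to carry the QR code.
QR_CARRIER_EXTENSIONS = (".png", ".pdf")


def unwrap_bing_redirect(url: str) -> Optional[str]:
    """Return the destination hidden inside a Bing click redirect, or None.

    Assumption of this example: Bing /ck/a click links carry the target URL
    base64-encoded (URL-safe alphabet) in the `u` parameter, prefixed "a1".
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("bing.com", "www.bing.com"):
        return None
    if not parsed.path.startswith("/ck/"):
        return None
    u = parse_qs(parsed.query).get("u", [None])[0]
    if not u or not u.startswith("a1"):
        return None
    payload = u[2:]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    try:
        return base64.urlsafe_b64decode(payload).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, without any port."""
    return urlparse(url).netloc.lower().split(":")[0]


def on_watchlist(host: str) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST_DOMAINS)


def triage_email(subject: str, attachments: List[str], qr_payloads: List[str]) -> Dict:
    """Score one message. qr_payloads are the strings an upstream QR decoder
    (assumed, e.g. zbar) extracted from the attachments."""
    findings = []
    carries_qr = any(n.lower().endswith(QR_CARRIER_EXTENSIONS) for n in attachments)
    if carries_qr and qr_payloads:
        findings.append("qr_code_in_image_or_pdf_attachment")
    if any(term in subject.lower() for term in URGENCY_TERMS):
        findings.append("urgent_account_security_lure")
    final_urls = []
    for payload in qr_payloads:
        if not payload.lower().startswith(("http://", "https://")):
            continue
        dest = unwrap_bing_redirect(payload)
        if dest:
            findings.append("bing_redirect")
            payload = dest  # judge the real destination, not the redirector
        final_urls.append(payload)
        if on_watchlist(host_of(payload)):
            findings.append("watchlisted_domain:" + host_of(payload))
    if len(findings) >= 2 or any(f.startswith("watchlisted_domain") for f in findings):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "final_urls": final_urls}


def build_bing_redirect(dest: str) -> str:
    """Constructed-sample helper only: wrap dest the way (by assumption) Bing
    click links do, so the example round-trips offline."""
    enc = base64.urlsafe_b64encode(dest.encode()).decode().rstrip("=")
    return "https://www.bing.com/ck/a?!&&p=deadbeef&u=a1" + enc + "&ntb=1"


# Constructed sample messages (not real campaign data).
SAMPLE_MESSAGES = [
    {"subject": "Action required: update your MFA and account security",
     "attachments": ["secure-access.png"],
     "qr_payloads": [build_bing_redirect("https://placeholder.krxd.com/auth")]},
    {"subject": "Q3 site photos",
     "attachments": ["turbine.png"],
     "qr_payloads": []},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage_email(**msg))
```

The redirect is unwrapped before the domain check because the Bing hostname itself is benign and would never match a watchlist; the campaign's use of Bing redirects is exactly what makes judging the final destination, rather than the QR payload as decoded, necessary.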
To read more about the campaign and its discovery, visit Cofense.
FixitgearwareSecurity advises all users, whether working for an organization or in the private sector, to be conscious of how they open emails and file attachments. While no one is unhackable, it is vital to be security-minded and cautious even when viewing emails from trusted allies or business partners, as their email accounts might have been compromised and be in use by these threat actors.
Put your thoughts on this in the comment section below.