Don’t Scan or be Scammed
By Maharlito Aquino, Kervin Alintanahin and Dexter To
In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the barcode was to keep track of automotive parts manufactured by Denso Wave. Nowadays, QR codes are applied to a much broader context and are a commonly used to display text to mobile phone users, to connect to a wireless network, open a webpage on a mobile device, and more.
Back in 2021, we reported the resurgence of phishing attacks leveraging QR codes to deliver phishing URLs to customers of a German bank.
Today, we see a new phishing campaign targeting Chinese customers of a mobile payment service. The phishing emails masquerade as notifications of wage subsidies from the Ministry of Finance of the People’s Republic of China, urging recipients to apply immediately.
Figure 1. Phishing email containing a DOCX attachment (translated)
The email contains a DOCX attachment in the OpenXML document format; the attachment provides instructions on how to claim employment subsidies via a mobile payment service that is widely used in Southeast Asia. To ensure everyone’s safety, we have redacted parts of the QR code image in the screenshot below.
Figure 2. Contents of document containing a malicious QR code
Forward: Notice on the Ministry of Finance’s 2022 Personal Labor Subsidy Application Notice
Statement on the 2022 Fiscal Personal Labor Subsidy
- According to the joint issue of the Ministry of Finance, the State Administration of Taxation, the State Administration for Market Regulation, and the Administration for Industry and Commerce the “2022 Fiscal Labor Subsidy” is now underway.
- Wage subsidy, epidemic subsidy, social security subsidy, medical insurance subsidy, graduate subsidy, living subsidy for intermediate and senior technicians, seniority subsidy, transportation subsidy, medical insurance, unemployment insurance, maternity insurance, etc.
- There will be an additional subsidy in the bank account. After receiving the notification, please use your mobile phone to scan the following QR code for verification and collection.
The notice has been delivered to all units last week. If you have not completed the registration, please register as soon as possible. If it is not completed this week, it will be regarded as a waiver of the application!
Scan WeChat and follow the prompts to receive
[QR CODE]
Sponsor: General Office of the State Council Operation and maintenance unit: China Government Network Operation Center
Table 1. Translated body of the document
Once a recipient scans the QR code on a mobile device, their mobile browser opens a link with a .cn domain and is immediately redirected to a .click domain.
Figure 3. Landing page of the malicious QR code
2022 Subsidy Statement
- According to the joint issue issued by the Ministry of Finance, the State Administration of Taxation, the State Administration for Market Regulation, and the Administration for Industry and Commerce, the 2022 Subsidy is now available. Wage subsidies, epidemic subsidies, social security subsidies, medical insurance subsidies, graduate subsidies, living subsidies for middle and senior skilled workers, seniority subsidies, transportation subsidies, medical insurance, unemployment insurance, maternity insurance, etc.
- There will be an extra subsidy in the bank account. After receiving the notice, you must register to receive it within the same day. Overdue as a waiver
- Subsidy owners who have received the notification email, please follow the prompts to bind personal information for authentication and collection
Table 2. Translation of the landing page prompt
Clicking on the prompt loads the following phishing page.
Figure 4. Phishing page targeting China UnionPay QuickPass Users
Entering an invalid bank card number will result in a prompt that translates to “The bank card number you entered is incorrect!”
Figure 5. Error Prompt When Entering an Invalid Bank Card Number
When a valid bank card number is entered, the user is redirected to another page that requires additional information, which is commonly used to update banking information through customer support.
Figure 6. The Phishing Page Gathering User Account Info
This phishing site includes a lot of data validation, especially for the most important data, the bank card number.
It is also worth noting that when the link from the QR code is accessed from a desktop browser, the user is prompted to use a mobile phone to access the link, as shown below.
Figure 7. Error prompt clicking the QR code with a desktop browser
Indicators of compromise
| SHA256 or URL | Description | Cyren Detection |
| 4b77112e58e805c6d231a10d6f2a2c16f860457f296c8518f727e3423e88792f | Phishing email | DOCX/QRPhish.A.gen!Camelot |
| 4a99caed3ed7f7223c93807a34feb2626ed2939e0324a0213cddb373edfc7fa3 | Phishing document | DOCX/QRPhish.A.gen!Camelot |
| w[.]oszojpl[.]cn | URL from QR code | URL Category – Phishing & Fraud |
| http[:]//91267669bfa7bc1a6fb463df29ba4885[.]yubhn[.]click/ | Phishing Landing URL | URL Category – Phishing & Fraud |
| e1a8412d691f4329e384d6310b74e113069ff73325f91fc0c8f1a093683db81c | Phishing Landing page | HTML/QRPhish.A |