A phishing campaign in China targeting individuals with fake official documents from the Ministry of Human Resources and Social Security has been uncovered by Cyble Research and Intelligence Labs (CRIL).


The campaign distributes malicious Microsoft Word files via spam email attachments [1], prompting victims to scan a QR code that leads to a phishing site hosted on the subdomain “tiozl[. [1]]cn”. This phishing site requests personal information [2], credit card details [1], and passwords for unauthorized transactions [1]. The use of QR codes in phishing attacks has increased significantly, with the Hoxhunt Challenge reporting a 22% rise in such attacks [1], primarily aimed at stealing credentials [2]. To protect against QR code phishing [1], users are advised to only scan QR codes from trusted sources [1], check URLs carefully before proceeding [1], install antivirus and anti-phishing software [1], use two-factor authentication [1], keep software up to date with security patches [1], and review bank and credit card statements for unauthorized transactions [1]. The phishing campaign involves the distribution of Microsoft Word documents with embedded QR codes, masquerading as official notices from the Ministry of Human Resources and Social Security [1] [2]. These documents are designed to appear authentic [2], luring victims with promises of labor subsidies [2]. The phishing site then prompts users to provide personal information, national identification [2], and detailed banking card data under the guise of subsidy application requirements [2], ultimately leading to unauthorized transactions and financial losses [2]. The use of a domain generation algorithm (DGA) in the campaign generates random domain names to evade malware detection solutions [2], indicating a persistent threat targeting Chinese citizens [2]. The phishing process involves scanning the malicious Word document’s QR code [2], redirecting users to a phishing site that mimics official government platforms to collect confidential information [2]. The site prompts users to provide personal information [1] [2], national identification [2], and detailed banking card data under the guise of subsidy application requirements [2], leading to password requests for further verification [2]. The password requested is suspected to be the same as the national credit card payment password [2], enabling threat actors to conduct unauthorized transactions [2]. The rise in QR code phishing attacks underscores cybercriminals’ sophistication in exploiting widespread QR code usage [2], emphasizing the need for enhanced security measures to combat evolving threats [2].


The phishing campaign in China highlights the importance of vigilance and caution when interacting with QR codes and email attachments. Users must remain cautious, verify the authenticity of sources, and implement robust security measures to protect against evolving cyber threats.


[1] https://www.infosecurity-magazine.com/news/quishing-chinese-citizens-qr-code/
[2] https://www.ciberseguridadlatam.com/2024/06/19/ciudadanos-chinos-blanco-de-campana-de-phishing-basada-en-codigos-qr/