Phishing attacks on savings banks and Volksbanks


Proofpoint researchers have uncovered a phishing campaign that is extremely dangerous for German customers. Since the end of August 2021, the security experts have observed several large-scale campaigns in which cyber criminals use fake websites (prepared landing pages) to imitate large German banks, in particular the Volksbanken and Sparkassen. The criminal activity is ongoing and continues to put hundreds of companies at risk.

The campaigns target various industries, especially German companies and employees of foreign organizations based in Germany. Each campaign contains tens of thousands of emails that put hundreds of businesses at risk.

The content of the phishing emails relates to account management information. The emails also contain links or QR codes that direct the potential victim to a geo-fenced website designed to intercept access data. Geo-fencing is a technique in which the malware uses the IP address of the computer to determine the country in which it is operating. In this way, the criminal hackers can define fairly precisely in which countries the malware is activated and in which it is not.

The information that the cybercriminals are after includes data on the respective branch of the bank, the user name and the PIN or password.

The attackers used various web address redirection techniques to hide the real, dangerous links. In several of the campaigns observed, the criminals used compromised WordPress pages to redirect users to the phishing landing pages. Misuse of WordPress plugins and of websites running WordPress software is a common technique that criminal hackers use to distribute dangerous links in phishing and malware attacks. In addition, the security researchers observed that both URLs created using Google’s FeedBurner web management service and QR codes were used to redirect to the phishing pages.

The cyber criminals use geo-fencing techniques to ensure that only users in Germany are redirected to the phishing site. Proofpoint assumes with a high degree of probability that the people behind the campaigns are using the IP address of the potential victim’s computer to determine the location. If the user is not in Germany, they are redirected to a clone of a website that purports to provide tourist information about the Rheinturm in Düsseldorf. If the user is in Germany, however, they are redirected to a website that simulates a legitimate bank website.

The user is asked to select the location of his bank branch and click on “Login” in order to get to the page for entering the access data for online banking, which simulates the legitimate bank website.

The cybercriminals host these sites on infrastructure that they control, using domain names that are similar to those of the impersonated websites. For example, the phishing URLs for Sparkasse access data often begin with “spk-”, while the Volksbank imitations begin with “vr-”. Below are examples of the domains used by the cyber criminals:

vr mail form[.]com / Q20EBD6QLJ

vr-conversion-system-de[.]com / FLBSEKZ9S3

spk-security-spk[.]com / P84OZ3OIS2

spk-system renewal-spk[.]com / CJ4F6UFR0T

The criminal actors typically use the domain registrar REG.RU, with the domains being hosted by AliCloud (Germany) GmbH. The first domains associated with this activity appeared at the end of August 2021. The perpetrators are constantly registering new domains in the identified URL structure and the campaigns continue.
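The naming pattern described above can be turned into a simple triage rule for URLs pulled from mail or proxy logs. The following is an added example, not Proofpoint's detection logic: the scoring weights, the allow-list of genuine domains and the assumption that landing paths are a 10-character upper-case token (as in the examples listed) are choices made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Prefixes the article reports for the impersonation domains.
BRAND_PREFIXES = ("spk-", "vr-")
# Assumption: landing paths look like the 10-character tokens listed above.
PATH_TOKEN = re.compile(r"^/[A-Z0-9]{10}/?$")
# Assumption: domains this organisation treats as genuine bank sites.
ALLOWED_DOMAINS = ("sparkasse.de", "vr.de")


def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    url = url.strip().replace("[.]", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url if "://" in url else "http://" + url


def score_url(url):
    """Return (score, reasons). The prefix alone is a weak signal (2);
    prefix plus token path matches the reported URL structure (3)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return 0, ["allow-listed"]
    score, reasons = 0, []
    prefix = next((p for p in BRAND_PREFIXES
                   if any(lbl.startswith(p) for lbl in host.split("."))), None)
    if prefix:
        score += 2
        reasons.append(f"host label starts with '{prefix}'")
        if PATH_TOKEN.match(parts.path):
            score += 1
            reasons.append("10-character token path")
    return score, reasons


def triage(urls, threshold=2):
    """Keep URLs at or above the threshold, highest score first."""
    hits = [(u, *score_url(u)) for u in urls]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


SAMPLE_URLS = [
    "hxxps://spk-security-spk[.]com/P84OZ3OIS2",  # domain and path from the article
    "vr-conversion-system-de[.]com/FLBSEKZ9S3",    # domain and path from the article
    "https://www.sparkasse.de/service.html",       # constructed: genuine site
    "https://vr-portal.example/login",             # constructed: prefix only
    "https://shop.example/AB12CD34EF",             # constructed: token only
]

if __name__ == "__main__":
    for url, score, reasons in triage(SAMPLE_URLS):
        print(score, url, "; ".join(reasons))
```

Because the attackers keep registering new domains in the same structure, a pattern rule of this kind stays useful longer than a static blocklist, but prefix-only hits need manual review.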

So far, Proofpoint has not been able to find out which hacker group is behind these campaigns. However, registration information associated with several of the domains found in these activities has been linked to more than 800 fraudulent websites, most of which impersonate banks or financial services companies. The domain registrations suggest that the perpetrators focused on users of Spanish banks earlier this year.

Cyber criminals associated with the theft of online banking credentials and fraudulent financial activity tend to be opportunistic and attack large numbers of victims at the same time. Masses of emails are sent out in the hope that some of the targeted people will fall for the scam.


Today’s threats target people, not technical infrastructure. This is why you need to take a people-centered approach to cybersecurity. This includes transparency at the user level with regard to vulnerabilities, attacks and authorizations as well as customized controls that take into account the individual user risk.

To reduce the risk of falling for this scam, Proofpoint recommends:

Train users to identify and report dangerous emails. Regular training and simulated attacks can prevent many attacks and help identify people who are particularly at risk. The best attack simulations imitate real attack techniques. Find solutions that are based on real attack trends and the latest threat intelligence.

At the same time, you should still assume that at some point the users will click on one of the dangerous e-mails or its content. Attackers will always find new ways to exploit human weaknesses.

Find a solution that detects and blocks dangerous emails targeted at employees before they reach the recipient’s inbox.

Invest in a solution that covers the full spectrum of email threats, not just threats that already contain malicious code. Some threats, such as BEC (Business Email Compromise, also known as boss scam) and other forms of email fraud, are difficult to detect with conventional security tools.

Your solution should analyze both external and internal emails, as attackers can use compromised accounts to trick users within the same company. Web isolation can be an important protection against unknown and dangerous URLs.
