[SCAM ALERT 066] – Sparkasse

SCAM ALERT (12)

With 520 companies, 16,500 branches and almost 300,000 employees, Sparkasse’s high-quality range of products and services is a key factor in its success, being one of the major savings banks in Germany.

During our PreCrime internet scout of November 22nd 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting customers of Sparkasse.

The Attack

Legitimate site :
sparkasse[.]de

Malicious domains :
sparkasse[.]k-login[.]de
k-login[.]de

sparkasse1 sparkasse3
sparkasse2 sparkasse4

This attack shows a brand impersonation attack on the German bank financial group, Sparkasse (Sparkassen-Finanzgruppe) which is a network of public banks that together form the largest financial services groups in Germany.


How does this attack work ?

  • Users may be led to the malicious website through a phishing campaign, wherein they are asked to go to the website in order to verify their identity due a system overload. The threat actors will likely attempt to convince users that this is an urgent matter, a tactic often used to make victims feel a sense of urgency and thereby more likely to comply.

  • When opening the webpage, users are asked to verify their identity due to usage restriction on the normal website as a result of system overload.

  • Users are then guided through a verification process where they are asked to first choose their affiliate bank, then enter their name and password, date of birth and phone number and finally their credit card number including the PIN code.

  • Once those steps are completed, users are informed that “Your data has been successfully received by us and the first step of the update is completed. We will now examine your data in detail and then a consultant will contact you by phone to complete the update.“

  • When clicking the final button “initiate forwarding“, users are redirected to the banks legitimate website.

How do they trick users into believing the attack is real ?

  • Brandsquatting: registered a domain name that is similar to the legitimate one, sparkasse[.]de

  • Using the same branding from Sparkasse including the same logo, colours and font.

  • The website has the same layout as the legitimate site, including links to Sparkasse’s other websites, however all links on the malicious page correspond to the following URL, sparkasse[.]k-login[.]de/#. The hashtag at the end of the URL is a fragment identifier which references a specific part of the current web page. This means that the link will not redirect the user to other websites as it should, but instead remain on the same web page, though perhaps at the top of the page.

Why is this a threat ?

If successful, this attack would provide threat actors with access to sensitive personal information about the user, including name and credit card number, allowing threat actors to take control of their bank account and steal their money. Corporations using Sparkasse would also be at risk of their internal network being compromised, if their credentials used at Sparkasse correspond to those they use for work.

Domain brand impersonation does not just lead to theft of sensitive personal information, but could also result in malware infection for both private consumers and global corporations depending on the target and end goal of the threat actor. This occurs when stolen credentials are sold on the dark web, giving other threat actors the ability to conduct further attacks against the user(s) such as ransomware attacks.

  • With 23.8 billion EUR in revenue in 2021, a cyber incident of Sparkasse could ultimately result in the loss of 95 million EUR.

  • Companies connected to Sparkasse could run the risk of a data breach which as of 2022 could result in the loss of around 4,35 million USD.

  • If individual consumers were to become a victim of this attempt to gain their personal information over the internet, they could lose between 2-3 thousand USD.

Identification and threat analysis
Technical Report

The technical report below helps emphasize the differences in terms of DNS records between the malicious domain, and the legitimate domain.

Domain

sparkasse[.]k-login[.]de

sparkasse[.]de

Name Servers

N/A

ns1.s-fg-net.de

ns2.s-fg-net.dom

ns3.s-fg-net.eu

ns4.s-fg-net.de

MX record

N/A

mx1.heinlein-support.de

mx2.heinlein-support.de

mx3.heinlein-support.de

Last seen active

22 November

22 November

IP address

85.31.44.93

Brielle, Netherlands

AS211252 Delis LLC

ISP: Serverion LLC

146.112.61.108

San Francisco, United States

AS36692 Cisco OpenDNS, LLC

ISP: Cisco OpenDNS, LLC

185.85.1.81

Munich, Germany

AS20546 SOPRADO GmbH

ISP: MYRASEC

Domain age

1 day old

3,893 days old

Certificate

Issued to: sparkasse[.]k-login[.]de

Issued by: Let’s Encrypt

21-11-2022 → 19-02-2023

Valid for 3 months

Issued to: S-Com Services GmbH

Issued by: D-Trust GmbH

10-10-2022 → 30-05-2023

Valid for 8 months

VTsparkasse

 

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • If in doubt whether an email is legitimate, never click on any links. Go to the legitimate website’s domain instead via a search engine.

  • Always double check the domain name to make sure it is the legitimate one

  • Never use the same credentials for work and personal accounts

  • Use different passwords for online banking and shopping sites, for example, so if one get’s compromised your other accounts will remain safe.

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.