Is Switzerland’s Postal Service the New Medium for Malware Attacks?

December 11, 2024

Imagine receiving an official-looking letter in the mail, urging you to scan a QR code to download a severe weather warning app to keep you informed about potential natural disasters. This scenario may seem like an ordinary move from public authorities to ensure public safety, but in Switzerland, it has taken a sinister turn. The National Cyber Security Centre (NCSC) has recently raised an alert about a new form of malware distribution utilizing the country’s postal service to spread malicious software. These fraudulent letters are designed to closely resemble official communications from the Federal Office of Meteorology and Climatology, complete with appropriate logos to build credibility.

The letters coax recipients into scanning a QR code to download a supposed “Severe Weather Warning App” for Android devices. However, this seemingly benign action leads users to a third-party site rather than the Google Play Store, where they end up downloading a fake version of the legitimate Alertswiss weather app, cleverly dubbed “AlertSwiss.” While it features only a subtle logo variation, the counterfeit app hides a dangerous trojan called Coper, initially identified in July 2021. Coper is particularly insidious, possessing capabilities to keylog, intercept two-factor authentication messages, and target banking apps to steal credentials and other sensitive data. Additionally, it can display phishing screens and communicate with command-and-control servers to execute further malicious instructions, making it a significant threat to users.
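Because the counterfeit app differs from the real one only by a subtle logo change, the manifest of a sideloaded APK is a better tell than its icon. The following triage script is an added example, not code from the article or from any vendor, and it assumes a decoded AndroidManifest.xml (as produced by apktool-style tooling) and a mapping from the capabilities described above to the Android permissions that enable them; the sample manifest and package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed triage mapping (not Coper's real manifest): the capabilities the
# article describes each need a permission a weather-alert app has no use for.
HIGH_RISK = {
    "android.permission.RECEIVE_SMS": "can read incoming 2FA codes",
    "android.permission.READ_SMS": "can read stored 2FA codes",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw phishing overlays",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "can log keystrokes and drive the UI",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further payloads",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report which high-risk permissions a decoded AndroidManifest.xml requests."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # BIND_ACCESSIBILITY_SERVICE is declared on the <service>, not via uses-permission.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            requested.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    findings = {n: HIGH_RISK[n] for n in sorted(filter(None, requested)) if n in HIGH_RISK}
    return {
        "package": root.get("package"),
        "findings": findings,
        "verdict": "suspicious" if findings else "no high-risk permissions",
    }

# Constructed sample manifest for a look-alike app; values are illustrative only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ch.example.alertswiss.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for perm, why in triage_manifest(SAMPLE_MANIFEST)["findings"].items():
        print(f"{perm}: {why}")
```

A genuine alerting app installed from the Play Store should come back with no high-risk findings; any of these permissions on an app obtained through a QR code is reason to uninstall it and report the letter to the NCSC.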

The Highly Targeted Nature of the Attack

The choice to send these fraudulent letters via postal service suggests a highly targeted spear-phishing strategy rather than a mass distribution campaign. The cost of sending such letters in Switzerland is approximately $1.35 each, indicating that the attackers are likely aiming at high-value targets. Switzerland’s significant wealth makes any successful attack extremely lucrative, even if fewer individuals are reached compared to traditional mass email phishing campaigns. By adding an air of legitimacy through the official-looking letters and inducing panic-driven actions from recipients, attackers hope to maximize their success rate despite the relatively high cost per letter.

QR code-related fraud is not a new phenomenon, having been around since the early 2010s. However, the use of postal services for such scams is unprecedented. Microsoft recently reported that over 15,000 malicious QR code messages are sent daily to the education sector alone, underscoring the ongoing relevance of QR-based scams. Despite the tactic’s perceived inefficiency, its potential payoff when targeting high-value individuals justifies its viability as an attack vector. This development highlights the ever-evolving creativity of cybercriminals in finding new ways to breach security measures.

