With 520 companies, 16,500 branches and almost 300,000 employees, Sparkasse's high-quality range of products and services is a key factor in its success, being one of the major savings banks in Germany.

During our PreCrime internet scout of November 22nd 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting customers of Sparkasse.


The Attack

Legitimate site :
sparkasse[.]de

Malicious domains :
sparkasse[.]k-login[.]de
k-login[.]de

This attack shows a brand impersonation attack on the German bank financial group, Sparkasse (Sparkassen-Finanzgruppe) which is a network of public banks that together form the largest financial services groups in Germany.

How does this attack work ?

• Users may be led to the malicious website through a phishing campaign, wherein they are asked to go to the website in order to verify their identity due a system overload. The threat actors will likely attempt to convince users that this is an urgent matter, a tactic often used to make victims feel a sense of urgency and thereby more likely to comply.

• When opening the webpage, users are asked to verify their identity due to usage restriction on the normal website as a result of system overload.

• Users are then guided through a verification process where they are asked to first choose their affiliate bank, then enter their name and password, date of birth and phone number and finally their credit card number including the PIN code.

• Once those steps are completed, users are informed that “Your data has been successfully received by us and the first step of the update is completed. We will now examine your data in detail and then a consultant will contact you by phone to complete the update.“

• When clicking the final button “initiate forwarding“, users are redirected to the banks legitimate website.

How do they trick users into believing the attack is real ?

• Brandsquatting: registered a domain name that is similar to the legitimate one, sparkasse[.]de

• Using the same branding from Sparkasse including the same logo, colours and font.

• The website has the same layout as the legitimate site, including links to Sparkasse’s other websites, however all links on the malicious page correspond to the following URL, sparkasse[.]k-login[.]de/#. The hashtag at the end of the URL is a fragment identifier which references a specific part of the current web page. This means that the link will not redirect the user to other websites as it should, but instead remain on the same web page, though perhaps at the top of the page.

If successful, this attack would provide threat actors with access to sensitive personal information about the user, including name and credit card number, allowing threat actors to take control of their bank account and steal their money. Corporations using Sparkasse would also be at risk of their internal network being compromised, if their credentials used at Sparkasse correspond to those they use for work.

Domain brand impersonation does not just lead to theft of sensitive personal information, but could also result in malware infection for both private consumers and global corporations depending on the target and end goal of the threat actor. This occurs when stolen credentials are sold on the dark web, giving other threat actors the ability to conduct further attacks against the user(s) such as ransomware attacks.

• With 23.8 billion EUR in revenue in 2021, a cyber incident of Sparkasse could ultimately result in the loss of 95 million EUR.

• Companies connected to Sparkasse could run the risk of a data breach which as of 2022 could result in the loss of around 4,35 million USD.

• If individual consumers were to become a victim of this attempt to gain their personal information over the internet, they could lose between 2-3 thousand USD.

Identification and threat analysis

Technical Report

The technical report below helps emphasize the differences in terms of DNS records between the malicious domain, and the legitimate domain.

Domain	sparkasse[.]k-login[.]de	sparkasse[.]de
Name Servers	N/A	ns1.s-fg-net.de ns2.s-fg-net.dom ns3.s-fg-net.eu ns4.s-fg-net.de
MX record	N/A	mx1.heinlein-support.de mx2.heinlein-support.de mx3.heinlein-support.de
Last seen active	22 November	22 November
IP address	85.31.44.93 Brielle, Netherlands AS211252 Delis LLC ISP: Serverion LLC   146.112.61.108 San Francisco, United States AS36692 Cisco OpenDNS, LLC ISP: Cisco OpenDNS, LLC	185.85.1.81 Munich, Germany AS20546 SOPRADO GmbH ISP: MYRASEC
Domain age	1 day old	3,893 days old
Certificate	Issued to: sparkasse[.]k-login[.]de Issued by: Let's Encrypt 21-11-2022 → 19-02-2023 Valid for 3 months	Issued to: S-Com Services GmbH Issued by: D-Trust GmbH 10-10-2022 → 30-05-2023 Valid for 8 months

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid - and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

• If in doubt whether an email is legitimate, never click on any links. Go to the legitimate website’s domain instead via a search engine.

• Always double check the domain name to make sure it is the legitimate one

• Never use the same credentials for work and personal accounts

• Use different passwords for online banking and shopping sites, for example, so if one get’s compromised your other accounts will remain safe.

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.