Attention: very well camouflaged Sparkasse phishing mail on the subject of S-PushTAN on the go

Of course, this email did not come from the Sparkasse, but was sent by fraudsters who would like to get the Sparkasse access data.

When I get emails from banks, I usually assume it's spam or phishing. Hardly any bank still relies on e-mail to communicate with customers, unless you are in direct e-mail contact with a specific employee.

Most of the time, I click through the phishing emails to see what the fraudsters are up to and whether laypeople can see that it is phishing. And unfortunately I have to say: the idiots who want to rip people off with this technique are getting better and better at their "business".

Subject: S-PushTAN app registration will expire soon

The mail that I supposedly received from the Sparkasse has the following wording:

Note: Your S-PushTAN app registration will expire soon

Dear customer,

Our customer documents show that your S-PushTAN app registration will expire soon. For security reasons, you have to update your S-pushTAN connection regularly. After the update, you can easily and securely receive your TANs again. Your S-PushTAN app will be blocked after 01.03.2021 and you will have to carry out the registration process again.

How do I renew my S-PushTAN app registration?

Renew your S-PushTAN app immediately by scanning the QR code on the right with the camera of your smartphone. Then go through the steps and complete the registration.

[QR Code]

We trust that we have given you sufficient information.

Kind regards

Your savings bank

At first it sounds almost as if it could come from the Sparkasse. The QR code is also an effective means of making it easy for people to access complex URLs. For this reason, as a layperson, I would not suspect anything.


Why a QR code?

The first question I asked myself: Why can I find a QR code here and not just a link to click on?

Quite simply: the QR code is not decoded by virus scanners and mail providers, so they do not know that the address of a "malicious" website is hidden behind it. Even if the website is blacklisted, nothing recognizes that it appears in the email, as there is no link in plain text.

The second good reason is that, because the QR code has to be scanned, the attacker can say very precisely that the majority of people will access the site with a smartphone.

As an attacker, you can zero in on the fact that there is a high probability that you will be dealing with an iPhone or an Android device. And I strongly suspect that the Sparkasse phishing page is targeting Android users, as opening it with my iPhone 12 Pro Max only produced a loading icon. Nothing tried to install there.

E-mail address, typographical errors and spelling as indicators of phishing mail

And although it was immediately clear to me that an email to my public info@ email address was certainly not coming from a real bank, the explanation in the email of why I should now scan the QR code was convincing. I only noticed two spelling mistakes:

  • “Ihre” (“your”) is written with a capital “I” when used as a form of address
  • “S-pushTAN Verbindung” (“S-pushTAN connection”) is of course written with a capital “V”

This is no longer as easy to recognize as a phishing mail as the mails you received years ago, in which all German umlauts were still broken.

Another clear feature is the sender email address, which you can see in Apple Mail when you click on the email address. There is no e-mail address ending in @sparkasse.de to be found here, which in turn is an indication that someone else is the author.

The stored e-mail address can of course be set to any address, but the phishers made no effort and did not use one ending in @sparkasse.de.
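The two mail-level indicators described above (a sender domain that is not sparkasse.de, and a call to action that exists only as a QR image with no link in the text) can be checked automatically. The following Python sketch is an added example, not part of the original post; the function names, the sample addresses under `.example` and the placeholder image bytes are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
QR_RE = re.compile(r"\bQR[- ]?code\b", re.I)

def triage(raw: bytes, brand_domain: str) -> dict:
    """Indicators for one raw RFC 5322 message claiming to come from brand_domain."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rpartition("@")[2]
    texts, images = [], 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_maintype() == "text":
            texts.append(part.get_content())
    body = "\n".join(texts)
    urls = URL_RE.findall(body)
    return {
        "sender_domain": domain,
        # From is attacker-controlled: a match proves nothing, a mismatch is a cheap signal.
        "sender_matches_brand": domain == brand_domain or domain.endswith("." + brand_domain),
        "urls_in_text": urls,
        "image_parts": images,
        # Call to action lives only in an image: nothing for a URL blocklist to match.
        "qr_lure_without_link": bool(QR_RE.search(body)) and images > 0 and not urls,
    }

def build_sample(sender: str, body: str) -> bytes:
    """Constructed test message: one text part plus one PNG part (placeholder bytes)."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "info@recipient.example"
    m["Subject"] = "S-PushTAN app registration will expire soon"
    m.set_content(body)
    m.add_attachment(b"\x89PNG constructed placeholder", maintype="image",
                     subtype="png", filename="qr.png")
    return m.as_bytes()

PHISH = build_sample("Sparkasse <service@mailer.example>",
                     "Renew your S-PushTAN app immediately by scanning the QR code.")
CONTROL = build_sample("Newsletter <news@sparkasse.de>",
                       "Details: https://www.sparkasse.de/ or scan the QR code.")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("control", CONTROL)):
        print(name, triage(raw, "sparkasse.de"))
```

A mail that trips `qr_lure_without_link` is a candidate for decoding the image and checking the embedded address before delivery, which is exactly the step the scanners in this case skipped.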

The target page only allows you to enter the zip code

If you now call up the page that is hidden behind the QR code (you shouldn't do it!), you end up with a website that mimics the real Sparkasse website quite well. However, you can only enter a postcode and nothing else on the website. That should make you suspicious.

To see what the fraudsters did to prevent visitors from clicking on any links, I took a look at the source code and specifically picked out the links that are legally required: imprint and data protection.

In the source code you can see that the links are created as link elements, but only contain the link text and no target URL. They look like a link, but cannot be clicked. This saves the fraudsters the work of recreating the entire website with subpages.

Important links such as imprint, data protection, etc. cannot be accessed because they have been technically changed in such a way that they have no stored destination.
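The dead-link observation can be turned into a quick check on saved page source. The following Python sketch is an added example, not part of the original post: it lists every link element without a usable destination and goes slightly beyond the case described by also counting common placeholder values such as "#". The sample HTML is constructed from the description above, not copied from the phishing page.

```python
from html.parser import HTMLParser

# href values that render as a link but lead nowhere (assumed placeholder set)
PLACEHOLDER_HREFS = {"", "#", "javascript:void(0)", "javascript:;"}

class AnchorAudit(HTMLParser):
    """Collects [link text, href] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = ["", dict(attrs).get("href")]  # href is None if absent
            self.anchors.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[0] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def audit_links(html: str) -> dict:
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    dead = [text.strip() for text, href in parser.anchors
            if (href or "").strip().lower() in PLACEHOLDER_HREFS]
    total = len(parser.anchors)
    return {"total": total, "dead": dead,
            "dead_ratio": len(dead) / total if total else 0.0}

# Constructed sample: navigation and legal links without a destination,
# plus a single postcode field, as described in the text.
SAMPLE = """
<nav><a class="nav">Private customers</a> <a class="nav" href>Online banking</a></nav>
<form method="post" action="/step2"><input name="plz" placeholder="Postcode"></form>
<footer><a>Imprint</a> <a href="#">Data protection</a> <a href="/help">Help</a></footer>
"""

if __name__ == "__main__":
    print(audit_links(SAMPLE))
```

A page on which the imprint and data protection links are among the dead ones, and most of the navigation goes nowhere, is very unlikely to be a real bank site.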

Sparkasse phishing email detected?

I hope that my little guide to recognizing the Sparkasse phishing mail will help you to unmask other "bad" mails as well. There are a few points that you have to pay attention to, and then you will find the "weak point" in almost every one of these emails that distinguishes it from a legitimate email.


12 comments

  1. Michael Bach says:

    Many Thanks! I had also received this email and was surprised because I had a REAL similar one last week. Didn't have time to look at it yet, who knows if I would have fallen for it! Maybe because I always "hover" the mouse over embedded links to see where this is going, and there aren't any here.
    Crazy, these fakes are getting better and better. Thanks again.

  2. Holger Wittich says:

    Hello,
    I just fell for it and scanned the QR code.
    What now??

    • Jens Kleinholz says:

      Scanning the code and visiting the website is not critical. It only becomes risky when you start entering your bank details.

  3. Jesus Christ says:

    Partition from Catalina to High Sierra.

  4. Andrea Müller says:

    Hello, I also fell for it and scanned it with my Samsung phone and then entered my postcode on the "Sparkasse" page. Then, according to the information on the site, there should be a redirect. This failed, after some time a window opened with the content "The page cannot be accessed" or something like that.
    3 days later I get a letter from the Sparkasse that I have accessed online banking from a computer that is infected with a Trojan. How did they notice that? By entering the postcode or were my login details in someone else's hands and they only wanted to be led to banking by me? When I asked the Sparkasse about this, I got the answer that my login data had been viewed on a third-party server.
    My question is, is my phone infected with the trojan? Should I shut down my phone completely and put it back on again? Or is there a trojan scan program?
    PS The Sparkasse has now changed all data and I get a new account.

    • Jens Kleinholz says:

      Hello Andrea! Unfortunately, I am not familiar with Samsung / Android. But I would reset my phone and start over to be on the safe side. Under no circumstances can a Trojan be used on a smartphone. I don't know whether there is a virus scanner, but if you find a free program in the Google Store that pretends to be a virus scanner and then taps your data, you're even worse off than before. I wouldn't take any chances there.

  5. Ioana says:

    Hi Jens,

    The same thing just happened to my friend. Should you reset an iPhone and start over, or is that not necessary? Many thanks!

    • Jens Kleinholz says:

      Hello Ioana! With me on the iPhone, the program apparently couldn't do anything. I don't think you have to reinstall anything. But, if he's careful and has a backup from the last few days, I would import it. Better safe than sorry.

  6. Anna Samson says:

    Hi Jens,
    Such emails are not only sent as Sparkasse sender. I have already received such from banks with which I do not have an account. If I then tap the sender address on the iPhone, I immediately see some imaginary address under Other. So I can block and delete this contact right away, which is then displayed to me in the mail folder on my Mac.
