{"id":10459,"date":"2025-07-22T12:34:29","date_gmt":"2025-07-22T05:34:29","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10459"},"modified":"2026-02-05T12:34:37","modified_gmt":"2026-02-05T05:34:37","slug":"chien-dich-lua-dao-scanception-loi-dung-ma-qr-trong-tep-pdf-de-phat-tan-ma-doc","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/22\/chien-dich-lua-dao-scanception-loi-dung-ma-qr-trong-tep-pdf-de-phat-tan-ma-doc\/","title":{"rendered":"Scanception phishing campaign abuses QR codes in PDF files to hijack accounts"},"content":{"rendered":"<p><b>Recently, the Cyble Research &amp; Intelligence Labs (CRIL) team uncovered a global phishing campaign, named Scanception, that uses PDF files carrying QR codes to trick users into scanning them and from there take over their accounts, even when multi-factor authentication (MFA) is enabled.<\/b><\/p>\n<p>The Scanception campaign has not been attributed to a specific group, but it is clearly run by a professional cybercrime operation. The operators send spoofed emails with PDF attachments designed to look like genuine documents: payroll notices, customer-care messages, service surveys, promotional offers, HR handbooks, internal announcements and the like. The goal is to get the recipient to scan a QR code placed discreetly at the end of the document.<\/p>\n<p>What makes this campaign unusual and dangerous is that the attack takes place outside the corporate environment. When the recipient scans the code with a personal phone, they are redirected to phishing pages impersonating Microsoft 365. 
Endpoint security software, firewalls and email security controls are bypassed entirely, because no malware ever executes on the work device: the PDF contains nothing but an image, and the actual phishing happens on the personal phone, outside those controls.<\/p>\n<p>CRIL analysed more than 600 PDF files from this campaign and found that 80% were not flagged by any antivirus engine. Each QR code leads into a multi-stage redirect chain that typically abuses the redirect endpoints of trusted, familiar sites such as Google, YouTube, Bing or Medium before landing on the phishing site, which hides the real destination from the user and from URL reputation checks.<\/p>\n<p>When the user signs in, an Adversary-in-the-Middle (AiTM) setup relays the login to the real service and captures the credentials and the MFA code in real time, leaving the attacker holding an authenticated session. The attacker can then use the account as if they were the legitimate user.<\/p>\n<p>The Scanception campaign has reached more than 50 countries, targeting critical sectors such as technology, finance, healthcare and manufacturing. 
The worrying part is how the operators tailor the email and document content to each organisation's working environment, which raises the chance that a user falls for it.<\/p>\n<p>Many people still reach for the QR code because it is quicker, especially when the document looks authentic and asks them to scan to see the rest or to confirm their details. At the same time, personal phones are usually outside the organisation's security controls, which makes them an attractive target.<\/p>\n<p>Scanception is clear evidence that cybercriminals keep evolving and that traditional defences alone are no longer enough. Trusting a logo, a document format, or even an MFA code is no longer a safe shield.<\/p>\n<p>The Scanception campaign exploits gaps in user awareness and the blind spots of traditional email filtering, which sees only a PDF with an embedded image, to trick users into scanning QR codes inside PDF files. The technique is sophisticated, bypasses MFA, is hard to detect, and is spreading worldwide. 
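<\/p>\n<p>As an added example that is not part of the original article or of Cyble's report, the following script statically unwraps a redirect chain of the kind described above (nothing is fetched; only the URL text is analysed) and classifies a URL decoded from a QR code. The google.com\/url?q= pattern is the one the article names; the YouTube and Medium entries, the generic parameter names, the sample URL and the lookalike host login-m365.example are assumptions for illustration, as are the function names next_hop, unwrap and verdict.<\/p>\n
```python
# Added example, not code from the original article or from Cyble/WhiteHat.
# Statically unwraps a QR-code URL that bounces through trusted redirectors
# (the google.com/url?q= pattern named in the article) and classifies it.
# Nothing is fetched; only the URL text is analysed, so it runs offline.
from urllib.parse import urlsplit, parse_qs

# Redirect endpoints that carry the real destination in a query parameter.
# google.com/url?q= comes from the article; the youtube.com and medium.com
# entries are assumptions of the same shape. Maintain this table from your
# own telemetry; it is illustrative, not complete.
OPEN_REDIRECTORS = {
    'google.com': {'/url': ['q', 'url']},
    'www.google.com': {'/url': ['q', 'url']},
    'youtube.com': {'/redirect': ['q']},
    'www.youtube.com': {'/redirect': ['q']},
    'medium.com': {'/r/': ['url']},
}
# Parameter names many generic redirectors use; checked when the host and
# path are not in the table above.
GENERIC_PARAMS = ['url', 'u', 'redirect', 'target', 'dest']

def next_hop(url):
    # Return the absolute URL a redirector points to, or None if url is not
    # recognised as a redirector. parse_qs percent-decodes the value once,
    # which is exactly one layer of the nesting.
    parts = urlsplit(url)
    host = parts.netloc.lower()
    params = parse_qs(parts.query)
    names = OPEN_REDIRECTORS.get(host, {}).get(parts.path, GENERIC_PARAMS)
    for name in names:
        for value in params.get(name, []):
            if value.startswith('http://') or value.startswith('https://'):
                return value
    return None

def unwrap(url, max_hops=10):
    # Follow redirect parameters without network access; returns every hop,
    # starting with the URL decoded from the QR code.
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def verdict(url, allowed_hosts):
    # 'allow': final host is an approved login host.
    # 'block-redirect': a trusted site was used only as a bounce to an
    #   unapproved destination, the pattern the article recommends blocking.
    # 'review': direct link to an unapproved host; hand to an analyst.
    chain = unwrap(url)
    final_host = urlsplit(chain[-1]).netloc.lower()
    if final_host in allowed_hosts:
        return 'allow'
    return 'block-redirect' if len(chain) > 1 else 'review'

# Constructed sample: a QR payload bouncing Google -> YouTube -> lookalike host.
SAMPLE_QR_URL = ('https://www.google.com/url?q=https%3A%2F%2Fwww.youtube.com'
                 '%2Fredirect%3Fq%3Dhttps%253A%252F%252Flogin-m365.example%252Fo365')
APPROVED_LOGIN_HOSTS = {'login.microsoftonline.com'}

if __name__ == '__main__':
    for hop in unwrap(SAMPLE_QR_URL):
        print('hop:', hop)
    print('verdict:', verdict(SAMPLE_QR_URL, APPROVED_LOGIN_HOSTS))
```
\n<p>The decision rule is deliberately strict: any trusted domain that merely bounces to a host outside the approved list is blocked, because there is no legitimate reason for an internal document to send staff to the Microsoft 365 login through google.com. A Google search URL is left alone, since only the listed paths count as redirectors. Keep the generic parameter list short; names such as redirect_uri appear in legitimate OAuth flows and would otherwise unwrap the wrong URL.<\/p>\n<p>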
WhiteHat experts recommend:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Warn users NOT to scan QR codes in unexpected PDFs or emails unless the source is clearly known.<\/li>\n<li data-xf-list-type=\"ul\">Block access to redirect URLs reached from QR codes (for example, google.com\/url?q=...).<\/li>\n<li data-xf-list-type=\"ul\">Deploy sandboxing or an advanced threat protection (ATP) service for PDF files arriving by email.<\/li>\n<li data-xf-list-type=\"ul\">Put security software on personal devices as well, if they are used for work.<\/li>\n<li data-xf-list-type=\"ul\">Strengthen monitoring for anomalous access, even for sessions that passed MFA.<\/li>\n<li data-xf-list-type=\"ul\">Update SIEM\/EDR rules to detect PDF files containing QR codes.<\/li>\n<li data-xf-list-type=\"ul\">Train HR, finance and helpdesk staff on QR-based phishing campaigns.<\/li>\n<\/ul>\n<p>In an era where QR codes are everywhere, the personal phone is the user's new weak point. 
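<\/p>\n<p>The monitoring recommendation above is easier to act on with a concrete rule. The following detector is an added example, not code from the original article or from WhiteHat: it runs over constructed sign-in records and checks two indicators of the AiTM takeover the article describes, a session that passed MFA from one IP and is later used from another (the stolen cookie replayed from attacker infrastructure), and an MFA-satisfied sign-in from an IP outside the user's baseline (the AiTM proxy authenticating on the victim's behalf). The log layout, field names, IP addresses and user names are invented for the example; map them onto your identity provider's sign-in log.<\/p>\n
```python
# Added example, not code from the original article or from WhiteHat.
# Minimal AiTM detection over constructed sign-in records. Two indicators:
#  (1) a session authenticated with MFA from one IP is later used from a
#      different IP (stolen session cookie replayed elsewhere);
#  (2) an MFA-satisfied sign-in from an IP the user has never used before
#      (the AiTM proxy signing in on the victim's behalf).
# Log layout, field names and addresses are invented for the example.

# Constructed records: one sign-in or session-use event per line.
LOG = '''
2025-07-22T08:01:00 user=alice action=signin_mfa_ok ip=203.0.113.10 session=s-1
2025-07-22T08:02:10 user=alice action=session_use ip=203.0.113.10 session=s-1
2025-07-22T08:15:00 user=alice action=session_use ip=198.51.100.77 session=s-1
2025-07-22T09:00:00 user=bob action=signin_mfa_ok ip=203.0.113.20 session=s-2
2025-07-22T09:05:00 user=bob action=session_use ip=203.0.113.20 session=s-2
2025-07-22T09:30:00 user=carol action=signin_mfa_ok ip=192.0.2.99 session=s-3
'''

# Constructed baseline: IPs each user has signed in from recently.
KNOWN_IPS = {
    'alice': {'203.0.113.10'},
    'bob': {'203.0.113.20'},
    'carol': {'203.0.113.30'},
}

def parse(log_text):
    # Turn the key=value lines into dicts; blank lines are skipped.
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(' ', 1)
        ev = {'ts': ts}
        for field in rest.split():
            key, value = field.split('=', 1)
            ev[key] = value
        events.append(ev)
    return events

def session_ip_mismatches(events):
    # Indicator (1): remember which IP authenticated each session, then flag
    # any later use of that session from a different IP.
    auth_ip = {}
    findings = []
    for ev in events:
        sid = ev['session']
        if ev['action'] == 'signin_mfa_ok':
            auth_ip[sid] = ev['ip']
        elif ev['action'] == 'session_use' and sid in auth_ip and ev['ip'] != auth_ip[sid]:
            findings.append((ev['user'], sid, auth_ip[sid], ev['ip'], ev['ts']))
    return findings

def mfa_from_unknown_ip(events, known_ips):
    # Indicator (2): MFA passed, but from an IP outside the user's baseline.
    return [(ev['user'], ev['ip'], ev['ts'])
            for ev in events
            if ev['action'] == 'signin_mfa_ok'
            and ev['ip'] not in known_ips.get(ev['user'], set())]

def run(log_text=LOG, known_ips=KNOWN_IPS):
    # Returns both finding lists keyed by indicator name.
    events = parse(log_text)
    return {
        'session_ip_mismatch': session_ip_mismatches(events),
        'mfa_unknown_ip': mfa_from_unknown_ip(events, known_ips),
    }

if __name__ == '__main__':
    for kind, hits in run().items():
        for hit in hits:
            print(kind, hit)
```
\n<p>Neither indicator relies on the password or the MFA code being wrong, which is the point: in an AiTM attack both are correct. Indicator (2) is the one that fires at the moment of compromise, because the MFA-satisfied sign-in arrives from the proxy's address rather than the victim's; indicator (1) catches the replay afterwards. In production, enrich the IP with ASN and geolocation and compare those rather than raw addresses, and revoke the session token when either rule fires.<\/p>\n<p>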
Security is no longer just about guarding the computer; it has to reach into the habits of each individual user.<\/p>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/chien-dich-lua-dao-scanception-loi-dung-ma-qr-trong-tep-pdf-de-phat-tan-ma-doc.18587\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/chien-dich-lua-dao-scanception-loi-dung-ma-qr-trong-tep-pdf-de-phat-tan-ma-doc.18587\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Recently, the Cyble Research &amp; Intelligence Labs (CRIL) team uncovered a global phishing campaign, named Scanception, that uses PDF files carrying QR codes to trick users into scanning them and from there take over their accounts, even when multi-factor 
[&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10459","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10459"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10459\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}