In a surprising twist, cybercriminals are using old-school snail mail to launch modern cyber attacks. According to the Swiss National Cyber Security Centre (NCSC), attackers have been sending physical letters containing malicious QR codes to unsuspecting recipients. This novel approach highlights the evolving creativity of threat actors.
As reported by The Register, the NCSC warns Swiss citizens about a phishing campaign exploiting the postal service. The fraudulent letters, disguised as official communication from MeteoSwiss (the Swiss Federal Office of Meteorology and Climatology), contain QR codes that supposedly link to a weather warning app. However, these QR codes are designed to install malware on Android devices instead.
The fake app mimics Alertswiss, a legitimate application from the Swiss Federal Office for Civil Protection. Once downloaded, the malicious app, named "Coper" or "Octo2," steals sensitive data from installed apps, including banking applications, according to the NCSC.
“Delivering QR code letters physically via Switzerland’s postal service is an effective way for criminals to catch unsuspecting victims,” said Mike Britton, Chief Information Officer at Abnormal Security. By impersonating trusted sources, attackers exploit a lack of scepticism toward paper-based communication.
Britton added that QR code phishing is a relatively new method, so people aren’t as cautious about it as they are about email scams. This allows criminals to capitalize on recipients' trust in and familiarity with QR codes, which are often used in everyday transactions.
Chris Fuller, Senior Director of Technical Operations at Obsidian Security, highlighted that the attack’s success lies in bypassing digital security measures. “This novel approach demonstrates how cybercriminals evolve their tactics to exploit emerging vulnerabilities,” Fuller said.
Javvad Malik, Security Awareness Advocate at KnowBe4, pointed out that many people don’t associate physical mail with cyber threats, which makes this tactic particularly effective. “Criminals are always finding new ways to manipulate people. This attack targets an overlooked vulnerability—our physical mailboxes,” Malik explained.
The cost of sending physical letters also signals that the attackers have high confidence in the campaign’s success. According to Malik, this could pave the way for similar scams to emerge worldwide.
Currently, these attacks are limited to Switzerland and target only Android users. Swiss iPhone users are unaffected, as the malware does not operate on iOS devices.
For victims who have scanned the malicious QR code and downloaded the app, the NCSC recommends performing a factory reset to completely remove the malware.
Javvad Malik advises vigilance: “It’s essential to scrutinize any communication containing QR codes, regardless of its source. Never install apps unless you are certain of their authenticity and source.”
Chris Fuller echoed the need for awareness, emphasizing the importance of ongoing user education. “Organizations must prioritize training users to identify new phishing tactics. A multi-layered defence strategy is critical, combining user education with advanced anti-phishing tools.”
While this attack is currently confined to Switzerland, its effectiveness could inspire similar tactics globally. The best defence remains consistent: ignore unsolicited QR codes and only download apps from verified, official app stores.
Cyber threats are ever-evolving, and this latest attack underscores the importance of staying one step ahead. Physical mailboxes, once considered safe from cybercrime, are now another front in the battle for cybersecurity. Stay alert and question anything suspicious—digital or physical.