Technical Analysis of Spear Phishing Scams Using Leaked QQ ClientKey
Recently, there have been instances of corporate financial personnel being defrauded in QQ group chats. The primary method employed by the criminals involves illegally obtaining QQ login permissions to gain control over the user's group operations. They then add the compromised account to a pre-set "work" group and wait for the account owner to log in. Upon logging in, the victim finds familiar contacts, such as their boss, in the pre-set group and receives instructions to transfer funds, ultimately resulting in fraud. Through our investigation and analysis of a real case, we discovered that these scams are spear-phishing attacks executed through the leakage of QQ account ClientKey information, supported by a corresponding QQ gray industry. This paper, using the evolution of the QQ gray market as a backdrop, provides a detailed analysis of the complete technical architecture of this gray market. It presents methods for inspecting the trojans that steal account information and the mirrored servers they report to, including ways to bypass the challenges posed by disguised source code settings in mirrored server images, and summarizes the key evidence points. Lastly, through local co-debugging, we verified the coupling of the account-stealing trojans and the mirrored servers, while also highlighting, to a certain extent, the security risks inherent in the current QQ fast login feature.