QR code Phishing, or “Quishing,” is a cyber threat that exploits the widespread use of QR (Quick Response) codes in phishing attacks.
Quishing takes advantage of the recent high-use volume and increasing popularity of QR codes. These codes, which can be easily scanned using smartphones, are commonly seen as innocent and have become a widely used tool for businesses and organizations to exchange information, facilitate payments , or guide users to websites. Exploiting this trust and familiarity is a common tactic in certain activities.
Scammers can utilize QR codes through various channels, such as emails, text messages, social media, public places, or even by directly approaching individuals to scan them.
The FBI has reported an increase in scammers instructing victims to utilize physical crypto ATMs and QR codes for payment transactions.
Fraudsters often manipulate victims into making payments and instruct them to withdraw funds from their financial accounts, including investment or retirement accounts.
The FBI cautions that a QR code linked to the scammer’s cryptocurrency wallet will be given to the victim for use in the transaction.
The fraudster will then guide the target to a physical cryptocurrency ATM where they can deposit their funds, buy cryptocurrency, and utilize the given QR code to fill in the recipient’s address automatically.
How Quishing Works
Generating a Malicious QR Code
Cybercriminals create QR codes that, when scanned, direct users to deceptive websites or initiate the download of harmful software.
The QR codes can be distributed through different channels, including emails, social media, printed materials, or by placing stickers over legitimate QR codes in public areas.
The Scam Process
Once someone scans the QR code, they are directed to a deceptive website that may appear legitimate. On this site, they are prompted to provide sensitive information such as login credentials, personal data, or financial details.
Malware may be downloaded in response to certain quishing attempts that lead to compromising devices and networks.
The attackers leveraged compromised email accounts to exploit the victim organization’s legitimate Outlook infrastructure for sending the QR codes. The phishing pages found after QR code scans were hosted through an enterprise survey service and linked to IP addresses associated with Google or Amazon.
What sets these messages apart is that they include QR codes that allow users to access missed voicemails. This cleverly avoids the need to scan URLs for email attachments, which secure email gateways and native security controls typically block.
Mostly, the QR code images were generated on the same day they were sent, which reduces the chances of them being flagged by a security blocklist due to prior reports. A total of six distinct profiles were utilized to transmit messages for the campaign, with the majority crafted to appear connected to the industry of interest.
Recent Quishing Attack
In the latest phishing campaigns, cybercriminals have started utilizing QR codes as an alternative to buttons to redirect victims to fraudulent websites.
These emails lack clear-text URLs and instead use QR codes to obfuscate them, which poses a challenge for security software to detect.
QR codes have become more effective by targeting mobile users, who may have less protection from internet security tools.
Upon reaching the phishing site, individuals are prompted to provide their bank location, code, user name, and PIN.
After inputting these details on the phishing page, the user patiently awaits validation, only to be prompted to re-enter their credentials because they were deemed incorrect.
This repetition is frequently used in phishing campaigns to prevent typos when users enter their credentials for the first time.
It is important to exercise caution when dealing with emails, even if they appear genuine. Refrain from clicking on any buttons, URLs, or QR codes that redirect you to external websites.
Before entering your account credentials, it’s important to verify the domain you’re on to ensure its authenticity.
You may have encountered them in various settings, such as restaurants, parking lots, and marketing campaigns. In 2022, the Federal Bureau of Investigation highlighted the issue of cybercriminals manipulating QR codes to illegally obtain victims’ financial funds.
In the past, QR Code phishing attacks were not very common. However, around mid-September 2023, Microsoft Security Research & Threat Intelligence noticed a notable rise in phishing attempts involving QR codes.
Recent incidents of quishing (QR code phishing) highlight the ever-changing strategies employed by cybercriminals and the growing importance of maintaining a high level of caution in digital security.
Quishing Attack Targets
Many of these phishing emails were specifically aimed at energy companies, while other sectors, such as manufacturing, insurance, technology, and financial services, were also subject to targeting.
The QR codes in these emails directed users to deceptive Microsoft 365 pages, often masquerading as security setting updates or multifactor authentication requests. This advanced method utilizes trusted domains and obfuscation techniques to avoid detection and effectively land in email inboxes.
One notable instance of a quishing attack involved deceptive emails that seemed to originate from credible sources, like the Chinese Ministry of Finance or a parcel delivery service.
These emails included documents with QR codes that, upon scanning, led users to deceptive websites to extract personal and financial data. This strategy successfully transferred the phishing attack from a desktop setting to mobile devices, potentially exploiting weaker anti-phishing defenses.
The adoption of QR codes in phishing campaigns reflects a calculated decision by attackers to take advantage of emerging platforms and changing user habits.
Implementing AI-powered email security solutions can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware, & Ransomware – Request Free Demo.
The Risks of Quishing
Personal and sensitive information is at risk of being stolen.
Financial Fraud: There is a risk of direct financial theft or fraud, particularly when providing payment information.
Malware Infection: Certain deceptive attempts can result in the downloading of malware, posing a threat to the security of devices and networks.
Trust Issues: The growing problem of quishing has resulted in a lack of trust in QR codes, which can significantly diminish their effectiveness for legitimate purposes.
Be cautious of sharing your login credentials, which can lead to unauthorized access to your personal or workplace accounts.
Organizational Risks Potential Security Breaches: If an employee becomes a target of a phishing attack, unauthorized individuals risk gaining access to the company’s networks and sensitive data.
Reputation Damage: If an organization becomes involved in a phishing attack, whether as a target or due to compromised systems, it could seriously damage its reputation.
Financial Losses: Apart from direct theft, businesses can incur financial losses due to the need for remediation, enhanced cybersecurity measures, and potential legal repercussions.
Addressing Cybersecurity Concerns Distribution of Malware: Quishing is a method that can be utilized to distribute malware, resulting in the compromise of devices and networks.
The widespread use of QR codes has significantly increased the potential for cybercriminals to exploit vulnerabilities, posing a greater challenge in maintaining comprehensive security measures.
Focusing on Vulnerable Populations: Individuals who are not as familiar with technology may be more vulnerable to phishing attempts, which puts them at a higher risk of being targeted.
Impact on Society Decline in Trust of QR Codes: Frequent quishing attacks can erode people’s trust in QR codes, making them less useful and less likely to be embraced.
Regular exposure to such tactics may cause users to become desensitized to suspicious activity, making them more vulnerable to other types of cyberattacks.
Potential Legal Ramifications for Organizations: Companies that do not adequately safeguard their data may face legal consequences, particularly under data protection regulations such as GDPR.
Compliance Challenges: Organizations must ensure their cybersecurity policies and practices are up-to-date to effectively combat evolving threats, which can require significant resources.
Effective Strategies and Recommended Approaches to Prevent QR Phishing
Increasing User Awareness: It is essential to inform users about the possible risks of QR codes. Users need to exercise caution when scanning QR codes from unfamiliar or untrustworthy sources.
Secure QR Code Generation: Generating QR codes securely and making them tamper-proof is crucial for organizations.
Verification of URLs: Checking the URL after scanning a QR code is recommended to confirm that it aligns with the intended destination.
Certain scanner apps that use secure QR code scanners have advanced security features that can effectively identify and flag any suspicious URLs that may pose a potential threat.
Implementing Multi-Factor Authentication (MFA): Adding a layer of security can be beneficial, particularly for platforms that phishers frequently target.
Consistent Monitoring: It is important for companies to consistently monitor their QR code campaigns to detect any signs of tampering or misuse.
Please exercise caution when sharing information after scanning a QR code: Before entering any personal information or data, it’s important to double-check the logo and the full URL of the page you are on when prompted to click on a link.
For enhanced security, it is advisable to manually enter the original URL into your browser rather than providing sensitive information through a link or QR code.