QR Code Phishing (Quishing) Attacks: How to Spot & Prevent Them

The Rising Threat of QR Code-Driven Phishing Schemes

A new kind of cyberattack has emerged in recent years as a result of QR codes’ popularity as a quick and easy way to share information. Businesses are increasingly at risk from quishing, also known as QR code phishing. Phishing emails contain QR codes that hackers use to obtain private data.

Two-dimensional barcodes known as QR codes (Quick Response codes) have the ability to hold URLs, contact information, and other data. Usually, when a smartphone scans a QR code, a website opens or an activity like adding a contact or calling a number is carried out. The ability of QR codes to rapidly provide digital content has led to their widespread acceptance in a variety of industries, including marketing, banking, retail, and even government services.

However, the ease of use of QR codes has also drawn the attention of cybercriminals who exploit this technology to conduct phishing attacks. These attacks use QR codes to direct users to fraudulent websites, steal sensitive information, or install malicious software on their devices.

How QR Code Phishing Attacks Work

A QR code phishing attack generally follows a straightforward but effective method that takes advantage of users’ trust in QR codes and of how easily the codes can be tampered with.

Creation and Distribution of Malicious QR Code

The initial step in a QR code phishing attack is the creation of a harmful QR code. Cybercriminals commonly use QR code generators to design personalized codes that direct users to websites of their choice. These sites can resemble authentic platforms such as online banking portals, social media login pages, or e-commerce websites. To further deceive users, attackers might employ URL-shortening services to mask the true destination, making it harder for users to spot the malicious URL right away.

The next phase involves spreading the malicious QR code. Attackers can distribute the code through various channels, such as phishing emails, text messages, social media platforms, physical locations (like posters, flyers, or advertisements), or even fake websites.

The Malicious Website or Action

Once the user scans the QR code, they are directed to a fraudulent website designed to look like a legitimate platform. For example, a QR code phishing attack could lead to a fake banking login page, where the user is asked to enter their username, password, and other personal details. In other cases, attackers may create sites that trigger fear or urgency, such as counterfeit security alerts from banks or email providers.

The Exploitation of Sensitive Information

The attacker can exploit the victim’s information for a number of nefarious purposes after they have entered it on the phishing page. This could involve financial fraud, identity theft, illegal account access, or the dark web sale of the victim’s personal information. Until their accounts are accessed or their identity is taken, the victim may not even be aware that they have been the target of a phishing assault.
The stolen information may be used to target other members of the victim’s network or to send phishing messages to the victim’s contacts in an attempt to spread the attack.

Key Findings

  • We have detected a new trend of phishing emails containing QR codes embedded in PDF and XLSX files.
  • QR codes leading to phishing websites are now being placed in PDF and XLSX attachments, rather than being included directly in the email body.
  • These attacks aim to steal login credentials for malicious purposes.

Top 2 most-impersonated entities

  • Microsoft: The most common Microsoft impersonation involves informing the target that their multi-factor authentication or account is about to expire. The recipient is told that they will lose access to their account if they don’t follow the attacker’s instructions to click a link or download a file.
  • DocuSign: In DocuSign impersonations, the recipient is frequently asked to examine and sign documents. Cybercriminals may pretend that the “document” is from a corporate administrator, or they may provide no information at all.

Graph of Quishing Detected Using PDF Files

Over the past four months, we’ve noticed that about 25% of all phishing attacks include a QR code and a PDF file.

Fig.1 Quishing Graph

Campaign Targets

The campaign primarily targets businesses, but at times it also targets individuals. During the second half of 2024, the percentage of targets for phishing attacks fluctuated between personal and organizational assets.

  • Organizational assets are the target of two-thirds of attacks.
  • One-third target financial data and other personal assets.

In the majority of the samples examined, scammers pose as well-known businesses. In over half of all attacks, Microsoft, including SharePoint and OneDrive, is impersonated, followed by DocuSign and others.

Campaigns like Coper Trojan, CherryLoader, and Star Blizzard use QR codes embedded in fraudulent documents to steal personal and financial information and deliver malware.

Examples of Quishing Attacks

  1. This phishing email, which imitates DocuSign, prompts the recipient to review and sign documents by scanning a QR code in an attached PDF. Once scanned, it redirects to a counterfeit Microsoft page.

Fig.2 Example 1

Fig.3 Fake Microsoft page

  2. The recipients of this phishing email were told to scan the QR code to access the confidential document of Partnership Distribution. Once the code is scanned, they are redirected to a fake page and asked for a password before accessing the document.

Fig.4 Example 2

Fig.5 Fake Phishing page

  3. This phishing email, which pretends to be from DocuSign, instructs recipients to scan the QR code in an attached PDF to review a “Stock Agreement Distribution Agreement” document. After scanning, it redirects to a fake Microsoft page.

Fig.6 Example 3

Fig.7 Fake Microsoft page

The Dangers of QR Code Phishing

QR code phishing attacks can be extremely dangerous for several reasons:

  • Lack of Visibility: Unlike URLs in emails or messages, QR codes are not readable by humans, so users cannot easily check where the link leads. This makes it simpler for attackers to hide malicious websites and deceive users into accessing them.
  • Increased Trust in QR Codes: QR codes are often perceived as a fast, efficient, and secure way to access information, leading people to trust them more than traditional links. This misplaced confidence makes QR code phishing particularly effective.
  • Speed of Execution: Scanning a QR code is typically quick and automatic, leaving little time for users to examine the link or make careful decisions. This rapid process appeals to attackers who aim to exploit users’ vulnerabilities swiftly.
  • Wide Distribution: QR codes can be easily shared across various platforms like social media, email, and in physical locations, enabling them to reach a large audience. A malicious QR code placed in a public area could be scanned by anyone passing by, expanding the reach of the attack.

Recognizing False QR Codes: Typical Indications

There are several indicators that can help you spot fake QR codes.

  • QR codes found on unexpected objects, such as random packages, parking meters, or other common places, should arouse suspicion.
  • Before scanning a QR code, always check it for spelling errors, bad language, or discrepancies with the company’s name or emblem.
  • A quick check of the URL associated with the QR code, or of the padlock icon in the address bar that signifies a secure connection, can reveal whether it redirects to a bogus website.
  • Additionally, exercise caution if you get unsolicited QR codes by text or email. In an attempt to trick victims into disclosing personal information, scammers frequently use phishing messages to transmit phony QR codes.
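
The URL check in the list above can also be automated for attachments. The sketch below is an added example, not Seqrite code: it assumes the QR payload has already been decoded from the PDF or XLSX, and the shortener list, brand domain lists, reason labels and sample inputs are illustrative assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative lists (assumptions); maintain your own in production.
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "is.gd")
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "sharepoint.com"),
    "docusign": ("docusign.com", "docusign.net"),
}
CARRIER_TYPES = (".pdf", ".xlsx")  # attachment types named in this article


def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_qr_payload(payload, attachment_name, lure_text):
    """Return the reasons an already-decoded QR payload needs review."""
    url = urlsplit(payload.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        return []  # not a web link (e.g. Wi-Fi or contact data)
    reasons = []
    if attachment_name.lower().endswith(CARRIER_TYPES):
        reasons.append("qr-link-inside-attachment")
    if url.scheme == "http":
        reasons.append("no-tls")
    if host_in(host, SHORTENERS):
        reasons.append("shortener-hides-destination")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode-host")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass  # ordinary DNS name
    # Brand named in the lure or the URL, but the host is not the brand's.
    seen = (lure_text + " " + payload).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in seen and not host_in(host, domains):
            reasons.append(brand + "-brand-mismatch")
    return reasons


if __name__ == "__main__":
    # Constructed sample: DocuSign lure, look-alike Microsoft host.
    print(triage_qr_payload("https://login-microsoft.example.net/review",
                            "Agreement.pdf", "DocuSign: review and sign"))
```

A DocuSign-themed email whose QR code resolves to a look-alike Microsoft host, as in the examples above, trips both brand-mismatch reasons at once.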

MITRE ATT&CK Tactics Observed

ATT&CK Tactic          ATT&CK Technique
INITIAL ACCESS         Phishing: Spear Phishing Attachment [T1566.001]
EXECUTION              User Execution: Malicious Link [T1204.001]
CREDENTIAL ACCESS      Input Capture: Web Portal Capture [T1056.003]
DEFENSE EVASION        Impersonation [T1656]
COMMAND AND CONTROL    Data Encoding: Standard Encoding [T1132.001]

How Seqrite Protects Against QR Code Phishing Attacks

Seqrite offers a range of security measures to protect users from QR code phishing attacks. Here’s how they help:

  1. AntiFraud Phishing Protection: The AntiFraud app from Quick Heal, Seqrite’s retail arm, offers protection against QR code phishing by scanning QR codes before allowing users to visit the linked website. If the QR code leads to a suspicious or fraudulent site, the app will block access or alert the user.
  2. Real-time Threat Detection: Seqrite Endpoint Protection can detect malicious links or URLs embedded in QR codes. If a QR code leads to a suspicious or harmful website, the real-time scanning feature of Seqrite Endpoint Protection can block the website before it causes harm.
  3. Behavioural Detection: Seqrite EDR uses behavioural analysis to detect malicious activities on your device. This includes identifying suspicious apps or malware that could be installed by QR code redirects, ensuring early detection and prevention.
  4. Mobile Security: Seqrite Enterprise Mobility Management (EMM) offers protection for Android devices against malicious QR codes and phishing attempts. It scans QR codes for threats, blocks harmful apps, and offers browsing protection to keep users safe from phishing and malware.

By providing these layers of protection, Seqrite and Quick Heal help users defend against QR code-based phishing threats.
