Catch Of The Week: QR Code Phishing ‘Quishing’

By REBECCA RUTHERFORD
For the Los Alamos Daily Post

So just to be clear, we have phishing – malicious emails, vishing – malicious phone calls, smishing – malicious text messages, and now … quishing??

Quishing, or using QR codes in a phishing email, is the latest trend among cybercriminals.

So what is QR code? According to Kaspersky, “A QR code is a type of barcode that can be read easily by a digital device and which stores information as a series of pixels in a square-shaped grid. QR codes are frequently used to track information about products in a supply chain and – because many smartphones have built-in QR readers – they are often used in marketing and advertising campaigns.”

QR codes look like this one, which, if scanned with a smartphone, will take the user to the Wikipedia article about QR codes:

You can see how this could be abused in the wild.

Quishing has been in the news lately. Recently we saw the biggest QR code phishing attack yet, targeting a “major” energy company, according to cybersecurity firm Cofense. Approximately one-third (29%) of the 1,000 emails linked to this campaign targeted a large US energy company, while the rest targeted firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). According to Cofense, which first reported this campaign, this is the first time QR codes have been used at this scale, so we can expect this trend to continue and expand.

Cofense said this particular attack started with a phishing email claiming the user must “take action” to update their Microsoft O365 settings. These emails have .png or .pdf attachments with a QR code the victim is asked to scan to “verify” their account. The emails add a sense of urgency, noting that action must be completed within 2-3 days.

Quishing email samples from Cofense

The cybercriminals behind these campaigns use QR codes embedded in images to bypass email security tools that can scan a message for malicious links, effectively allowing the malicious messages to reach the victim’s inbox.

In another move to evade security, the QR codes in this campaign also point at redirect links hosted on Bing, Salesforce, and Cloudflare’s Web3 services, which send the victim on to a Microsoft 365 themed phishing page. By hiding the real destination behind a redirect URL in the QR code, and base64-encoding the phishing link inside it, the cybercriminals abuse legitimate services and get past email protection filters that would otherwise spot a suspicious link.
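To make the redirect-plus-base64 trick above concrete from the defender’s side, here is an added example (not code from the column, Cofense, or any of the services named) of how a mail filter or help desk could examine the URL decoded from a QR code before anyone visits it. It assumes the QR image has already been turned into text by a QR decoding library, which is left out; the redirector hostnames, sample URLs and phishing-page host are all constructed for the example. Nothing is fetched from the network: the redirect chain is unwrapped purely by reading the URL.

```python
import base64
import binascii
from urllib.parse import quote, unquote, urlparse

# Constructed list of hostnames this example treats as "redirector services".
# A real deployment would keep its own list of legitimate services whose
# redirect links are known to be abused, as the column describes.
KNOWN_REDIRECTORS = {"redirect.example.net", "links.example-crm.com"}

# --- constructed sample inputs (the kind of text a QR decoder hands back) ---
BENIGN_URL = "https://en.wikipedia.org/wiki/QR_code"
SAMPLE_TARGET = "https://login-verify.example.org/o365/"          # hypothetical phishing page
SAMPLE_QUISHING_URL = "https://redirect.example.net/r?u=" + (
    base64.urlsafe_b64encode(SAMPLE_TARGET.encode()).decode().rstrip("=")
)
# Two hops: a tracking link whose parameter is the (percent-encoded) first redirect.
DOUBLE_HOP_URL = "https://links.example-crm.com/track?url=" + quote(SAMPLE_QUISHING_URL, safe="")


def _query_values(query: str):
    """Yield percent-decoded query values, leaving '+' alone so that standard
    base64 text survives (parse_qs would have turned '+' into a space)."""
    for pair in query.split("&"):
        if pair:
            _, _, value = pair.partition("=")
            yield unquote(value)


def _base64_url(value: str):
    """Return the URL hidden in a base64 (standard or URL-safe) value, else None."""
    candidate = value.strip()
    padded = candidate + "=" * (-len(candidate) % 4)   # restore stripped padding
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded.lower().startswith(("http://", "https://")) else None


def _embedded_url(value: str):
    """Return (url, encoding) if a query value carries another URL, else None."""
    if value.lower().startswith(("http://", "https://")):
        return value, "plain"
    hidden = _base64_url(value)
    return (hidden, "base64") if hidden else None


def resolve_qr_url(url: str, max_hops: int = 5):
    """Statically unwrap redirect parameters until no further target is found.

    Returns (final_url, hops); each hop is (url_that_redirected, encoding).
    """
    hops = []
    current = url
    for _ in range(max_hops):
        found = None
        for value in _query_values(urlparse(current).query):
            found = _embedded_url(value)
            if found:
                break
        if not found:
            break
        hops.append((current, found[1]))
        current = found[0]
    return current, hops


def assess_qr_url(url: str) -> dict:
    """Summarise what a filter should flag about a QR-decoded URL."""
    final_url, hops = resolve_qr_url(url)
    visible_host = urlparse(url).hostname or ""
    landing_host = urlparse(final_url).hostname or ""
    findings = []
    if visible_host in KNOWN_REDIRECTORS:
        findings.append(f"first hop is a redirector service: {visible_host}")
    if any(enc == "base64" for _, enc in hops):
        findings.append("redirect target is base64-encoded inside the URL")
    if landing_host and landing_host != visible_host:
        findings.append(f"visible host {visible_host} but landing host {landing_host}")
    return {
        "visible_host": visible_host,
        "landing_host": landing_host,
        "hops": len(hops),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for sample in (BENIGN_URL, SAMPLE_QUISHING_URL, DOUBLE_HOP_URL):
        print(sample)
        for key, value in assess_qr_url(sample).items():
            print(f"  {key}: {value}")
```

The same unwrapping is what a careful user does by hand when the phone shows the decoded URL before opening it: the visible domain is a well-known service, but the real landing page is somewhere else entirely, and that mismatch is the signal to stop.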

Other twists on the scam seen recently include requests to “re-authenticate” a corporate password by scanning a QR code. Most legitimate businesses will not ask you to scan a QR code to authenticate anything.

While anything that can get through email security filters is bad, keep in mind that this attack requires action from the user; to get scammed you have to scan the QR code and enter your details on the malicious site. A QR code can claim to be anything, but most smartphones will show you the decoded URL and ask you to confirm that you really want to go to the site.

Never scan a suspicious QR code; only scan QR codes from trusted, expected sources. As a general rule, do not scan QR codes in emails, since this is an increasingly popular attack vector. Likewise, don’t scan random QR codes you find in the wild; you could be in for a nasty trick as opposed to a treat.

Stay safe, be suspicious of QR codes in emails, and be wary of any unsolicited email asking you to “verify” an account or “re-authenticate” a password, especially if it has a QR code to scan.

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
