CyberSecurity SEE

Quishing on the rise: Tips for preventing QR code phishing

Email-based quishing attacks are on the rise, posing a significant threat to users, according to researchers. These attacks, also known as QR code phishing, involve manipulating users into scanning a QR code that directs them to a fraudulent website. The website may then download malware onto the user’s device or solicit sensitive information.

One particular quishing campaign has caught the attention of threat researchers for its large-scale and dynamic nature. The campaign utilizes varying lures and domains, indicating its long-running nature. Patrick Schläpfer, a malware analyst at HP, has been tracking this campaign and has noticed a series of suspicious emails with similar Word documents attached.

Upon closer investigation, Schläpfer and his team discovered that each document contained Chinese text and a QR code. The emails appeared to come from the Chinese Ministry of Finance but were actually sent by threat actors. The messages informed recipients that they were eligible to receive a new government-funded subsidy. To claim their payments, users were instructed to use their mobile devices to scan the QR code, which would redirect them to an application form where they could submit their personal and financial information.

Another similar attack uncovered by HP involved users receiving an email that appeared to come from a parcel delivery service. The email requested payment via a QR code, further highlighting the versatility of these quishing campaigns.

According to Schläpfer, the use of QR codes serves as a way to lead users from desktop or laptop devices, which typically have better antiphishing protections, to mobile devices that may have weaker defenses. While the discovered campaign focused on soliciting individuals’ financial information, threat actors could potentially use QR code phishing to distribute mobile malware or steal enterprise login credentials. Schläpfer stated that it is highly likely that QR phishing is happening on a wider scale using various methods.

Email security vendor Abnormal Security has also identified a quishing campaign that uses QR codes to bypass email security gateways, which typically scan text for URLs. The goal of this campaign was to steal users’ Microsoft login credentials.
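The gap described above, as an added example that is not code from HP, Abnormal Security, or any gateway product: a text-only URL scan finds nothing in a message whose lure sits in an image inside a Word attachment, while unpacking the attachment lists the images that need QR decoding. The function names and the sample message are constructed for illustration, and the decoding step itself (which needs an image library) is assumed to happen downstream.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical helper names; the sample message below is constructed.
URL_RE = re.compile(r"https?://[^\s<>]+", re.I)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")

def text_urls(msg):
    """URLs a text-only gateway scan would see in the message bodies."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            urls += URL_RE.findall(part.get_content())
    return urls

def qr_candidates(msg):
    """(attachment name, image name) pairs that should go to a QR decoder."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "image":
            found.append((name, name))
        elif zipfile.is_zipfile(io.BytesIO(data)):  # .docx is a ZIP container
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                found += [(name, n) for n in z.namelist()
                          if n.startswith("word/media/") and n.lower().endswith(IMAGE_EXT)]
    return found

def build_sample():
    """Constructed sample: body text with no URL, .docx carrying one image."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG placeholder, not a real QR code")
    msg = EmailMessage()
    msg["Subject"] = "Subsidy notice"
    msg.set_content("Scan the code in the attached document with your phone.")
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notice.docx")
    return message_from_bytes(msg.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    m = build_sample()
    print("URLs visible to text scan:", text_urls(m))
    print("Images to pass to a QR decoder:", qr_candidates(m))
```

Any URL recovered from those images can then go through the same reputation and rewriting checks the gateway already applies to links in the message text.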

The use of QR codes in quishing attacks has increased due to the growing popularity of QR codes for low-contact transactions during the COVID-19 pandemic. Legitimate organizations, such as restaurants, now utilize QR codes to provide online menus instead of physical copies. Additionally, digital wallets use QR codes for contactless payments. As users have become more familiar with interacting with QR codes, the opportunities for quishing attacks have expanded.

The Better Business Bureau (BBB) has warned consumers about a common scam that involves fraudulent QR codes on parking meters. These codes trick individuals into sharing their financial credentials when attempting to pay for parking. QR code scams can be encountered in emails, text messages, signage, direct mail, and even in person from criminals posing as utility workers or government employees.

While many quishing attacks have targeted individual consumers, enterprises and their employees are also at risk. Email-based QR phishing campaigns, similar to the ones discovered by HP and Abnormal Security, can target business accounts for credential theft or malware distribution.

To prevent quishing attacks, organizations should provide security awareness training that includes best practices such as not scanning QR codes from unfamiliar sources and confirming the legitimacy of a QR code via a separate medium. Users should also stay alert for phishing campaign red flags and carefully review the URL preview of a QR code before opening it. Good password hygiene, such as frequently changing email passwords and using unique passwords for each account, is also essential.

Organizations should consider implementing additional security controls to combat various types of phishing attacks. These measures can help mitigate the damage caused by successful attacks.
