
By Andy Swift, Cyber Security Assurance Technical Director at Six Degrees
Since they first appeared in the 1990s, quick response (QR) codes have rapidly become intertwined in our daily lives. Used today for everything from ordering food to paying for parking or undertaking virtual tours at a museum exhibition, QR codes make it convenient and easy to access digital information using a smartphone camera. However, just as with any other widespread technology, it’s no surprise that cybercriminals have now begun to exploit them.
News stories about members of the public who have been scammed when they scanned a malicious QR code in public spaces are becoming commonplace. However, this type of fraud is relatively small compared to the more targeted types of cyber fraud now being directed at UK businesses.
As cybercriminals hone and evolve their phishing tactics, they have begun sending out emails with phony QR codes designed to trick people into providing sensitive information or downloading malware. With these so-called quishing attacks on the rise, organisations will need to take steps to counter this sophisticated new attack trend.
What is ‘quishing’ and what is it being used for?
QR phishing, or quishing, works like a standard phishing attack except that the malicious link is hidden in a QR code rather than in a clickable email link. A QR code is nothing more than encoded text; the scanner app decides what to do with it. When the recipient scans the code with their phone, the embedded URL is opened and they are redirected to a malicious website that may request credentials or other sensitive information, or serve malware. The payload need not be a web link at all: QR codes can carry other URI schemes (for example a pre-filled mailto: or SMS message, or Wi-Fi network details) that prompt the phone to compose a message or join a network, which can be used to push a phishing message on to the victim's own contacts. All of this further compromises the victim and the organisation they work for.
As with phishing attacks, quishing attacks use social engineering tactics to establish a degree of trust while impressing the need for urgent action. An email could feature an urgent message stating that an employee will be unable to access their data or applications unless they scan and confirm their identity. Alternatively, printed leaflets and brochures featuring offers that can be accessed with a quick scan of a QR code can be sent through to an organisation for distribution or collection from the front desk.
What’s prompting scammers and hackers to use quishing?
Cybercriminals have become adept at exploiting everyday tools to convince employees to reveal confidential information or execute fraudulent transactions, and this attack strategy is fast gaining in popularity for a number of reasons.
Because the malicious URL exists only as pixels in an embedded or attached image, rather than as text or an HTML link in the message body, a QR code can slip past basic email scanners and URL filters that do not decode images. Added to this, users typically scan QR codes with their own personal phones, which sit outside the corporate network and lack the endpoint protection, web proxying and URL filtering that would otherwise detect or block the compromise.
Cybercriminals also need no technical skill to produce a QR code: any free generator will turn a link into an image. In physical settings they can simply stick a fake QR code over a legitimate one on a poster, menu or parking meter.
Finally, the general public is so used to scanning codes with their phones that most will think nothing of scanning one and logging into a service without exercising any caution. People tend to treat their phone as a safety blanket, somehow immune to the attack vectors they have been trained to watch for on a laptop.
A versatile attack method
Capable of being delivered via email, texts, WhatsApp messages, social media posts, and websites, as well as printed copy, the sheer versatility of QR codes is making them the attack vector of choice for a growing number of cybercriminals.
In recent months, attackers have become increasingly inventive and are now delivering quishing lures via video conferencing apps. They are also combining QR codes with attacker-in-the-middle (AitM) phishing kits: the code sends the victim to a reverse proxy that relays the real login page, so the victim completes multi-factor authentication as normal while the attacker captures the resulting session token and reuses it, sidestepping MFA altogether.
Aware that general awareness of quishing is still low, so that few employees will be on their guard, attackers are keen to leverage people's inherent trust in QR codes to swerve cyber security defences and carry out their malicious activities.
Key mitigation steps
Personnel across the enterprise need to be alerted to this threat, and organisations need to deliver education and training on what quishing is and on the importance of treating QR codes with the same degree of suspicion and caution as dubious-looking email links. Staff should also be informed of the risks they face outside work whenever they scan a QR code in a public place. Using a scanner app that previews the decoded link before opening it is an essential precaution: it lets the user check the scheme, the domain and any redirect parameters before anything is loaded, rather than having the phone open an unknown site the moment the code is recognised.
Organisations should also review their email filtering, URL filtering and endpoint protection to ensure they are up to date and capable of blocking phishing emails that carry suspect QR codes before they reach a recipient. Email security that decodes QR images and runs the extracted URL through the same reputation and sandbox checks as a text link closes the image-based blind spot. Should a user open a malicious link anyway, endpoint protection on managed devices should block the download or execution of malware, and scanners can be used to identify and remove any active or dormant malware afterwards.
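The "preview before you open" step for users and the "decode, then filter" step for mail pipelines both come down to vetting the text a QR code decodes to. The following is an added example, not code from the article or from Six Degrees, of that vetting stage in Python: it classifies a decoded payload (URL, device action such as mailto:/Wi-Fi, or plain text), parses any URL with the standard library, and returns the reasons a user or filter should pause. Image decoding itself is left to a QR library; the shortener list, brand allowlist and sample payloads are constructed assumptions for illustration.

```python
"""Vet the text decoded from a QR code before acting on it.

Added example (not from the article or Six Degrees). A QR code is just
encoded text and the scanner decides what to do with it; this helper sits
between "decode" and "open". The lists below are assumptions for the demo.
"""
from urllib.parse import urlsplit, parse_qs
import ipaddress
import re

# Schemes that make the phone do something other than open a web page.
ACTION_SCHEMES = {"mailto", "sms", "smsto", "tel", "wifi", "geo", "intent", "market"}

# Assumed list of shortener hosts; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Assumed brand keywords and the registrable domains they legitimately use.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "paypal": {"paypal.com"},
}

URL_IN_QUERY = re.compile(r"https?%3a%2f%2f|https?://", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the sample hosts here;
    a production filter would use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def vet_qr_payload(payload: str) -> dict:
    """Return {'kind', 'target', 'risk', 'reasons'} for a decoded QR payload."""
    reasons = []
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""

    if scheme in ACTION_SCHEMES:
        # e.g. mailto:...?body=... pre-fills a message; WIFI:T:WPA;S:..;P:..;; joins a network
        reasons.append(f"'{scheme}:' payload triggers a device action (message, call, Wi-Fi join), not a web page")
        return {"kind": "action", "target": text, "risk": "review", "reasons": reasons}

    if scheme not in ("http", "https"):
        return {"kind": "text", "target": text, "risk": "low", "reasons": ["plain text, no URL"]}

    parts = urlsplit(text)
    host = parts.hostname or ""
    if parts.username or "@" in parts.netloc:
        reasons.append("userinfo in URL: the text before '@' is not the site you will visit")
    if scheme == "http":
        reasons.append("plain http: no TLS, page and submitted credentials can be altered or read in transit")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("internationalised/punycode hostname: possible homoglyph lookalike")
    reg = registrable_domain(host)
    if reg in SHORTENER_HOSTS:
        reasons.append(f"URL shortener ({reg}): final destination hidden until followed")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            reasons.append(f"'{brand}' appears in hostname but registrable domain is {reg}")
    for key, values in parse_qs(parts.query).items():  # parse_qs already percent-decodes
        if any(URL_IN_QUERY.search(v) for v in values):
            reasons.append(f"query parameter '{key}' carries another URL: possible open-redirect chain")
    if len(text) > 200:
        reasons.append("very long URL: hard to preview on a phone screen")

    risk = "high" if len(reasons) >= 2 else "review" if reasons else "low"
    return {"kind": "url", "target": f"{scheme}://{host}{parts.path}", "risk": risk, "reasons": reasons}


# Constructed sample payloads, as a scanner's preview step might see them.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft.com@203.0.113.7/verify",
    "http://microsoft-login-verify.example/mfa?next=https%3A%2F%2Fportal.example%2Fhome",
    "https://bit.ly/3abcdef",
    "mailto:all-staff@example.com?subject=Urgent%20action&body=Scan%20to%20verify",
    "WIFI:T:WPA;S:FreeLobby;P:hunter2;;",
    "Table 12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = vet_qr_payload(sample)
        print(f"{verdict['risk']:6} {verdict['kind']:6} {verdict['target']}")
        for reason in verdict["reasons"]:
            print("       -", reason)
```

The same function serves both places in the pipeline: a scanner app can show `target` and `reasons` to the user before opening anything, and a mail gateway can run it over URLs extracted from decoded QR images and quarantine messages scoring `high`. The userinfo check matters most on a phone, where the address bar truncates and `https://microsoft.com@203.0.113.7/` reads as a Microsoft link.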
To mitigate the risk of physical codes sent in the post, ensure that processes are in place to support anyone responsible for opening mail to report and check any mail received containing QR codes. Digital mailrooms should also have systems in place to spot potentially malicious QR codes.
As cybercriminals adapt their methods, organisations should review and adjust their defence strategies and make sure they deliver security training that ensures everyone stays vigilant. Doing so will enhance the ability of the organisation to withstand quishing attacks and prevent cybercriminals gaining direct access into the company’s systems.