Phishing, and the effects of falling for a fraudulent email scam, can be devastating for
your company. Fraudulent emails (phishing), texts (smishing), and voice phishing
(vishing) are incredibly successful in tricking users into responding or giving out
information, sometimes even login credentials.
And now, we have quishing to worry about.
Quishing is a type of phishing attack that uses a QR (quick response) code in place of a
link to disguise the malicious destination.
A QR code is a kind of two-dimensional barcode that holds encoded data in a graphical
black and white pattern. The data a QR code stores can include URLs, email addresses,
network details, Wi-Fi passwords, serial numbers, and more.[1]
The term "quick response" refers to how quickly the code can be scanned and its data read.
Legitimate QR codes are frequently sent through email, so attackers embed malicious QR
codes in phishing emails, where they blend in with the expected ones.
QR codes are not inherently dangerous, but they are easy for scammers to abuse. To the
human eye, all QR codes look alike, so nothing about the image reveals where it leads. A
malicious QR code can send you to a spoofed website that drops malware or harvests
sensitive data such as passwords and credit card numbers.
Quishing Scam Examples
Generally, mobile devices aren't as well protected as workstations on a company
network: a personal phone that scans the code typically sits outside the corporate web
proxy and endpoint protection. This makes QR codes a very attractive attack vector,
especially in BYOD environments.
Scammers often trick mobile device users into scanning QR codes that direct them to
fake Microsoft 365 login portals to harvest their credentials.[1] The stolen credentials
are then used to take over the user's account on the corporate network.
Just as importantly, many current email security solutions do not inspect QR codes in
emails the way they inspect URLs. Because the destination is encoded in an image rather
than written as a link in the message body, there is no URL for a link scanner to extract,
rewrite, or check against a reputation list, so those scans never see it.
Quishing Mitigation and Countermeasures
Preventing phishing attacks begins with defense in depth.
The first layer of protection for any enterprise will likely be at its email server, the
point where internet mail enters the organization.
Ensure that the mail server is configured to filter unwanted email, or integrate an additional platform (such as a spam gateway filter) into your infrastructure for this purpose.[2] This won't stop every phishing email, but it strips away some unwanted traffic before users see it.
Secondly, awareness training for end users is imperative. End users should be trained to
recognize phishing emails and to treat all email with a healthy degree of skepticism.
Phishing emails are designed to capture a prospective victim's attention, and several
common themes recur:
A reference to an invoice (with an attachment).
A request for personal information.
A report of "suspicious activity" or login attempts on an account the victim may have.
A reference to a payment (especially a late payment), with links provided to pay.
A coupon or discount on products or services that the victim may be interested in.
A government refund.
Other indicators of a potential phishing attempt include a suspicious sender address, a
generic greeting, spoofed links (the visible text names one site while the link goes to
another), poor grammar and spelling, and unexpected attachments.
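To show how the indicators above translate into something a security team can automate, here is an added example, not code from the page's sources: a small Python rule set run over a constructed .eml. The lure themes, greeting patterns and file-extension list are assumptions chosen for illustration, and the sample message is constructed.

```python
"""Phishing-indicator checks for a reported message (added example).
Keyword lists, greeting patterns and extension list are illustrative assumptions."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

LURE_THEMES = ("invoice", "suspicious activity", "login attempt", "payment",
               "past due", "coupon", "discount", "refund", "verify your account")
GENERIC_GREETING = re.compile(
    r"^\s*(?:dear|hello|hi)\s+(?:customer|user|member|account holder|sir/madam)\b",
    re.I | re.M)
RISKY_EXTENSIONS = (".html", ".htm", ".js", ".vbs", ".lnk", ".iso", ".exe", ".scr", ".bat")
# Only link text that itself looks like a host or URL can "spoof" a destination.
HOST_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def first_address(msg, header):
    """(display_name, domain) of the first address in a header, or ('', '')."""
    value = msg[header]
    if value is None or not getattr(value, "addresses", ()):
        return "", ""
    addr = value.addresses[0]
    return addr.display_name, addr.domain.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def spoofed_links(html):
    """Anchors whose visible text names one host while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        if not HOST_LIKE.match(text):
            continue  # "Click here" promises no destination, so nothing is spoofed
        shown = urlsplit(text if "://" in text else "//" + text).hostname
        actual = urlsplit(href).hostname
        if shown and actual and shown != actual:
            hits.append((text, href))
    return hits


def phishing_indicators(eml_bytes):
    """Return the names of the indicators that fire for one message."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    hits = []
    from_name, from_domain = first_address(msg, "From")
    _, reply_domain = first_address(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        hits.append("reply_to_domain_mismatch")
    # '"ceo@corp.example" <attacker@freemail.example>': the name is not the sender
    if "@" in from_name and from_name.rpartition("@")[2].lower() != from_domain:
        hits.append("display_name_impersonates_address")
    plain = msg.get_body(preferencelist=("plain",))
    text = plain.get_content() if plain else ""
    if GENERIC_GREETING.search(text):
        hits.append("generic_greeting")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part and spoofed_links(html_part.get_content()):
        hits.append("spoofed_link")
    haystack = (str(msg["Subject"] or "") + "\n" + text).lower()
    themes = [t for t in LURE_THEMES if t in haystack]
    if themes:
        hits.append("lure_theme:" + ",".join(themes))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append("risky_attachment:" + name)
    return hits


def build_sample():
    """Constructed lure: impersonating display name, foreign Reply-To, generic
    greeting, link text that disagrees with its href, and an .html attachment."""
    msg = EmailMessage()
    msg["From"] = '"accounts@example.test" <billing-notice@mailer-example.net>'
    msg["Reply-To"] = "collections@freemail-example.net"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "Past due invoice - payment required today"
    msg.set_content("Dear Customer,\n\nYour invoice is past due. Pay at "
                    "https://billing.example.test/pay\n")
    msg.add_alternative(
        "<p>Dear Customer,</p><p>Your invoice is past due. Pay at "
        '<a href="http://billing-example-secure.net/pay">https://billing.example.test/pay</a></p>',
        subtype="html")
    msg.add_attachment(b"constructed, not a real file", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.html")
    return msg.as_bytes()


if __name__ == "__main__":
    print(phishing_indicators(build_sample()))
```

None of these rules is conclusive on its own; a legitimate newsletter can use a generic greeting and a different Reply-To. Their value is as a triage score over a reported message and as concrete things to point at in awareness training.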
The third layer of protection is multi-factor authentication, and it's essential. It
protects against the use of stolen credentials, which is often the initial goal of a
phishing attack. MFA will not, however, prevent malware from being dropped on a victim's
system,[2] and one-time-code MFA can still be relayed by a phishing site that proxies the
real login page, so prefer phishing-resistant methods where the platform offers them.
Add these tips to safe email handling training:
Do not scan randomly found QR codes.
Be suspicious if a site scanned from a QR code asks for a password or other login info.
Do not scan QR codes received in emails or text messages unless you know they are legitimate. Confirm with the sender by phone, using a number you already have rather than one given in the message.
Some scammers are physically pasting bogus codes over legitimate ones. If a code looks as
though it has been tampered with, do not use it. The same caution applies to legitimate
ads that you pick up or receive in the mail.
How to Analyze Reported Quishing
If you're on a security team or working as a security analyst and an employee reports a
suspicious email containing a QR code, approach it with caution. Do not scan the QR code
with your phone: the URL it contains is unknown and potentially harmful, and a personal
phone is exactly the unmanaged device the attacker is counting on.
Nevertheless, as a security analyst you need to dig deeper to understand the nature of
the attack, both to prevent similar attacks and to hunt for ones that have already
succeeded within the organization.
That means working out where the QR code leads, and doing so safely.
Here are two steps you can take to investigate a potential quishing attack:
Extract images from the reported email.[3]
Download every image from the reported email separately. This includes images embedded in attached PDF files and in forwarded .eml or .msg files, which matters most when the email was forwarded to you rather than reported from the original mailbox.
Scan the images for QR codes and extract the URLs without visiting them.[3]
Decode each image with a QR reader that only shows the result, such as a third-party QR decoding service like qrcoderaptor.com, and record the decoded URL instead of following it. This prevents unintended exposure to malicious content. Bear in mind that uploading a reported email's images to an outside service discloses them beyond your organization; a local decoder (the zbar library, for example) avoids that and can be scripted.
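The two steps above, and the gap noted earlier (a gateway never sees a URL that exists only inside an image), can be scripted so the analyst never touches the link. The following is an added example, not code from the cited write-ups or any product: it walks the reported .eml including forwarded message/rfc822 parts, hashes every image, decodes QR codes locally with zbar when the pyzbar and Pillow packages are installed (an assumption), and reports destinations in defanged form. The sample report and its placeholder image bytes are constructed, so a stand-in decoder takes the place of zbar in the demonstration.

```python
"""Quishing triage helper (added example, not from the cited write-ups).
Assumes pyzbar + Pillow for real decoding; the sample below uses constructed
placeholder bytes and a stand-in decoder so it runs offline."""
import email
import hashlib
import io
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit, urlunsplit

IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp", "image/webp"}


def iter_images(msg, path="root"):
    """Yield (mime_path, filename, raw_bytes) for every image part.

    message/rfc822 is tested before is_multipart() because a forwarded .eml also
    reports itself as multipart; recursing into it is what finds the QR image the
    user forwarded as an attachment rather than inline."""
    if msg.get_content_type() == "message/rfc822":
        for i, nested in enumerate(msg.get_payload()):
            yield from iter_images(nested, f"{path}/fwd{i}")
    elif msg.is_multipart():
        for i, part in enumerate(msg.get_payload()):
            yield from iter_images(part, f"{path}/{i}")
    elif msg.get_content_type() in IMAGE_TYPES:
        yield path, msg.get_filename() or "(inline)", msg.get_payload(decode=True)


def zbar_decoder(image_bytes):
    """Decode QR payloads locally with zbar (assumes pyzbar and Pillow are installed)."""
    from PIL import Image
    from pyzbar.pyzbar import ZBarSymbol, decode
    image = Image.open(io.BytesIO(image_bytes))
    return [sym.data.decode("utf-8", "replace")
            for sym in decode(image, symbols=[ZBarSymbol.QRCODE])]


def defang(payload):
    """Make an http(s) URL unclickable: hxxp scheme, bracketed dots in the host.
    Non-URL payloads (WIFI:, otpauth:, plain text) are returned unchanged."""
    parts = urlsplit(payload)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return payload
    return urlunsplit((parts.scheme.replace("http", "hxxp"),
                       parts.netloc.replace(".", "[.]"),
                       parts.path, parts.query, parts.fragment))


def triage(eml_bytes, decoder=zbar_decoder):
    """One finding per image: where it sits in the MIME tree, its SHA-256 (a pivot
    for hunting the same lure in other mailboxes), and any decoded destinations."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    findings = []
    for mime_path, filename, data in iter_images(msg):
        payloads = decoder(data)
        findings.append({
            "part": mime_path, "filename": filename,
            "sha256": hashlib.sha256(data).hexdigest(),
            "hosts": [urlsplit(p).hostname for p in payloads
                      if urlsplit(p).scheme in ("http", "https")],
            "defanged": [defang(p) for p in payloads],
        })
    return findings


# Constructed placeholder "images": a PNG signature plus a tag. They will not decode
# with zbar; the stand-in decoder maps them to sample payloads instead.
FAKE_QR_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-qr-placeholder"
FAKE_LOGO_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-logo-placeholder"
STAND_IN_PAYLOADS = {
    FAKE_QR_PNG: ["https://login.microsoftonline.example.test/common/oauth2/v2.0/authorize?client_id=1"],
    FAKE_LOGO_PNG: [],
}


def stand_in_decoder(image_bytes):
    """Test double for zbar_decoder, keyed on the placeholder bytes."""
    return STAND_IN_PAYLOADS.get(image_bytes, [])


def build_sample_report():
    """Constructed: an employee forwards the lure as an .eml attachment; the lure
    carries the QR image as an attachment, and the report itself carries a logo."""
    lure = EmailMessage()
    lure["From"] = "IT Helpdesk <helpdesk@example.test>"
    lure["To"] = "employee@example.test"
    lure["Subject"] = "Action required: re-enroll MFA within 24 hours"
    lure.set_content("Scan the attached code with your phone to keep your account active.")
    lure.add_attachment(FAKE_QR_PNG, maintype="image", subtype="png", filename="mfa-enroll.png")
    report = EmailMessage()
    report["From"] = "employee@example.test"
    report["To"] = "soc@example.test"
    report["Subject"] = "FW: Action required: re-enroll MFA within 24 hours"
    report.set_content("This looks odd, forwarding as requested.")
    report.add_attachment(FAKE_LOGO_PNG, maintype="image", subtype="png", filename="logo.png")
    report.add_attachment(lure)  # becomes a message/rfc822 part
    return report.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_report(), decoder=stand_in_decoder):
        print(finding)
```

Keep the SHA-256 of each image: the same QR image usually goes to many recipients, so searching the mail store by hash turns up copies the reporter never saw. Decoding locally also keeps the reported content inside the organization, which a third-party web decoder does not, and the defanged form can be pasted into a ticket without anyone's mail client turning it back into a live link.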
References
“QR codes used to phish for Microsoft credenti…” Malwarebytes. 21 August 2023
“Quishing Triage 101: How to Investigate Suspicious Q…” Intezer. 4 October 2023
“QR Code-Based Phishing (Quishing) as a Threat to the…” HHS. 23 October 2023
“Explained: Quishing” Malwarebytes. 13 October 2023