
Phishing, and the consequences of falling for a fraudulent email, can be devastating for a company. Fraudulent emails (phishing), text messages (smishing) and voice calls (vishing) are remarkably effective at tricking users into responding or giving out information, including login credentials.
And now, we have quishing to worry about.
Quishing is a type of phishing attack that uses a QR (quick response) code the same way a phishing email uses a link: to disguise a malicious destination.
A QR code is a kind of two-dimensional barcode that holds encoded data in a graphical black and white pattern. The data a QR code stores can include URLs, email addresses, network details, Wi-Fi passwords, serial numbers, and more.
The term “quick response” refers to how quickly a code can be scanned to retrieve the data it holds. Legitimate QR codes are routinely sent by email, so attackers embed malicious ones in phishing emails, where they blend in with the legitimate ones.

QR codes are not inherently dangerous, but they are easy for scammers to abuse: to the human eye every QR code looks alike, so a malicious code is indistinguishable from a legitimate one. A malicious code can send you to a spoofed website that serves malware or steals sensitive data such as passwords and credit card numbers.
Quishing Scam Examples
Mobile devices are generally less well protected than workstations on a company network, and a QR code is almost always scanned with a phone. That makes QR codes an attractive attack vector, especially in BYOD environments.

Scammers trick mobile device users into scanning QR codes that direct them to fake Microsoft 365 login portals and harvest their credentials. The stolen credentials are then used to take over the user’s network account.
Just as important, many current email security solutions do not inspect QR codes the way they inspect website URLs. With a QR code, no URL appears in the body of the email, so URL-based scanning has nothing to check, and most email security scans are ineffective against this technique.
Quishing Mitigation and Countermeasures
Preventing phishing attacks begins with defense in depth.
The first layer of protection for most enterprises is the mail server, the point at which internet email enters the organization.
Configuring the mail server to filter unwanted email, or placing a dedicated platform such as a spam gateway in front of it, serves this purpose. It will not stop every phishing email, but it strips away a share of the unwanted traffic.
Secondly, awareness training for end users is imperative. End users should be trained to detect phishing emails and to interact with all email with a healthy degree of skepticism.
Phishing emails are designed to capture the attention of a prospective victim, and there are many common themes that attempt to do this:
- A reference to an invoice (with an attachment).
- A request for personal information.
- A report of “suspicious activity” or login attempts on an account the victim may have.
- A reference to a payment (especially a late payment), with links provided to pay.
- A coupon or discount on products or services that the victim may be interested in.
- A government refund.
Other indicators of a potential phishing attempt include a suspicious sender’s address, generic greetings, spoofed links, improper grammar and spelling, and suspicious attachments.
The third layer of protection is multi-factor authentication (MFA), and it is essential: it protects against the use of stolen credentials, which is often the immediate goal of a phishing attack. Note that MFA based on one-time codes or push approvals can still be defeated when the phishing page proxies the real login in real time, so phishing-resistant methods (FIDO2 security keys or passkeys) are preferable where they are available.
MFA will not, however, prevent malware from being dropped on a victim’s system.
These tips should be added to user safe email handling training:
- Do not scan randomly found QR codes.
- Be suspicious if a site scanned from a QR code asks for a password or other login info.
- Do not scan QR codes received in emails or text messages unless you know they are legitimate. Confirm with the sender by calling a number you already have, not one given in the message.
Some scammers physically paste bogus codes over legitimate ones in public places. If a code looks as though it has been tampered with, do not use it. The same caution applies to codes printed on flyers and advertisements that you pick up or receive in the mail.
How to Analyze Reported Quishing
If you are part of a security team, or working as a security analyst, and receive a report from an employee about a suspicious email containing a QR code, approach it with caution. Scanning the QR code directly with your phone is not advisable: the URL it contains is unknown and potentially harmful, and scanning it on a phone both follows the link and does so outside your monitored environment.
Nevertheless, the analyst needs to understand the nature of the attack, both to prevent similar attacks in future and to hunt for instances where it has already succeeded within the organization.
To do that, determine where the QR code leads, and do so safely.
Here are two steps you can take to investigate a potential quishing attack:
- Extract the images from the reported email.
  - Download every image from the reported email separately, including images embedded in attached PDF files and in forwarded .eml or .msg files; a report that was forwarded to you will usually carry the original message as one of these.
- Safely scan the images for QR codes and extract the URLs.
  - Scan every image with a decoder that only extracts the encoded content and never opens it: an offline tool such as zbarimg, or a third-party decoding service such as qrcoderaptor.com if you accept that the image leaves your environment. Record the decoded URL in defanged form (hxxps://, [.]) so that nobody follows it by accident, and examine the destination only from an isolated analysis system, never from a phone or your workstation browser.
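The two steps above as an added worked example, not code from the original article: a Python script that parses a reported .eml with the standard library, pulls every image out of it (including images inside a forwarded message/rfc822 part or an attached .eml), hands each one to an optional local decoder (pyzbar and Pillow, an assumed dependency) instead of a phone, and then parses and defangs the decoded payload without ever fetching it. The brand allowlist, the keyword lists and the sample report are constructed assumptions, and the embedded PNG bytes are placeholders rather than real QR codes, so the triage logic is exercised on constructed payload strings.

```python
"""Offline triage of a reported quishing email.

Added example, not code from the original page. Assumptions (not stated on the
page): the report is available as an .eml file, QR decoding is done by an
optional local decoder (pyzbar + Pillow) rather than a phone, and decoded URLs
are only parsed and defanged, never fetched.
"""
import email
import email.policy
import io
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumed brand allowlist: hosts under these domains are treated as the real
# Microsoft 365 login infrastructure; any other host carrying a brand token is flagged.
LEGIT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")
BRAND_TOKENS = ("microsoft", "office", "365")
LOGIN_TOKENS = ("login", "signin", "password", "auth")
REDIRECT_TOKENS = ("redirect", "url=", "next=")


def extract_images(raw, depth=0, max_depth=4):
    """Return (images, skipped). images holds (filename, bytes) for every image
    part, including those inside forwarded message/rfc822 parts and inside .eml
    files attached as opaque data; skipped lists attachments that need another
    tool first (PDFs: pdfimages; Outlook .msg: an OLE parser)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    images, skipped = [], []
    for part in msg.walk():  # walk() already descends into message/rfc822 parts
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if part.get_content_maintype() == "image":
            images.append((name or f"inline_{len(images)}.bin", part.get_payload(decode=True)))
        elif name.lower().endswith(".eml") and ctype != "message/rfc822" and depth < max_depth:
            inner, inner_skipped = extract_images(part.get_payload(decode=True), depth + 1, max_depth)
            images.extend(inner)
            skipped.extend(inner_skipped)
        elif ctype == "application/pdf" or name.lower().endswith((".pdf", ".msg")):
            skipped.append(name or ctype)
    return images, skipped


def decode_qr(image_bytes):
    """Decode QR payloads from an extracted image locally. pyzbar and Pillow are
    an assumed optional dependency; the decoded content is returned as text and
    never opened."""
    try:
        from PIL import Image
        from pyzbar.pyzbar import decode
    except ImportError as exc:
        raise RuntimeError("install pyzbar and Pillow, or run zbarimg on the saved file") from exc
    return [d.data.decode("utf-8", "replace") for d in decode(Image.open(io.BytesIO(image_bytes)))]


def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_payload(payload):
    """Classify one decoded payload without following it. Flags are prompts for
    the analyst, not verdicts: a genuine login page also has a login-like path."""
    p = urlsplit(payload)
    if p.scheme not in ("http", "https"):
        return {"kind": "non-url", "scheme": p.scheme or "none", "flags": []}
    host = (p.hostname or "").lower()
    flags = []
    if p.scheme == "http":
        flags.append("cleartext http")
    if any(t in (p.path + "?" + p.query).lower() for t in LOGIN_TOKENS):
        flags.append("login-like path")
    if any(t in host for t in BRAND_TOKENS) and not _under(host, LEGIT_SUFFIXES):
        flags.append("brand name in lookalike host")
    if any(t in p.query.lower() for t in REDIRECT_TOKENS):
        flags.append("redirect parameter")
    # Defang the whole string so it cannot be clicked when pasted into a ticket.
    defanged = payload.replace("http", "hxxp").replace(".", "[.]")
    return {"kind": "url", "host": host, "defanged": defanged, "flags": flags}


def build_sample_eml():
    """Constructed sample report: one image attached directly, one inside a
    forwarded message (message/rfc822), one inside an .eml attached as
    octet-stream, plus a PDF. The PNG bytes are placeholders, not real QR codes."""
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    fwd1 = EmailMessage()
    fwd1["Subject"] = "Invoice attached"
    fwd1.set_content("Scan the code to view your invoice.")
    fwd1.add_attachment(fake_png, maintype="image", subtype="png", filename="qr1.png")
    fwd2 = EmailMessage()
    fwd2["Subject"] = "Late payment"
    fwd2.set_content("Scan the code to pay now.")
    fwd2.add_attachment(fake_png, maintype="image", subtype="png", filename="qr2.png")
    report = EmailMessage()
    report["Subject"] = "FW: suspicious email with QR code"
    report.set_content("Reporting this as requested.")
    report.add_attachment(fake_png, maintype="image", subtype="png", filename="qr0.png")
    report.add_attachment(fwd1)  # attached as message/rfc822
    report.add_attachment(fwd2.as_bytes(), maintype="application",
                          subtype="octet-stream", filename="fwd2.eml")
    report.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                          subtype="pdf", filename="invoice.pdf")
    return report.as_bytes()


if __name__ == "__main__":
    found, needs_tool = extract_images(build_sample_eml())
    print([name for name, _ in found], "skipped:", needs_tool)
    print(triage_payload("https://microsoft-0ffice365.example/login?redirect=https://portal.example"))
```

Images inside PDF or Outlook .msg attachments are reported in `skipped` rather than decoded; run pdfimages or an OLE parser on those first and feed the resulting files to `decode_qr`. Decoding on the analyst's machine keeps both the image and the URL inside the organization, which a third-party web decoder does not, and the defanged form is what goes into the ticket and the hunt query.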

