Don't Fall for It: Defending Against Qishing Scams

Scan at Your Own Risk: QR Code as a Threat

QR codes that re-emerged into our lives during the COVID-19 pandemic have given rise to a new wave of advanced phishing attacks targeting thousands of organizations worldwide. These evasive threats also known as quishing (QR phishing), lure end users into scanning a QR code sent to them via email using their mobile device camera, redirecting them to malicious websites aiming to steal their login credentials, harvest financial information, or infect their devices with malware.

The Quishing Quandary: Phishing Evolved

In 2019, receiving an email containing a QR code would have likely raised some eyebrows, appearing strange and suspicious to the recipient. Fast forward to the year 2023, and the situation has dramatically changed. The widespread adoption of QR codes for everything from viewing restaurant menus to online payments and public transport apps has conditioned many of us to respond almost instinctively. The sight of a QR code in an email or text message acts like a “Pavlovian cue,” prompting us to unthinkingly reach for our phones, ready to scan.

This shift in human behavior was noticed by threat actors, who are now capitalizing on the “conditioned” trust in QR codes to launch increasingly sophisticated phishing attacks. Despite the fact that the core principles of phishing remain largely unchanged, quishing makes the threat more complex and much harder to detect. By hiding the malicious link behind a QR code, threat actors force the victims to move from a laptop or a desktop to their mobile devices, which in most cases have much weaker cyber defenses.

Quishing utilizes another psychological maneuver that greatly benefits the attackers and increases their success rates. Quishing moves the “playground” onto a mobile phone where the victims are primed for additional steps that involve their personal device. With the phone in their hands, the cognitive journey users must take for going through Multi-Factor Authentication (MFA) is significantly shorter, and the chances of the user inserting SMS verification codes, tapping a prompt on the screen or using biometric authentication (facial recognition or fingerprint scanning) are much higher.

Undetectable? The Deceptive Simplicity of Malicious QR Codes in Emails

Quick Response (QR) codes are essentially a graphical representation of data, mostly used to encode URLs, the process of converting a link into a QR code takes seconds and can be easily done by anybody with online access (there are hundreds of free QR generators available).

When a malicious URL is hidden behind a QR code, the link becomes an image file, not a clickable element. Traditional email security systems like secure email gateways (SEGs) and even the most modern email security solutions scan for suspicious links in the email body of the message to prevent phishing attacks (relying on domain reputation and other indicators), but may overlook embedded URLs within images or file attachments. Most security solutions are unable to extract and dynamically scan links from QR codes.

Quishing campaigns present a unique challenge to defenders. By embedding the phishing link within a QR code, the threat is effectively concealed, rendering security measures ineffective and allowing malicious emails to slip through and reach the inbox of targeted end users.

In addition to the technicalities involving the malicious URL delivery, threat actors often craft their QR codes, the look and feel of the email, and the associated phishing site to impersonate known and trusted brands. It is very common to see logos and domain names that mimic Microsoft or Google in quishing campaigns. Social engineering techniques also play a major role in quishing where cybercriminals employ scare tactics and incite urgency (“your password is about to expire”) to encourage the users to scan the QR code without questioning its legitimacy.

Quishing Impossible: a Look at Examples From the Wild

Perception Point’s security research team has observed a substantial increase in quishing campaigns over the last few months with 90% of the attacks targeting end users that operate within Microsoft 365 email environment. Let’s review 2 examples caught by Perception Point to better understand the modus operandi of threat actors that employ QR code attacks.

Quishing 1: QR Code Embedded Within the Email Body as an Image

Email subject: <COMPANY NAME>, Multi-Factor Auth
Sender display name: <COMPANY NAME> 2FA Security <noreply@COMPANY DOMAIN>

In this particular quishing campaign sent to multiple targets within many organizations, the threat actors impersonate Microsoft 365 and alert the end user about their “network password” that has expired. The message encourages the recipient to scan the QR code using their mobile camera for “connecting” MFA method to their Microsoft account. The sender’s name and email subjects were altered to fit the target company.

The text, logos and the QR code are actually a single image and the email body contains no textual data at all.

End users that would have fallen for the quishing scam and actually scan the code would have been presented with a Microsoft look-alike page that automatically redirects them to a fake login page aimed to steal their account credentials.

Quishing 2: QR Code Inside a PDF attachment

Email subject: <COMPANY NAME> 2FA Salary Report For <TARGET NAME> Completed August 22, 2023
Sender display name: Payroll UPDATE
File attachment name: 2FA <TARGET NAME> Salary Authenticator August 22, 2023.pdf

Here we have another quishing sample where the malicious QR code is hidden inside an attachment to the email – a PDF file. The social engineering behind this campaign revolves around the financial motivation of the targets. The email subject, sender’s name and the PDF file attached all indicate a vague requirement to complete some sort of Two-Factor authentication (2FA) regarding the target’s salary.

Preventing Quishing Starts with Actual Prevention

In the battle against quishing, many email security vendors tend to “beat around the bush,” offering insights and best practices that, while valuable, do not directly address the core issue of quishing, and assume that malicious QRs reaching the user’s inbox is inevitable. Common recommendations include security training for employees, Multi-Factor Authentication (MFA), and URL inspection.

Security Training: Human error remains a significant risk factor. Educating employees about the risks of quishing and how they can recognize potential threat indicators (“hey, don’t scan QR codes from emails”) is essential.

Multi-Factor Authentication: MFA adds an extra layer of security.

URL Inspection and Sender Anomaly: Traditional URL filters do not extract URLs hidden within QR codes, especially if they are embedded in images. Detecting anomalies is a good method but what if the malicious QR code is sent from a perfectly legitimate source? (e.g external account takeover).

With all the network defenses that organizations have in place, including firewall and web address filtering, qishing is still able to get through.

Sigler noted that most security controls around phishing attacks, such as secure email gateways and mail server antivirus scans, occur before the email lands in a victim’s inbox. As such, if a user clicks on or scans a malicious URL, it may already be too late to prevent compromise.

“While network URL filtering and antimalware will help with known malware and malicious web servers, it doesn’t help in many of these cases [of qishing]; for instance, where the user is directed to provide credentials to an attacker,” Sigler said.

So what should users do? For one, Sigler suggests that organizations be wary of QR codes in certain situations.

“I can’t think of a single valid reason a QR code should be embedded into an email outside of potentially an email signature,” Sigler said. “If you see a QR code in an email, do not scan it. This is especially true for emails where the sender is specifically asking you to scan the code.”