Social engineering attackers keep adapting their lures, and one of their newer techniques is quishing, or QR code phishing.
Quishing attacks deceive recipients into scanning a QR code that contains malicious content. Victims who scan a legitimate-looking QR code get redirected to a phishing website or download malware.
Attackers also layer obfuscation on top of the QR code, for example by placing it inside an encrypted or password-protected attachment that a gateway cannot open, and put CAPTCHA-style "prove you are human" checks in front of the landing page. Both steps make the lure look more legitimate to the recipient while keeping automated URL scanners away from the credential-harvesting page.
The ever-increasing incidents of quishing
After COVID-19, businesses adopted QR codes to enable low-contact transactions: digital wallets, restaurant menus and similar uses made them a familiar part of daily life. As users grew accustomed to scanning codes without a second thought, quishing incidents rose with them.
Quishing attacks have risen sharply of late. A ReliaQuest study of 2023 incidents reports a 51% increase in quishing attacks in September 2023 over the cumulative figure for January to August 2023. This added pressure lands on email defences that were already fragile.
Most quishing attacks target individual consumers, but attackers have increasingly begun targeting companies and their senior employees.
Cybercriminals run quishing campaigns for financial fraud, malware distribution and credential theft. For enterprises, a successful quishing scam can compromise sensitive customer data, bringing reputational damage, regulatory fines and the likely loss of customers.
Why is quishing so deadly
Quishing is much more dangerous than conventional forms of phishing for several reasons:
For a phishing email to succeed, it first has to get past the spam and security filters. Most email security filters cannot detect or decode QR codes: they inspect text, URLs and attachment types, and a QR code is just an image. Its pixels mean nothing to a text-based scanner, yet once decoded they resolve to a URL. Because the malicious link never appears as text in the message, attackers who embed it in a QR code slip past such gateways unless the gateway decodes images and submits the resulting URL to the same checks as a visible link.
At the end-user level, QR codes move the interaction from a managed desktop or laptop to a mobile phone with weaker anti-phishing protection. Managed corporate devices warn, block or sandbox the user when a malicious link is opened; most people scan QR codes with a personal phone that has none of those controls, and a mobile browser's narrow address bar shows only a fragment of the URL, which makes a lookalike domain harder to spot.
Conventional email phishing also depends on getting the user to click a link in the email. Awareness of email phishing is now widespread, and users are harder to fool than they once were. Quishing is far less known, so it is still easy to persuade users to scan a code, and the codes are trivial to distribute: attackers place them in newspapers and magazines and on posters and flyers in public places.
Quishing in action
Instances of quishing have been on the rise of late; security researchers observe email-based quishing activity almost daily. The bulk of these attacks impersonate online banking pages: users who scan the attacker's QR code are redirected to a spoofed banking site, and their account details and login credentials are stolen.
The Better Business Bureau (BBB) lists fraudulent QR code stickers on parking meters as a common scam. Drivers who try to pay for parking through such a code hand their payment details to the scammers. Criminals have even posed as utility workers or government officials presenting a QR code to collect a fee.
One widely reported quishing campaign involved Microsoft two-factor authentication resets. Recipients received what looked like a support ticket notification asking them to reactivate their multi-factor authentication. Victims who scanned the accompanying QR code were taken to a spoofed login page and asked for their Microsoft email address and password. The scam fooled even well-informed users because the attackers spoofed the sender display name to include the name of the targeted managed service provider (MSP) and embedded the Microsoft logo to lend credibility.
Another high-profile attack in 2022 used a fake Chinese-language document purporting to come from the Chinese Ministry of Finance. It told recipients they were eligible for a new government-funded subsidy, which could be claimed by scanning the accompanying QR code. The code led to an attacker-controlled site that collected personal and financial information.
In a similar attack, users received an email purporting to come from a parcel delivery service, requesting payment via a QR code.
How to protect against quishing
At the individual level, the best defence against quishing is to scan QR codes only from trusted sources. Users should also:
- Always verify the origin of a QR code printed on physical material. Codes plastered in random places or out of context are usually quishing attempts.
- Look for signs of tampering, such as a sticker placed over an original code. Avoid scanning codes stuck on top of legitimate ones, especially on payment terminals or kiosks; such overlays are almost always redirection scams.
- Be wary of QR codes that promise unbelievable deals, free items or exclusive access, and of messages that pressure you with urgency.
- Use a trusted scanner app that previews the URL before opening it.
- If the QR code points to a website, check the previewed address for misspelt words or unfamiliar domain names before opening it.
At the enterprise level, basic controls such as URL allowlisting and blocklisting stop many of these attacks, provided the email gateway decodes QR codes in images first so that the hidden URL is actually visible to those filters. Multi-factor authentication and enforced password hygiene add a further layer; prefer phishing-resistant factors such as FIDO2 security keys or passkeys, because a lure that asks users to "re-enrol" MFA is designed to capture factors that can be phished.
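The decode-then-inspect step that text-only gateways lack, combined with the URL checks a careful user applies to a previewed link and an allowlist, as an added Python example; this is not code from the article or from any vendor it names. It assumes a pluggable QR decoder: `pyzbar_decoder()` wires in the real pyzbar and Pillow packages for production use, while `lookup_decoder()` is an offline stand-in that maps constructed image bytes to payload strings so the example runs without any QR library. The protected brand names, allowed domains, shortener list and the sample MFA-reset e-mail are illustrative assumptions.

```python
"""Gateway-side QR inspection: decode QR codes found in the image parts of an
e-mail and vet the URL each one carries. Added example, not from the article."""
import email
import email.policy
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Illustrative policy data (assumed, not from the article).
PROTECTED_BRANDS = ("microsoft", "paypal")           # names that lures imitate
ALLOWED_DOMAINS = {"microsoft.com", "login.microsoftonline.com", "paypal.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # destination is hidden
URL_RE = re.compile(r"^(?:https?://|www\.)", re.I)

def pyzbar_decoder():
    """Production decoder: image bytes -> list of QR payload strings. Needs the
    pyzbar and Pillow packages, imported lazily so the rest runs without them."""
    import io
    from PIL import Image
    from pyzbar.pyzbar import decode
    return lambda data: [s.data.decode("utf-8", "replace")
                         for s in decode(Image.open(io.BytesIO(data)))]

def lookup_decoder(table):
    """Offline stand-in for a decoder: maps constructed image bytes to payloads."""
    return lambda data: list(table.get(data, []))

def extract_qr_urls(raw_message, decode_image):
    """Walk every MIME part and decode the image parts. A gateway that inspects
    only text, links and attachment types never sees the URL in the pixels."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        for payload in decode_image(part.get_payload(decode=True)):
            if URL_RE.match(payload):
                urls.append(payload)
    return urls

def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels; production code would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def vet_url(url):
    """Reasons a decoded URL looks like a phishing destination ([] means clean)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host"]
    if host in ALLOWED_DOMAINS or registrable_domain(host) in ALLOWED_DOMAINS:
        return []                                     # allowlist wins
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label (possible homograph)")
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII label (possible homograph)")
    if parts.scheme == "http":
        reasons.append("plain http")
    if host in URL_SHORTENERS:
        reasons.append("URL shortener hides destination")
    reg = registrable_domain(host)
    tokens = [t for t in re.split(r"[-_.]", host) if len(t) >= 4]
    for brand in PROTECTED_BRANDS:       # exact or near-miss brand name in host
        hit = next((t for t in tokens if _levenshtein(t, brand) <= 2), None)
        if hit:
            reasons.append(f"'{hit}' in unapproved domain {reg} resembles '{brand}'")
    return reasons

def scan_message(raw_message, decode_image):
    """Gateway verdict: each QR-borne URL mapped to its list of risk reasons."""
    return {u: vet_url(u) for u in extract_qr_urls(raw_message, decode_image)}

def build_sample_message(image_bytes):
    """Constructed lure in the style of the MFA-reset e-mail described above."""
    m = EmailMessage()
    m["From"] = "IT Support <support@example.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "Action required: reactivate multi-factor authentication"
    m.set_content("Scan the attached QR code within 24 hours to keep your access.")
    m.add_attachment(image_bytes, maintype="image", subtype="png", filename="qr.png")
    return m.as_bytes()

if __name__ == "__main__":
    fake_png = b"\x89PNG placeholder (constructed, not a real image)"
    decoder = lookup_decoder({fake_png: ["https://rnicrosoft-login.com/mfa"]})
    for url, reasons in scan_message(build_sample_message(fake_png), decoder).items():
        print(url, "->", reasons or "clean")
```

Running the module decodes the constructed lure and reports the near-miss domain `rnicrosoft-login.com` as resembling `microsoft`. The Levenshtein near-miss check is deliberately loose (distance 2 on tokens of four characters or more) and the registrable-domain helper takes the last two labels only; production code would use the Public Suffix List and a curated brand list, and would still send unknown URLs on to reputation and sandbox checks rather than treating an empty reason list as proof of safety.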
The IT team must also stay informed about quishing threats and train employees to recognise and avoid them.
Effective protection requires a robust security platform that improves the enterprise's overall security posture. Many enterprises deploy a separate security tool for each class of threat and soon end up with tool sprawl and the overhead of managing multiple vendors. Hand-maintained layers of email configuration rules are no longer enough on their own to keep up with phishing.
Best-in-breed platforms such as Cloudflare offer an integrated solution that takes that load off enterprise IT security teams. Cloudflare uses a multifaceted approach to thwart quishing: its native image analysis identifies and decodes QR codes in real time, and the resulting URLs are assessed against its detection models to detect and block phishing attempts. The platform draws on a decade's worth of detection data to develop proactive computer vision models that offer a turnkey defence against the latest quishing threats.