Quishing Alert: Experts Advise Caution Before Scanning QR Codes

Quick Response codes can be very convenient for traveling to websites, downloading apps, and viewing menus at restaurants, which is why they’ve become a vehicle for bad actors to steal credentials, infect mobile devices, and invade corporate systems.

“We are seeing an exponential uptick in targeted attacks against mobile devices, many of them phishing attacks,” observed Kern Smith, VP for Americas pre-sales at Zimperium, a mobile security company headquartered in Dallas.

“A large majority of phishing sites are targeted at mobile devices,” he told TechNewsWorld. “The reason attackers are doing that is they know mobile devices are most susceptible to phishing attacks.”

“QR phishing, or quishing, is a great attack vector for attackers because they can distribute a QR code widely, and a lot of corporate anti-phishing systems aren’t geared to scan QR codes, he said.

Reliaquest, a security automation, cloud security, and risk management company headquartered in Tampa, Fla., noted in a recent report that it saw a 51% rise in quishing attacks in September over the cumulative figure for the previous eight months.

“This spike is at least partially attributable to the increasing prevalence of smartphones having built-in QR code scanners or free scanning apps; users are often scanning codes without even a thought about their legitimacy,” it wrote.

Part of the Phishing Epidemic

Shyava Tripathi, a researcher in the Advanced Research Center of Trellix, maker of an extended detection and response platform in Milpitas, Calif., noted that phishing is responsible for over a third of all attacks and breaches.

“QR-code-based attacks aren’t new, but they’ve become increasingly prevalent in sophisticated campaigns targeting businesses and consumers, with Trellix detecting over 60,000 malicious QR code samples in Q3 alone,” she told TechNewsWorld.

Quishing is currently high on the agenda for many organizations, asserted Steve Jeffery, lead solutions engineer at Fortra, a global cybersecurity and automation company. “It represents a risk that can bypass existing security controls. Therefore, the protection relies on the recipient fully understanding the threat and not taking the bait,” he told TechNewsWorld.

Clicking on malicious URLs is still one of the top risks for account takeovers, he continued. He cited data from Fortra’s PhishLabs that showed in Q2 2023 that more than three-quarters of credential theft email attacks contained a link pointing victims to malicious websites.

“Quishing is merely an extension of these phishing attacks,” he said. “Instead of a hyperlink to a fraudulent or malicious website, the attacker uses a QR code to deliver the URL. Since most email security systems are not reading the contents of the QR codes, it is difficult to prevent the ingress of these messages, hence the rise in the prevalence of this type of attack.”

Quishing for Credentials

Mike Britton, CISO of Abnormal Security, a global provider of email security services, agreed that quishing is a growing problem. He cited Abnormal data that found that 17% of all attacks that bypass spam and junk filters use QR codes.

He added that his company’s data also shows that credential phishing accounts for about 80% of all QR code-based attacks, with invoice fraud and extortion rounding out the top three attack types.

“Leveraging QR codes is an attractive attack tactic for malicious actors because the resulting destination that the QR code sends the recipient to can be difficult to detect,” Britton told TechNewsWorld.

“Unlike traditional email attacks,” he continued, “there is minimal text content and no obvious malicious URL. This significantly reduces the amount of signals available for traditional security tools to detect and analyze in order to catch an attack.”

“Because they can easily evade both human detection and detection by traditional security tools, QR code attacks tend to work better than more traditional attack types,” he said.

Embedded QR Threats

Randy Pargman, director for threat detection at Proofpoint, an enterprise security company in Sunnyvale, Calif., maintained that the number one reason malicious actors prefer QR codes over regular phishing URLs or attachments is because people who scan QR codes usually do so on their personal phone, which probably isn’t monitored by a security team.

“That makes it challenging for companies to know which employees interacted with phishing messages,” he told TechNewsWorld.

He explained that QR code phishing scams are challenging to detect because the phishing URL isn’t easy to extract and scan from the QR code. Adding to the problem, he continued, is that most benign email signatures contain logos, links to social media outlets embedded within images, and even QR codes pointing to legitimate websites.

“So the presence of a QR code itself isn’t a sure sign of phishing,” he said. “Many legitimate marketing campaigns use QR codes, which can allow malicious QR codes to blend into the background noise.”

Nicole Carignan, vice president for strategic cyber AI at Darktrace, a global cybersecurity AI company, added that the increased use of QR codes in phishing attacks is the latest example of how attackers are pivoting to embracing techniques that can thwart traditional defenses with greater agility and efficiency.

“Traditional solutions scan for malicious links in easy-to-find places,” she told TechNewsWorld. “In contrast, finding QR codes within emails and determining their appropriate destination requires rigorous image recognition techniques to mitigate risks.”

Best Practices for QR Code Safety

Carignan noted that Darktrace research has found that quishing attacks are often accompanied by highly personalized targeting and newly created sender domains, further decreasing the likelihood of the emails being detected by traditional email security solutions that rely on signatures and known-bad lists to detect malicious activity.

“The most common social engineering technique that accompanies malicious QR codes is the impersonation of internal IT teams, specifically emails claiming users need to update two-factor authentication configurations,” she said. “When setting up two-factor authentication, most instructions require users to scan a QR code. Thus, attackers are now mimicking this process to evade traditional secure email solutions.”

While there are many technology solutions aimed at addressing potential QR-code-based attacks, a simple rule may suffice for many individuals.

“When we talk to people about best practices around QR codes, one of the simplest rules you can follow is to ask yourself, is this QR code in a place where a bad person could post it?” advised Christopher Budd, leader of the X-Ops team at Sophos, a global network security and threat management company.

“If I’m walking through the food court in a mall, and there’s a sign that says, ‘Save 20% on all stores today. Scan this code.’ If I see that, I’m not going to use that QR code. I have no idea who put that sign there,” he told TechNewsWorld.

“When you’re talking about QR codes,” he added, “you have to know and trust its source.”