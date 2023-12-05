Cybersecurity


Quishing Alert: Experts Advise Caution Before Scanning QR Codes


Quick Response codes are a convenient way to open websites, download apps, and view restaurant menus, which is also why they have become a vehicle for bad actors to steal credentials, infect mobile devices, and invade corporate systems.

“We are seeing an exponential uptick in targeted attacks against mobile devices, many of them phishing attacks,” observed Kern Smith, VP for Americas pre-sales at Zimperium, a mobile security company headquartered in Dallas.

“A large majority of phishing sites are targeted at mobile devices,” he told TechNewsWorld. “The reason attackers are doing that is they know mobile devices are most susceptible to phishing attacks.”

“QR phishing, or quishing, is a great attack vector for attackers because they can distribute a QR code widely, and a lot of corporate anti-phishing systems aren’t geared to scan QR codes,” he said.

ReliaQuest, a security automation, cloud security, and risk management company headquartered in Tampa, Fla., noted in a recent report that it saw a 51% rise in quishing attacks in September compared with the cumulative figure for the previous eight months.

“This spike is at least partially attributable to the increasing prevalence of smartphones having built-in QR code scanners or free scanning apps; users are often scanning codes without even a thought about their legitimacy,” it wrote.

Part of the Phishing Epidemic

Shyava Tripathi, a researcher in the Advanced Research Center of Trellix, maker of an extended detection and response platform in Milpitas, Calif., noted that phishing is responsible for over a third of all attacks and breaches.

“QR-code-based attacks aren’t new, but they’ve become increasingly prevalent in sophisticated campaigns targeting businesses and consumers, with Trellix detecting over 60,000 malicious QR code samples in Q3 alone,” she told TechNewsWorld.

Quishing is currently high on the agenda for many organizations, asserted Steve Jeffrey, lead solutions engineer at Fortra, a global cybersecurity and automation company. “It represents a risk that can bypass existing security controls. Therefore, the protection relies on the recipient fully understanding the threat and not taking the bait,” he told TechNewsWorld.

Clicking on malicious URLs is still one of the top risks for account takeovers, he continued. He cited data from Fortra’s PhishLabs that showed in Q2 2023 that more than three-quarters of credential theft email attacks contained a link pointing victims to malicious websites.

“Quishing is merely an extension of these phishing attacks,” he said. “Instead of a hyperlink to a fraudulent or malicious website, the attacker uses a QR code to deliver the URL. Since most email security systems are not reading the contents of the QR codes, it is difficult to prevent the ingress of these messages, hence the rise in the prevalence of this type of attack.”

Quishing for Credentials

Mike Britton, CISO of Abnormal Security, a global provider of email security services, agreed that quishing is a growing problem. He cited Abnormal data that found that 17% of all attacks that bypass spam and junk filters use QR codes.

He added that his company’s data also shows that credential phishing accounts for about 80% of all QR code-based attacks, with invoice fraud and extortion rounding out the top three attack types.

“Leveraging QR codes is an attractive attack tactic for malicious actors because the resulting destination that the QR code sends the recipient to can be difficult to detect,” Britton told TechNewsWorld.

“Unlike traditional email attacks,” he continued, “there is minimal text content and no obvious malicious URL. This significantly reduces the amount of signals available for traditional security tools to detect and analyze in order to catch an attack.”

“Because they can easily evade both human detection and detection by traditional security tools, QR code attacks tend to work better than more traditional attack types,” he said.

Embedded QR Threats

Randy Pargman, director for threat detection at Proofpoint, an enterprise security company in Sunnyvale, Calif., maintained that the number one reason malicious actors prefer QR codes over regular phishing URLs or attachments is that people who scan QR codes usually do so on their personal phone, which probably isn’t monitored by a security team.

“That makes it challenging for companies to know which employees interacted with phishing messages,” he told TechNewsWorld.

He explained that QR code phishing scams are challenging to detect because the phishing URL isn’t easy to extract and scan from the QR code. Adding to the problem, he continued, is that most benign email signatures contain logos, links to social media outlets embedded within images, and even QR codes pointing to legitimate websites.

“So the presence of a QR code itself isn’t a sure sign of phishing,” he said. “Many legitimate marketing campaigns use QR codes, which can allow malicious QR codes to blend into the background noise.”

Nicole Carignan, vice president for strategic cyber AI at Darktrace, a global cybersecurity AI company, added that the increased use of QR codes in phishing attacks is the latest example of attackers pivoting to techniques that thwart traditional defenses with greater agility and efficiency.

“Traditional solutions scan for malicious links in easy-to-find places,” she told TechNewsWorld. “In contrast, finding QR codes within emails and determining their appropriate destination requires rigorous image recognition techniques to mitigate risks.”
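The detection gap the experts describe above (an email gateway that scans text for URLs sees little text and no URL, because the link travels inside an image; a QR code alone is not a signal, because signatures and marketing mail carry legitimate ones) can be closed by a triage step that decides which messages deserve the expensive image-decoding pass. The Python below is an added example and is not code from the article or from any of the vendors quoted. It parses a raw message, measures how much of it is image versus text and whether the text carries any URL at all, and routes only "the image is the message" cases to a QR decoding queue. It does not decode the QR itself (that takes an image library such as zbar); the word cutoff and image-size threshold are assumed tuning values, and the two messages are constructed samples.

```python
"""Route image-heavy, link-free mail to a QR decoding step. The body is one image, little
text, no clickable URL. A QR code alone is not a verdict, so several weak signals are scored."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


class _HtmlText(HTMLParser):
    """Collect visible text, http(s) link count and <img> sources."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self.images = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and (a.get("href") or "").startswith(("http://", "https://")):
            self.links += 1
        elif tag == "img":
            self.images.append(a.get("src") or "")

    def handle_data(self, data):
        self.text.append(data)


def extract_features(raw: str) -> dict:
    """Parse one RFC 822 message and return the triage signals."""
    msg = email.message_from_string(raw, policy=policy.default)
    text, links, img_srcs, image_sizes = [], 0, [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            p = _HtmlText()
            p.feed(part.get_content())
            text.append(" ".join(p.text))
            links += p.links
            img_srcs.extend(p.images)
        elif ctype == "text/plain":
            text.append(part.get_content())
        elif part.get_content_maintype() == "image":
            image_sizes.append(len(part.get_payload(decode=True) or b""))
    visible = " ".join(text)
    return {
        "words": len(visible.split()),
        "urls_in_text": links + len(URL_RE.findall(visible)),
        "image_parts": len(image_sizes),
        "largest_image_bytes": max(image_sizes, default=0),
        # cid:/data: images travel inside the mail rather than being fetched later
        "inline_images": sum(1 for s in img_srcs if s.startswith(("cid:", "data:image"))),
    }


def quishing_score(f: dict) -> int:
    """0..4: each signal alone is weak; the combination is the tell."""
    score = 0
    if f["image_parts"] or f["inline_images"]:
        score += 1                            # there is an image to decode
    if f["words"] < 40:                       # assumed cutoff: the image *is* the message
        score += 1
    if f["urls_in_text"] == 0:                # nothing for a URL filter to rewrite or check
        score += 1
    if f["largest_image_bytes"] >= 2_000:     # assumed: bigger than a typical signature logo
        score += 1
    return score


def needs_qr_decode(raw: str, threshold: int = 3) -> bool:
    """True when the message should go to an image/QR decoding queue."""
    return quishing_score(extract_features(raw)) >= threshold


def build_sample(subject: str, html: str, image: bytes = b"") -> str:
    """Construct a raw message for the demo (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <it@example.com>"
    msg["Subject"] = subject
    msg.set_content(html, subtype="html")
    if image:
        msg.add_attachment(image, maintype="image", subtype="png", filename="image.png")
    return msg.as_string()


SAMPLES = {  # constructed: an image-only lure, and a benign long mail with a signature logo
    "mfa_quish": build_sample(
        "Action required: update your 2FA",
        "<p>Your multi-factor authentication settings expire today. Scan the QR code "
        'below with your phone to keep access to your account.</p><img src="cid:qr">',
        b"\x89PNG" + b"\x00" * 2996),
    "signature_logo": build_sample(
        "CAB notes",
        "<p>Hi team, attached are the notes from today's change advisory board. Summary of "
        "decisions: the firewall rule cleanup is approved for Friday, the VPN certificate "
        "renewal moves to next week, and the printer subnet migration is deferred. Please "
        "read the notes and reply with any objections by Thursday.</p><p>Thanks, Dana, "
        'IT Operations. <a href="https://intranet.example.com/cab">CAB archive</a></p>'
        '<img src="cid:logo">',
        b"\x89PNG" + b"\x00" * 796),
}
```

The lure scores 4 and is routed for decoding; the benign message scores only 1 because, although it also carries an embedded image, it has substantial text, a normal link, and a logo-sized image. Whatever decodes out of the queued image then needs a check of its own, since the URL is where the attack actually lives.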

Best Practices for QR Code Safety

Carignan noted that Darktrace research has found that quishing attacks are often accompanied by highly personalized targeting and newly created sender domains, further decreasing the likelihood of the emails being detected by traditional email security solutions that rely on signatures and known-bad lists to detect malicious activity.

“The most common social engineering technique that accompanies malicious QR codes is the impersonation of internal IT teams, specifically emails claiming users need to update two-factor authentication configurations,” she said. “When setting up two-factor authentication, most instructions require users to scan a QR code. Thus, attackers are now mimicking this process to evade traditional secure email solutions.”
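Both observations above, the freshly created sender domains and the fake two-factor enrolment lure, can be turned into a check on the decoded QR payload. The Python below is an added example, not code from the article or from Darktrace. Its key point is that a genuine authenticator enrolment QR encodes an otpauth:// URI (the TOTP secret is in the code itself and no web page is involved), so a "update your 2FA" message whose QR decodes to an https:// login page is the lure described. Web URLs are additionally checked against the organisation's own domains and for a few structural tells. ORG_DOMAINS, EXPECTED_ISSUER, the shortener list and the FIRST_SEEN table are constructed stand-ins for your own tenant data and a WHOIS or passive-DNS feed; the 30-day cutoff is an assumption.

```python
"""Classify what a QR code actually decodes to, before anyone follows it.

A genuine authenticator enrolment is an otpauth:// URI with the secret embedded; a 2FA lure
whose QR decodes to an https:// page is credential harvesting. Web URLs are also checked
against the organisation's domains and for userinfo tricks, shorteners, IP literals, punycode.
"""
import ipaddress
from datetime import date
from urllib.parse import parse_qs, unquote, urlsplit

ORG_DOMAINS = {"example.com"}                             # assumed tenant domains
EXPECTED_ISSUER = "Example Corp"                          # assumed issuer in real enrolments
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}   # assumed list; extend from your own
MFA_WORDS = ("2fa", "mfa", "two-factor", "multi-factor", "authenticator")
# Constructed first-seen dates standing in for a WHOIS / passive-DNS lookup.
FIRST_SEEN = {"example.com": date(2005, 3, 1), "example-it-support.com": date(2023, 11, 28)}
TODAY = date(2023, 12, 5)
LEGIT_OTPAUTH = ("otpauth://totp/Example%20Corp:alice%40example.com"
                 "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Corp")
_SEVERITY = {"allow": 0, "review": 1, "block": 2}


def _worse(a: str, b: str) -> str:
    return a if _SEVERITY[a] >= _SEVERITY[b] else b


def _is_org_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_payload(payload: str) -> dict:
    """Return {'kind', 'verdict', 'reasons'} for one decoded QR string."""
    u = urlsplit(payload.strip())
    reasons = []
    if u.scheme == "otpauth":
        # otpauth://totp/<issuer>:<account>?secret=<base32>&issuer=<issuer>
        label = unquote(u.path.lstrip("/"))
        params = parse_qs(u.query)
        issuer = params.get("issuer", [label.split(":", 1)[0] if ":" in label else ""])[0]
        if u.netloc not in ("totp", "hotp"):
            reasons.append("unknown otpauth type %r" % u.netloc)
        if "secret" not in params:
            reasons.append("no secret parameter")
        if issuer != EXPECTED_ISSUER:
            reasons.append("issuer %r is not %r" % (issuer, EXPECTED_ISSUER))
        return {"kind": "otpauth", "verdict": "review" if reasons else "allow", "reasons": reasons}
    if u.scheme in ("http", "https"):
        host = (u.hostname or "").lower()
        if u.scheme == "http":
            reasons.append("cleartext http")
        if u.username is not None:            # https://sso.example.com@evil.test/ lands on evil.test
            reasons.append("userinfo in URL")
        if host in SHORTENERS:
            reasons.append("URL shortener hides the destination")
        if _is_ip_literal(host):
            reasons.append("IP literal host")
        if "xn--" in host:
            reasons.append("punycode label")
        if not _is_org_host(host):
            reasons.append("host %r is not an organisation domain" % host)
        return {"kind": "url", "verdict": "review" if reasons else "allow", "reasons": reasons}
    return {"kind": u.scheme or "text", "verdict": "review", "reasons": ["neither URL nor otpauth URI"]}


def triage(subject: str, decoded: str, sender_domain: str, today: date = TODAY) -> dict:
    """Combine the lure theme, the decoded payload and sender-domain age into one verdict."""
    result = classify_payload(decoded)
    verdict, reasons = result["verdict"], list(result["reasons"])
    host = (urlsplit(decoded).hostname or "").lower()
    if any(w in subject.lower() for w in MFA_WORDS) and result["kind"] != "otpauth":
        # Real enrolment needs an otpauth URI; a web login page here is credential harvesting.
        reasons.append("2FA lure but QR does not encode an otpauth enrolment")
        verdict = _worse(verdict, "review" if _is_org_host(host) else "block")
    first_seen = FIRST_SEEN.get(sender_domain)
    if first_seen is None:
        reasons.append("sender domain %s has no first-seen record" % sender_domain)
        verdict = _worse(verdict, "review")
    elif (today - first_seen).days < 30:                  # assumed: newly registered domain
        reasons.append("sender domain %s first seen %d days ago" % (sender_domain, (today - first_seen).days))
        verdict = _worse(verdict, "block")
    return {"verdict": verdict, "reasons": reasons}
```

A 2FA-themed message from a week-old domain whose QR decodes to an external web page is blocked on two independent grounds, while a real enrolment URI from the organisation's own domain passes. The userinfo case matters because a URL such as https://sso.example.com@evil.test/ shows the trusted name first but lands on evil.test; urlsplit exposes the real host, which is why the check works on hostname rather than on the raw string.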

While there are many technology solutions aimed at addressing potential QR-code-based attacks, a simple rule may suffice for many individuals.

“When we talk to people about best practices around QR codes, one of the simplest rules you can follow is to ask yourself, is this QR code in a place where a bad person could post it?” advised Christopher Budd, leader of the X-Ops team at Sophos, a global network security and threat management company.

“If I’m walking through the food court in a mall, and there’s a sign that says, ‘Save 20% on all stores today. Scan this code.’ If I see that, I’m not going to use that QR code. I have no idea who put that sign there,” he told TechNewsWorld.

“When you’re talking about QR codes,” he added, “you have to know and trust its source.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

