Cybercriminals are launching incredibly sophisticated "quishing” campaigns armed with malicious QR codes. Attack volumes have grown 2,400% since May, including an attack on a large U.S. energy firm. These latest attacks hide redirect links that send users to a phony web page to steal their credentials.
Our researchers have found that nearly all of our customers have been targeted by these QR code attacks.
And it’s not just email—it's also mobile.
These attacks are everywhere and they are worldwide in nature.
In this attack brief, Harmony Email researchers will discuss how hackers are utilizing QR codes to obtain credentials and will showcase the global nature of these attacks.
Attack
In this attack, hackers are sending QR codes that lead to credential harvesting pages.
- Vector: Email
- Type: Credential Harvesting, Quishing
- Techniques: Social Engineering
- Target: Any end-user
Email Example
This is a standard Quishing attack that we’ve seen countless of in recent weeks.
The main idea is to create a QR code that goes to a credential harvesting page. The email itself is in Spanish.
Here’s the English translation of this email:
Update your email account
Hello,
I'm from the Microsoft account team.
We inform you today that we are updating our email system. To keep your account active, you will need to scan the barcode below and follow the Microsoft URL in the barcode to update your account information.
Please update your account information immediately.
If you do not update your account information, your email account will be deactivated.
In case of any difficulty, let us know and we will be here to help you.
Thanks for your cooperation,
The Microsoft account team.
Like any standard credential harvesting email, this is trying to get you to take urgent action. Only if you act now will you keep your account.
Of course, it’s that kind of urgency that leads end-users to make mistakes.
Techniques
QR codes are simple and a part of our daily lives, particularly after the pandemic. But despite its simplicity, it’s effectively a hidden trick. The image is hiding a link. The end-user can’t see what’s behind the QR code. Only the computer, or often the phone, can decode the image to see that there’s a link behind it.
But because users trust QR codes so much, we scan them without really thinking. Think about your daily life. If you went to a restaurant today and the menu was behind a QR code, would you think twice? Probably not.
So for hackers, this presents an intriguing medium. You have the built-in trust of end-users. All you have to do is craft a convincing email that spoofs something like Microsoft and you have a well-crafted phishing email.
Even more crafty would be utilizing QR codes from emails that come from legitimate sources.
Malicious QR codes can also be difficult to detect. For QR codes, we use our QR code analyzer in our OCR engine. It identifies the code, retrieves the URL, and then tests it against our other engines. The existence of a QR code in the email message body indicates an attack. Once OCR converts the image to text, our NLP is then able to identify suspicious language and flag it as phishing.
In short, until more security solutions can reliably detect malicious QR codes, these attacks will continue to hit companies of all sizes.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Implement email security that leverages OCR for all attacks, including Quishing
- Implement security that uses AI, ML, and NLP to understand the intent of a message and when phishing language might be used
- Implement security that has more than one way to identify malicious attacks
