Be Aware – QR Codes Have Become a Vector for Phishing Attacks
By Liliana Kotval
Malicious attacks have been commonly initiated via dangerous links or attachments in emails and text messages. However, now there is another, recently developed form of scamming to be aware of: QR codes. QR code phishing attacks, known as “quishing”, have been rising sharply in number worldwide; from August to September of this year, there was a steep 427% increase in the use of malicious QR codes, and furthermore, these attacks jumped from making up just 0.4% to 8.8% of all malicious incidents. (1)
From Perception Point (2)
Most often, QR codes captured with a smart camera translate into website URLs, apps or map addresses. However, just as these QR codes can be very useful in providing a quick pathway to a website, they can also link to fraudulent websites with malicious software or fraudulent payment gates. The sheer ease of creating a QR code means that almost anyone can distribute one, not only via emails or websites, but also as physical printed copies plastered to walls or bulletin boards throughout cities.
In reality, quishing attacks are another form of traditional scamming through malicious links. Cyber criminals have long relied on emails with dangerous links or attachments to scam their targets, and now they use QR codes as well. Unlike the previous methods, however, malicious QR codes appear identical to their normal counterparts. Additionally, since most QR codes in emails are attached as PNG or PDF files, they are more likely to bypass the existing security controls in email applications than malicious links inserted in an email's body. It is important to take the same precautions with a QR code as with an unknown email: avoid QR codes that come with an urgent message to verify one's identity or take advantage of a limited-time offer, keep software up to date, analyze the environment in which the QR code is posted (restaurants and reputable websites will be less likely to post fraudulent codes), and use a QR scanner with security protection. (3)
Nevertheless, no context makes it entirely safe to trust a QR code, whether in emails, on websites, in restaurants, or on posters. Malicious QR codes began to rise during the COVID pandemic, when scammers were able to replace restaurant menu QR codes to steal customers' personal and payment details. The FBI released a public service announcement in January of 2022 to warn the public of the increase in reports of these fraudulent activities in the US. (4) Furthermore, last month in Newcastle, UK, scammers placed malicious QR codes in city car parks, leading to victims paying £60 each after scanning the code. (5) In a similarly startling case, also from last month in the UK, an elderly woman lost £13,000 after scanning a fraudulent QR code that covered the genuine one in a railway station car park. (6) Through just a quick scan of the code, the scammers were able to set up an online banking account on her device, take out a loan, block her credit card and change its payment address.
Malicious QR codes can be sneakily placed, and have even been used to scam multinational companies, including a U.S. energy company that suffered the biggest QR code phishing attack seen in August this year. 1,000 emails embedded with a malicious QR code were sent to the company, and the campaign also targeted firms in manufacturing, insurance, technology, and financial services (7). Most of the phishing emails contained PNG image attachments of a QR code that then redirected to malicious Bing URLs. This was the first time QR codes had been used at this scale, and these types of attacks are expected to become more common as a viable attack vector. Employees of companies should now be further trained to be wary of QR codes in emails, especially those embedded in PNG or PDF files.
The way quishing attacks are crafted, by encoding phishing links in redirects, is nothing new. What is new is how hackers are using a trusted domain, one that has been used by millions of people since the 2010s, to carry out attacks that cannot be easily distinguished as phishing. The ability to hide URLs inside QR codes in a PNG or PDF file means that quishing emails are more likely to bypass security and make it to inboxes. Attacks are becoming more and more clever; we must be just as diligent in keeping up to date with the latest trends and identifying what should and should not be trusted.
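One way a mail-security pipeline could check the text decoded from a QR attachment for the redirect pattern described above, offline and without visiting any link. This is an added example, not code from the original article; it assumes the QR image has already been decoded in an earlier step, and the host names, the `TRUSTED_HOSTS` list and the sample payload are constructed placeholders.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist: hosts a mail filter would treat as reputable.
TRUSTED_HOSTS = {"search.trusted.example"}
# Constructed sample: text a QR decoder might return from a PNG attachment.
_target = base64.urlsafe_b64encode(b"https://login.phish.example/sso").decode().rstrip("=")
SAMPLE = "https://search.trusted.example/r?id=7&u=" + _target

def web_host(text):
    """Return the lower-cased host of an http(s) URL, or None."""
    try:
        parts = urlsplit(text.strip())
    except ValueError:
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None

def embedded_url(value):
    """Return a URL hidden in a query value (plain or URL-safe base64), or None."""
    candidates = [value]
    try:
        padded = value + "=" * (-len(value) % 4)
        candidates.append(base64.urlsafe_b64decode(padded).decode("utf-8"))
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass
    return next((c for c in candidates if web_host(c)), None)

def triage_qr_payload(payload, max_depth=3):
    """Follow redirect targets embedded in a decoded QR payload, offline."""
    host = web_host(payload)
    if host is None:
        return {"verdict": "not-a-web-url", "chain": []}
    chain, current = [host], payload.strip()
    for _ in range(max_depth):
        values = [v for _, v in parse_qsl(urlsplit(current).query)]
        current = next((u for u in map(embedded_url, values) if u), None)
        if current is None:
            break
        chain.append(web_host(current))
    if len(chain) == 1:
        verdict = "direct"
    elif chain[0] in TRUSTED_HOSTS and chain[-1] != chain[0]:
        verdict = "trusted-host-redirect"  # reputable first hop, other final host
    else:
        verdict = "redirect"
    return {"verdict": verdict, "chain": chain}
```

A `trusted-host-redirect` verdict means the reputation of the first hop says nothing about the destination, so the final host in `chain` is the one to score.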
(1) "QR Code Phishing (Quishing) Attacks Have More Than Quadrupled in Just One Month", Perception Point, 23.10.2023, https://perception-point.io/blog/qr-code-phishing-quishing-attacks-have-more-than-quadrupled-in-just-one-month/
(3) "In the Wrong Hands, QR Codes Are a Dangerous Threat to Your Mobile Device Security", University of Virginia, https://security.virginia.edu/QRHack#:~:text=QR%20hacking%20is%20just%20another,not%20always)%20safe%20to%20scan
(7) Nathaniel Raymond, "Major Energy Company Targeted in Large QR Code Phishing Campaign", Cofense, 16.08.2023, https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/