top of page

Resources

What is Quishing? QR Code Phishing Attacks


Learn about quishing QR code attacks and what you can do to recognize them and mitigate their risks.
Learn about quishing QR code attacks and what you can do to recognize them and mitigate their risks.

Phishing, and the effects of falling for a fraudulent email scam, can be devastating for

your company. Fraudulent emails (phishing), texts (smishing), and voice phishing

(vishing) are incredibly successful in tricking users into responding or giving out

information, sometimes even login credentials.


And now, we have quishing to worry about.


Quishing is a type of phishing attack that uses a QR (quick response) code the same way

that links are used to disguise a malicious destination.


A QR code is a kind of two-dimensional barcode that holds encoded data in a graphical

black and white pattern. The data a QR code stores can include URLs, email addresses,

network details, Wi-Fi passwords, serial numbers, and more.[1]


The term "quick response" refers to the purpose of a QR code being scanned in order to

access data; this process happens very quickly. Legitimate QR codes are frequently sent

through email, and because of this, malicious QR codes are often abused by those who

use email as part of phishing cyberattacks.



An example of a QR code. This one leads to Deer Brook Consulting's home page.
An example of a QR code. This one leads to Deer Brook Consulting's home page.

While QR codes are generally safe, they can easily be manipulated by scammers. To the

human eye, all QR codes look similar. But a malicious QR code can lead you to a spoofed

website with malware, and can steal your sensitive data like passwords and credit card

information.



Quishing Scam Examples

Generally, mobile devices aren't as well protected as workstations on a company

network. This makes using QR codes as an attack vector very advantageous, especially in

BYOD environments.


Various quishing scams. They often come in the form of multi-factor authentication and urgent scam emails.
Various quishing scams. They often come in the form of multi-factor authentication and urgent scam emails.

Scammers often trick mobile device users into scanning QR codes that directing them to

fake Microsoft 365 login portals to harvest their credentials. Those stolen credentials

are then used to take over a user network account.


Very importantly, many current email security solutions do not screen QR codes in

emails as they do website URLs. With QR codes, a URL isn't exposed within the body of

the email. This approach renders most email security scans ineffective.



A holiday-themed quishing scam. Be prepared for festive offers and invitations using QR codes.
A holiday-themed quishing scam. Be prepared for festive offers and invitations using QR codes.


Quishing Mitigation and Countermeasures

Preventing phishing attacks begins with in-depth defense.


The first layer of protection for any enterprise will likely be at its email server, which will

have an internet connection.


Ensuring that your mail server is configured to filter unwanted emails, or an additional platform (like a spam gateway filter) being integrated into your information infrastructure, will serve this purpose.[2] This won't prevent all phishing emails, but it will strip away some unwanted traffic.


Secondly, awareness training for end users is imperative. End users should be trained to

detect phishing emails and to interact with all email with a healthy degree of skepticism.


Phishing emails are designed to capture the attention of a prospective victim, and there

are many common themes that attempt to do this:

  • A reference to an invoice (with an attachment).

  • A request for personal information.

  • A report of "suspicious activity" or login attempts on an account the victim may have.

  • A reference to a payment (especially a late payment), with links provided to pay.

  • A coupon or discount on products or services that the victim may be interested in.

  • A government refund.


Other indicators of a potential phishing attempt include a suspicious sender's address,

generic greetings, spoofed links, improper grammar and spelling, and suspicious

attachments.


The third layer of protection is multi-factor authentication; it's essential. This will

protect against stolen credentials, which can be the initial purpose of a phishing attack.

MFA will not, however, prevent malware from being dropped on a victim's system.[2]


These tips should be added to user safe email handling training:

  • Do not scan randomly found QR codes.

  • Be suspicious if a site scanned from a QR code asks for a password or other login info.

  • Do not scan QR codes received in emails or text messages unless you know they are legitimate. Call the sender to confirm.


Some scammers are physically pasting bogus codes over legitimate ones. If it looks as

thought a code as been tampered with, do not use it. The same caution applies to

legitimate ads that you pick up or get in the mail.



How to Analyze Reported Quishing

If you're part of a security team or working as a security analyst and receive a report

from an employee in your company about a suspicious email containing a QR code, it's

imperative to approach the situation with caution. Directly scanning the QR code with

your phone is not advisable, due to the unknown and potentially harmful URL it may

contain.


Nevertheless, as a security analyst, it's crucial to delve deeper to comprehend the

attack's nature, aiming to prevent future similar attacks and possibly hunt for successful

attacks within the organization.


To achieve this, it's essential to analyze where the QR code redirects to, ensuring to do so securely.


Here are two steps you can take to investigate a potential quishing attack:

  1. Extract images from the reported email.[3]

    1. Ensure you download all images separately from the reported email. This includes those embedded within attached PDF files or forwarded .eml or .msg files, especially if the email has been forwarded to you.

  2. Safely scan images for QR codes and extract URLs.[3]

    1. Scan all images for QR codes by using a 3rd party QR code scanning service, such as qrcoderaptor.com, extracting the corresponding URLs without directly following the link. This prevents unintended exposure to malicious content.



References

  1. “QR codes used to phish for Microsoft credenti…” Malwarebytes. 21 August 2023

  2. “Quishing Triage 101: How to Investigate Suspicious Q…” Intezer. 4 October 2023

  3. "QR Code-Based Phishing (Quishing) as a Threat to the…” HHS. 23 October 2023

  4. “Explained: Quishing” Malwarebytes. 13 October 2023

Comentários


bottom of page