Use of QR Codes in Phishing Campaigns is on the Rise
QR codes are quickly becoming a favorite tool of bad actors looking to launch phishing attacks, with one cybersecurity vendor saying the strategy appeared in 22% of phishing campaigns it detected in the first weeks of October.
The numbers collected by Hoxhunt feed into the growing amount of data detailing the rise of such QR-based phishing – or “quishing” – campaigns being run by threat groups.
“As QR codes have gained popularity, their use has expanded to include everything from mobile payments to access control and even document sharing,” Eliott Tallqvist, product marketing specialist at Hoxhunt, wrote in a report released today. “The only problem? Because of their convenience, they easily hide risk. In a world where no email, text message, or website is safe from cybercriminal activity, it was only a matter of time before QR codes became part of the equation.”
Hoxhunt’s report came a day after SlashNext, whose products protect against business email compromise (BEC) and similar threats, outlined the different ways bad actors are using malicious QR codes.
QR – or quick response – codes have been around for almost three decades, but their use has ramped up in recent years with the ubiquitous of smartphones and, more recently, during the COVID-19 pandemic, when the small little boxes could be used as no-touch alternatives to restaurant menus, for example.
“QR codes offer several advantages over traditional barcodes, including the ability to store a large volume of data, the ability to be scanned even if partially damaged, and the convenience and speed of data transmission,” SlashNext’s Daniel Kelley wrote. “As a result, QR codes have found their way into various aspects of our lives, from advertising and marketing campaigns to contactless payments and accessing websites with ease.”
Quishing, QRLJacking and Other Threats
The range of QR-based attacks include quishing, where the hacker generates a QR code that either has a phishing link or malware download, he wrote. The malicious code is distributed through phishing emails, ads, restaurant menus, or other avenues. If a person scans the code, they are sent to a phishing site where their credentials or personal information is stolen or the malware is downloaded onto the device.
There also is QRLJacking, through which a bad actor can get complete control of the victim’s account by luring the user to click on a malicious QR code sent to their mobile device.
Kelley wrote of a recent spike in QR code-based phishing attacks, adding that “given the growing dependence on QR codes across various sectors and the ease of manipulating them, it is highly likely that quishing attacks will continue to increase in popularity among cybercriminals.”
Rick Hanson, president of privileged access management vendor Delinea, said that shouldn’t come as a surprise.
“QR codes have always been extremely risky, and they are more frequently used in our daily lives now than ever before,” Hanson told Security Boulevard in an email. “Amplified use means that cyber criminals are going to try to exploit them more regularly as well. QR codes can be as easily used for phishing as an email, text, or other technique.”
A Long-Running Attack
Cybersecurity company Cofense in August detailed a months-long phishing campaign that used QR codes to bypass security controls and to steal Microsoft account credentials from victims at companies found in a range of industries. A major energy firm was targeted by almost a third of the 1,000 quishing emails sent by the threat actors.
In a report earlier this month, security company Critical Start listed the Microsoft-targeted quishing campaign among its top 10 security threats in the second half of the year.
While that campaign may have caught headlines, there have been others. Proofpoint researchers Tim Bedard and Tyler Johnson in a report in early October wrote about a phishing attack using a QR code that targeted an agriculture company with more than 16,000 employees.
“QR Code phishing represents a new and challenging threat,” they wrote. “It moves the attack channel from the protected email environment to the user’s mobile device, which is often less secure. With QR codes, the URL isn’t exposed within the body of the email. This approach renders most email security scans ineffective.”
QR Codes and the Hoxhunt Challenge
It was that growing use that convinced Hoxhunt to make QR code threats a central part of the Hoxhunt Challenge, a project aimed at quantifying the cybersecurity risks linked to human behavior at large companies. The challenge launched in September with 38 Hoxhunt customers in nine industries with operations in 125 countries. Almost 600,000 employees were involved in the event.
“The tricky thing about QR codes is that although they can be easy to use, they’re also proving incredibly easy to abuse,” Hoxhunt’s Tallqvist wrote.
The vendor’s project involved simulating QR-based phishing attacks to test how ready the employees – who were unaware of the test – would respond. After three weeks, the test found that 36% of employees receiving the simulated quishing messages identified and reported the attack, while more than half failed to recognize the threat and another 5% scanned the malicious QR code or clicked on a link.
“Put into real-world context that would mean that a majority of organizations would be left vulnerable, if not completely compromised, by a similar phishing attack,” he wrote.
Hoxhunt stressed the need for continuous training for employees, something the security industry has done well when it comes to phishing, according to Georgia Weidman, security architect at mobile security company Zimperium.
Still, “users, as a general rule, do not yet understand that any mechanism that can deliver a URL can be used to phish,” Weidman told Security Boulevard in an email. “This includes QR codes. Security awareness practitioners and phishing bad actors have been in an arms race for years and, at least for the foreseeable future, the only thing that we can truly depend upon is that, one, the phishers will try to find every possible path to deliver phishes and, two, some users will attempt to follow the phishing links.”