Quishing: Tricks to look out for
QR code phishing – aka “quishing” – is on the rise, according to HP, Darktrace, Malwarebytes, AusCERT, and many others.
What are QR codes?
QR codes are two-dimensional matrix barcodes used for tracking products, identifying items, simplifying actions such as connecting to a wireless network or setting up multi-factor authentication for accounts, and delivering specific content to mobile users (e.g., by opening a web page/app on the user’s device).
By now, most people know what a QR code looks like and that they need to scan it to get to information “embedded” in it.
Unfortunately, not many users know that QR codes are not inherently safe and may be used for malicious purposes.
QR code phishing: Examples and tactics
QR phishing usually comes via email and contains a QR code pointing to a phishing or scammy web page.
Quishing emails generally impersonate a credible company and ask users to scan the QR code in their email.
“For example, they may say that your payment from an online purchase didn’t go through, and you need to re-enter your credit card information by scanning the QR code. Unsuspecting victims will scan the QR code, enter a legitimate-looking website, and enter their payment information,” Microsoft explains.
When the targets are corporate executives or employees, they are more likely to lead – usually through a series of open redirects – to a fake Microsoft 365 account login page.
Microsoft-themed quishing email (Source: Kaspersky)
AusCERT recently conducted an analysis of email samples submitted by its member organisations, and found that most of them were made to look like they originate from a manager within the respective organisation.
“AusCERT observed that the QR code embedded within the email contained a URL leading to a deceptive website impersonating reputable brands or organisations such as Microsoft,” the Australia-based CERT said.
DarkTrace has recently listed patterns and similarities in the QR code phishing emails that they’ve seen:
- The emails conveyed a sense of urgency
- Some of the emails directly referred to two factor authentication (2FA) enabling or QR code activation, looked very convincing, and looked like they are coming from the organization’s IT department
- Some of the emails came from legitimate compromised accounts
- One email was made to look like it was coming from a company recently acquired by the targeted company
“Another characteristic shared by these emails was that they had little to no text included in the body of the email and they did not contain a plain text portion,” the researchers noted.
“This hinders textual analysis and filtering of the email for suspicious keywords and language that could reveal its phishing intent.”
Additional tactics used to bypass email security gateways include malicious redirection via benign services’ domains and malicious links contained in attachments.
Is quishing effective?
A recent test of employee security awareness performed by Hoxhunt revealed that only 36% of almost 600,000 employees of varying levels of seniority successfully identified and reported the phishing email carrying a QR code.
“More than half failed to recognize it as a threat, while another 5% of employees actually scanned the QR code or clicked a link,” the company said.
An anecdotal report by a security professional that ran a QR code phishing simulation against their organization’s employees tells of a similar scan/click rate: 6%.
While security pros are discussing online which third-party solutions, mail flow rules and filters, queries and tricks can prevent QR code phishing emails reaching their colleagues’ inboxes, one thing is obvious: phishing awareness trainings should be updated to include the threat of quishing.
Quishing is phishing with a twist, so the usual advice for recognizing phishing still applies. But users should be made aware that phishing emails (and text messages, and social media messages) can also include malicious QR codes.
Users should be told to be extra careful when evaluating the legitimacy of emails carrying QR codes. They should preview the URL behind the QR code before clicking and use a QR code scanner with built-in security features.