There has been a sharp increase in QR code-based phishing attacks, or ‘quishing’, according to Check Point’s Harmony Email team.
Quishing is a growing form of phishing attack that encourages users to scan a QR code that takes them to a page where they provide credentials that can then be used for data theft.
These QR code phishing scams, also called ‘cushing’, use the code to share a malicious link, impersonating legitimate companies and organisations.
Harmony Email researchers have issued a warning about the increasing risk of quishing attacks, saying that almost all of their customers had been impacted by these attacks, which were shown to have increased by 587% between August and September 2023.
Type: Credential Harvesting, Quishing
Techniques: Social Engineering
Target: Any end-user
The evolution of the QR Code
The QR code is far from being new technology. The first QR code was released in 1994 by the Japanese company Denso Wave, a subsidiary of Toyota, to track automobile parts during the assembly process. The codes were designed to improve speed and efficiency, with the QR in the name standing for Quick Response.
QR codes quickly became popular, as a much-hyped new way of connecting hard copy with the digital world. But then, their popularity began to decrease, when the UX didn’t live up to expectations and users felt uncertain about how they worked. During the 2010s, it looked as though the QR code was dying out.
In 2020, of course, all that changed and QR codes proliferated with the COVID-19 pandemic. They offered a contactless way to reach forms and information, and scanning became more accessible as smartphone camera apps gained built-in QR recognition. The technology was demystified overnight and quickly became part of our everyday lives.
By 2021, we were comfortable with QR code technology. But were we too comfortable? The codes became easier to use and simple to format with logos, colours or the images of your choice. And here is the problem: the URL is encoded in the pattern, not shown to the reader, so we don’t see where the code links to until we have already scanned it. As Check Point researchers explained, even though QR codes may appear to be innocuous at first, they are “a great way to hide malicious intentions”, lending themselves to use by cybercriminals to hide fraudulent links.
In one example of a quishing attack, Check Point describes how QR codes are sent through email. The decoy is a notification informing the user that their Microsoft Multi-Factor Authentication (MFA) is about to expire and that they must re-authenticate. The attackers embed a QR code in the email that encodes a fraudulent link to a credential-collection page; because the link is carried as an image rather than as text, a filter that only inspects the URLs written in the message body never sees it. Once the user scans the code, a page that mimics the legitimate Microsoft sign-in page opens. It looks similar, but its only purpose is to harvest the credentials the user types in.
How to Protect Yourself from Quishing
Check Point has shared some recommendations to combat quishing. These include implementing an email security system that uses optical character recognition (OCR) to convert the image to text, so that a QR code in the message body can be recognised and the link it carries examined before it reaches the user.
Detecting a QR code is not enough on its own: the OCR capability needs to decode the code to the URL hidden behind it and run that URL through the same URL analysis tools applied to links in plain text. Check Point company Avanan describes how they use a QR code analyzer in their OCR engine. “It identifies the code, retrieves the URL and then tests it against our other engines. Once OCR converts the image to text, our NLP is then able to identify suspicious language and flag it as phishing.”
To guard against these attacks, Avanan’s Jeremy Fuchs says that security professionals should:
- Implement email security that leverages OCR for all attacks, including Quishing
- Implement security that uses AI, ML and NLP to understand the intent of a message and when phishing language might be used
- Implement security that has more than one way to identify malicious attacks
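To make that pipeline concrete, here is an added Python example that is not Check Point’s or Avanan’s code: it finds image parts in an email, hands each one to a QR decoder, and then runs the decoded URL and the message text through simple analysis rules, so the three recommendations above (decode the image, look at the language, combine more than one signal) each map to a function. The decoder is pluggable: `try_pyzbar_decode` uses the pyzbar and Pillow libraries when they are installed and otherwise returns nothing, and the demo passes a stand-in decoder that returns a constructed payload. The brand list, trusted domains, lure phrases, sample message and sample URLs are all constructed assumptions for illustration.

```python
"""Added example: triage an email for QR-code phishing ("quishing").

Pipeline as described in the article: find images in the message, decode any
QR code to recover the hidden URL, then run that URL and the message text
through analysis rules. Every rule, list and sample below is an illustrative
assumption, not any vendor's engine.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: brands worth protecting and the domains that legitimately host their sign-in pages.
PROTECTED_BRANDS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com", "office.com"),
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Assumption: phrases typical of the "MFA about to expire, re-authenticate" decoy.
LURE_PHRASES = ("multi-factor", "mfa", "expire", "re-authenticate", "reauthenticate",
                "scan the qr", "within 24 hours", "action required", "verify your account")
VERDICT_QUISHING = "quishing suspected: QR code resolves to suspicious URL"
VERDICT_SUSPECT = "suspicious: image with MFA lure language, QR not decoded"
VERDICT_CLEAN = "no indicators"

# Constructed payload standing in for what a QR decoder returns from the decoy image.
SAMPLE_QR_PAYLOAD = "https://login.microsoft-mfa-renew.example/auth/verify?user=alice"


def try_pyzbar_decode(image_bytes: bytes) -> list[str]:
    """Decode QR codes with pyzbar + Pillow if installed; otherwise return [] (decoder unavailable)."""
    try:
        from io import BytesIO
        from PIL import Image
        from pyzbar.pyzbar import decode
    except ImportError:
        return []
    return [sym.data.decode("utf-8", "replace") for sym in decode(Image.open(BytesIO(image_bytes)))]


def analyze_url(url: str) -> list[str]:
    """Reasons a decoded URL looks like a credential-harvesting page (empty list = nothing flagged)."""
    parts = urlparse(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    trusted_hosts = [d for legit in PROTECTED_BRANDS.values() for d in legit]
    if any(host == d or host.endswith("." + d) for d in trusted_hosts):
        return []  # allow-listed sign-in host
    findings = []
    if parts.scheme != "https":
        findings.append("non-https scheme")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("IP-literal host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (IDN) host")
    if host in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    if host.count(".") >= 4:
        findings.append("deeply nested subdomain")
    for brand in PROTECTED_BRANDS:  # brand name used outside the brand's own domains
        if brand in host or brand in path:
            findings.append(f"'{brand}' lure on untrusted host {host}")
    if re.search(r"login|signin|auth|password|verify", path):
        findings.append("credential-style path")
    return findings


def lure_score(text: str) -> int:
    """Crude stand-in for intent analysis: count decoy phrases present in the text."""
    t = text.lower()
    return sum(1 for phrase in LURE_PHRASES if phrase in t)


def triage_email(raw: bytes, decoder=try_pyzbar_decode) -> dict:
    """Parse a raw RFC 5322 message, decode QR images with `decoder`, and combine the indicators."""
    msg = message_from_bytes(raw, policy=policy.default)
    texts, images = [str(msg.get("Subject", ""))], []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            texts.append(part.get_content())
        elif part.get_content_maintype() == "image":
            images.append(part.get_payload(decode=True))
    text = re.sub(r"<[^>]+>", " ", "\n".join(texts))  # strip tags from HTML parts
    urls = [u for img in images for u in decoder(img)]
    url_findings = {u: analyze_url(u) for u in urls}
    lure = lure_score(text)
    if any(url_findings.values()):
        verdict = VERDICT_QUISHING
    elif images and lure >= 2:  # an image plus lure language: treat the code itself as an indicator
        verdict = VERDICT_SUSPECT
    else:
        verdict = VERDICT_CLEAN
    return {"verdict": verdict, "images": len(images), "qr_urls": url_findings, "lure_score": lure}


def build_sample_email() -> bytes:
    """Constructed decoy modelled on the MFA-expiry lure described above, with an inline image."""
    m = EmailMessage()
    m["From"] = "it-support@example.net"
    m["To"] = "alice@example.org"
    m["Subject"] = "Action required: Multi-Factor Authentication expires today"
    m.set_content("Your Microsoft MFA will expire within 24 hours. Scan the QR code below to re-authenticate.")
    # Placeholder image bytes (PNG signature only); a real decoy would carry the rendered QR code.
    m.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, maintype="image", subtype="png", cid="<qr@example.net>")
    return m.as_bytes()


if __name__ == "__main__":
    # Stand-in decoder returning the constructed payload, so the demo runs without pyzbar.
    print(triage_email(build_sample_email(), decoder=lambda _img: [SAMPLE_QR_PAYLOAD]))
```

The design point is that the verdict never rests on a single engine: a decoded URL that fails the URL rules is enough on its own, while an undecodable image is still escalated when the surrounding text carries the decoy language, which is how the “more than one way to identify malicious attacks” recommendation plays out in practice. In a real deployment the decoder would be a QR library such as pyzbar, and `analyze_url` would be replaced by the organisation’s existing URL reputation and sandboxing engines.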
As Check Point Software’s technical director for Spain and Portugal, Eusebio Nieva, said: “Cybercriminals are always trying new tactics, other times reviving old methods. Sometimes, they use legitimate elements like QR codes,” adding that the very presence of a QR code in the body of an email needs to be seen as a potential “indicator of an attack.”
According to Red Education’s Senior Instructor, Tsung Chung, we all need to take more care when we are using QR codes. “They make life so easy and most of us don’t think twice before scanning and entering our details into a form. In our everyday lives, we need to keep an eye on the URLs the code is taking us to and look out for obvious signs such as a sticker substituting a new code or the presence of a QR code in a scanned document. The humble QR code may not be as innocent as it appears,” said Tsung Chung.