QR codes, also known as Quick Response codes, have become increasingly popular in recent years. They are a convenient and versatile way to access information, such as menus, product information, and website content. However, QR codes can also be used for malicious purposes, such as phishing.
QR phishing is a type of phishing attack that uses QR codes to trick victims into revealing sensitive information or downloading malware. Scammers may send phishing emails with QR codes, place malicious QR codes in public places, or even post them on social media.
If you're not careful, you could end up scanning a QR code that takes you to a fake website or downloads malware onto your device. Once that happens, it's game over for your data.
The Modus Operandi
Attackers use urgency, impersonation, and domain spoofing to bypass email security.
In a recent phishing attack observed by Cyber Security Associates and other cyber security companies, attackers sent emails usually from different sender and envelope addresses, all with common features. The emails convey a sense of urgency, either through the subject line or by marking the email as high priority. Some of the emails directly refer to two-factor authentication (2FA) enabling or QR code activation, and some of them impersonate the company's internal IT or HR team by inserting the company domain alongside strings like "it-desk" and "hr-manager" in the sender field.
Attackers use various techniques to draw attention to the email and maximize the chances that it is opened and engaged by the recipient.
To make sure the emails reached the intended inboxes, the attackers use several tactics:
- - Emails sent from legitimate sender addresses to successfully pass SPF validation, SPF is an email authentication method that tells the receiving email servers whether emails have been sent from authorized servers for a given domain. Without SPF validation, emails are more likely to be categorized as spam and be sent to the junk folder.
- - Emails, which also pass SPF checks, use a legitimate domain in the header-from address field but are actually sent from a different domain. This shows a high level of targeting from the attackers, who likely hoped that this detail would make the email more familiar and less suspicious
- - In some cases, the sender domain has been created recently, thus lowering the chances of there being open-source intelligence (OSINT) available on the domain. This reduces the chances of the email being detected by traditional email security solutions relying on signatures and known-bad lists.
- - The legitimate domain such as “amazon.com” or “Microsoft.com” is being used as a link with parameters to redirect the user to malicious site (Figure 1).
- - The threat actors use QR codes embedded in images to bypass email security tools that scan a message for known malicious links, allowing the phishing messages to reach the target’s inbox.
The example URL which can be found in a malicious QR code.(cofense.com, 2023):
Why does this Matter?
QR phishing attacks can target consumers and enterprises alike.
While QR phishing attacks have often targeted individual consumers, businesses and their employees are also at risk. Email-based QR phishing campaigns, such as the ones uncovered by HP and Abnormal Security researchers, can target enterprise accounts for credential theft or malware distribution.
In other words, QR phishing attacks can be used to steal employee login credentials or install malware on company devices. This can give attackers access to sensitive business data, such as customer information, financial records, and trade secrets.
The email delivery of the QR code is not the only way attackers target potential victims. Well known vectors of attack can come in a form of:
- - Parking meter payment QR code, at which point the attackers collect the payment details of the victims as well as charging the parking fee. The victims of this kind of attack often find themselves with parking penalties to pay as well as fraudulent transactions on their accounts.
- - Bank phishing scams, this can come in a form of QR code encouraging the user to download banking app or sign-up for additional services, giving the attackers all necessary details of their account and access codes.
- - Cryptocurrency transactions and wallets – the world of cryptocurrency is filled with QR codes. These are the easiest way of sharing payment wallets or links with another person. Considering that the users of crypto currencies are trained to scan QR codes to perform transactions, it is relatively easy for them to fall victim to such attack.
- - Imposters – this attack is a lot easier in post COVID-19 times to conduct, when all people are used to scan various QR codes, some branded and some not, with various layouts and for various things, such as menus, booking a table in a restaurant, purchasing tickets etc. This exposes the users to an attack were they might be duped into thinking that they scanned QR code for legitimate vendor yet the link they are being taken too although looks almost exactly the same is actually malicious. This way the payment details might be stolen and online accounts taken over in similar fashion as the QR codes sent via email.
QR codes scams can be encountered in emails, in text messages, on signage, on direct mail and even in person from criminals posing as utility workers or government employees.
How to Protect Yourself
QR phishing attacks can be effective, but there are ways to mitigate the risk.
Identifying a fraudulent QR code is difficult. In fact, many don’t even know that fraud can happen through a QR code.
While QR phishing attacks can bypass some security protections, they still require the victim to take action to get compromised. This gives well-trained personnel an opportunity to identify and avoid these attacks.
Additionally, most QR code scanners on modern smartphones will ask the user to verify the destination URL before launching the browser. This is another protective step that can help to mitigate the risk of QR phishing attacks.
Here are some tips to help you protect yourself from QR phishing attacks:
- - Be careful about scanning QR codes, especially if they are in public places or come from unknown sources.
- - Hover over QR codes before scanning them to see the actual URL that the QR code leads to. If the URL doesn't look right, don't scan it. The URLs can be complex as presented by Figure1 earlier on in the article, if the URL is hard to decipher and read stay on the side of caution and do not scan it.
- - Educate yourself about QR phishing attacks and how to identify them.
If you are unsure about whether or not a QR code is safe to scan, it is best to be on the side of caution and not scan it. There are QR decoders available online, although you have to be careful as some of these services might be malicious in its own right.
If your organisation is affected by regular or large number of attempts you can always contact Cyber Security Associates to see how we can help you with investigation and mitigations.
QR phishing is a growing threat, and it is important to be aware of the risks and take steps to protect yourself. Here are some conclusions to draw from the article on QR phishing:
- - QR phishing attacks can be very effective, as they can be used to bypass some security protections and trick people into revealing sensitive information or downloading malware.
- - QR phishing attacks can target both consumers and enterprises.
- - There are a number of things that individuals and organizations can do to mitigate the risk of QR phishing attacks, such as educating employees, using security solutions that can detect and block malicious QR codes andimplementing multi-factor authentication (MFA).
If you think you may have been a victim of a QR phishing attack, you should immediately change your passwords and contact your bank or credit card company. You should also scan your computer for malware.
By following these tips, you can help to protect yourself from QR phishing attacks and keep your data safe or contact Cyber Security Associates to discuss possible solutions for your organisation.