Introduction
In recent years, a novel cyber threat known as “quishing” has emerged [3], exploiting QR codes in email communications to bypass traditional phishing security measures. This threat is particularly concerning due to its ability to evade detection and the increasing sophistication of these attacks.
Description
Approximately 60% of emails containing QR codes are classified as spam [1] [4], with a smaller fraction of these containing malicious QR codes that link to phishing pages [4], particularly those disguised as multifactor authentication (MFA) requests [4]. In quishing attacks [3], attackers embed fraudulent QR codes in PDF email attachments to bypass traditional phishing security measures. They often place these QR codes in communications that appear to be related to payroll or employee benefits, tricking employees into scanning them with their mobile devices [5]. When scanned, the QR codes direct users to phishing sites designed to capture passwords and MFA tokens [5].
Despite QR codes constituting only 0.01% to 0.2% of global email traffic—approximately one in every 500 emails—they are notably effective at evading anti-spam filters, leading to a skewed perception of the issue [4]. The challenge in detecting malicious QR codes arises from their representation in images [4], complicating identification and filtering by anti-spam systems. Effective detection requires recognizing QR codes within images [4], decoding them [4], and analyzing the resulting links [4]. As anti-spam technologies advance [4], attackers have adapted by employing deceptive techniques, such as using Unicode characters to create QR codes that are harder to detect [4]. Additionally, the creation of “QR code art,” where functional QR codes are integrated into visually appealing designs [1], further complicates detection efforts [4].
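A filter that only inspects image attachments never sees a QR code drawn with text characters. The following added example (not code from any of the cited sources) scans an email body for such a block by looking for the three 7x7 finder patterns. It assumes the code is rendered with half-block glyphs, two module rows per text line; the function names and the sample input are constructed for illustration.

```python
# Half-block glyphs: one character encodes two stacked modules (top, bottom).
GLYPHS = {"█": (1, 1), "▀": (1, 0), "▄": (0, 1), " ": (0, 0), "\u00a0": (0, 0)}
# The 7x7 finder pattern found in three corners of every QR symbol.
FINDER = [[int(r in (0, 6) or c in (0, 6) or (2 <= r <= 4 and 2 <= c <= 4))
           for c in range(7)] for r in range(7)]

def text_to_grid(lines):
    """Expand half-block text into rows of 0/1 modules (two rows per text line)."""
    width = max(len(l) for l in lines)
    grid = []
    for line in lines:
        cells = [GLYPHS[ch] for ch in line.ljust(width)]  # re-pad stripped trailing spaces
        grid += [[c[0] for c in cells], [c[1] for c in cells]]
    return grid

def finder_at(grid, top, left):
    return all(grid[top + r][left + c] == FINDER[r][c] for r in range(7) for c in range(7))

def locate(grid):
    """Search for three finder patterns laid out as on an n x n QR symbol; return n."""
    rows, cols = len(grid), len(grid[0])
    for t in range(rows - 20):
        for l in range(cols - 20):
            if finder_at(grid, t, l):
                for n in range(21, min(rows - t, cols - l) + 1, 4):  # valid sizes: 21, 25, ...
                    if finder_at(grid, t, l + n - 7) and finder_at(grid, t + n - 7, l):
                        return n
    return None

def find_unicode_qr(body):
    """Return the module size of the first QR-like glyph block in body text, else None."""
    block = []
    for line in body.splitlines() + [""]:  # trailing "" flushes the last block
        if line.strip() and all(ch in GLYPHS for ch in line):
            block.append(line)
            continue
        if len(block) >= 11 and (size := locate(text_to_grid(block))):
            return size
        block = []
    return None

def constructed_sample():
    """Constructed input: 21x21 grid with three finder patterns and checkerboard filler."""
    g = [[(r + c) % 2 for c in range(21)] for r in range(21)] + [[0] * 21]
    for top, left in ((0, 0), (0, 14), (14, 0)):
        for r in range(7):
            g[top + r][left:left + 7] = FINDER[r]
    inv = {v: k for k, v in GLYPHS.items() if k != "\u00a0"}
    art = ["".join(inv[p] for p in zip(g[i], g[i + 1])) for i in range(0, 22, 2)]
    return "Scan to view the document:\n" + "\n".join(art) + "\nHR Team"
```

A hit means the message should go through the same decode-and-analyze path as an image QR code; the sample grid carries finder patterns only and is not a decodable code.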
Research indicates that the volume and sophistication of these attacks are increasing [2], with improved quality in the emails [2], attachments [2] [3] [4] [5], and QR code graphics [2]. Some malicious actors are now offering tools as a service to facilitate phishing campaigns using these QR codes [2], including features designed to evade automated threat detection [2], such as CAPTCHA bypasses and IP address proxies [5].
Users often exhibit less caution when scanning QR codes compared to clicking on suspicious URLs [4], which poses a significant risk [4]. Scanning an unknown QR code can lead to phishing sites or malware [4], similar to the dangers of clicking on dubious links. To mitigate risks associated with QR codes [3] [4], users are advised to treat scanning as equivalent to clicking on an unknown hyperlink [4]. Utilizing online QR code decoders can help users inspect the encoded data before scanning [4]. Tools like Cisco Secure Malware Analytics (Threat Grid) allow users to navigate to URLs safely without compromising their device security [4]. It is crucial to avoid entering personal credentials on unknown sites and to navigate directly to trusted websites instead [4].
To enhance defenses against such attacks [2], organizations are encouraged to be cautious of internal emails related to HR topics [3], install secure QR code scanners like Sophos Intercept X for Mobile [3] [5], monitor for unusual sign-in activity [3], and enable Conditional Access to enforce access controls [3]. Advanced email filtering solutions are recommended to detect fraudulent QR codes in emails and attachments [3]. Organizations should also encourage employees to report suspicious incidents promptly and have a plan to revoke access for compromised user sessions [3]. By implementing these measures [3], organizations can better protect themselves against the risks associated with QR code phishing attacks [3]. Sophos plans to expand its QR code phishing protection to include codes in attachments by early 2025 [5].
Conclusion
The rise of “quishing” represents a significant challenge in the realm of cybersecurity, as attackers continue to refine their methods to bypass existing defenses. The impact of these attacks is profound, with potential breaches of sensitive information and financial loss. Mitigation strategies, such as employing advanced email filtering, using secure QR code scanners [3] [5], and educating users on the risks of scanning unknown QR codes, are essential in combating this threat. As technology evolves, so too must the defenses against such sophisticated cyber threats, necessitating ongoing vigilance and adaptation by organizations and individuals alike.
References
[1] https://www.infosecurity-magazine.com/news/60-emails-qr-codes-spam-malicious/
[2] https://securityreviewmag.com/?p=27407
[3] https://menews247.com/from-qr-code-to-compromise-the-growing-threat-of-quishing/
[4] https://blog.talosintelligence.com/maliciousqrcodes/
[5] https://www.intelligentciso.com/2024/11/19/from-qr-code-to-compromise-the-growing-threat-of-quishing/