Caution, Quishing: Criminals use QR codes for phishing attacks
by Tina Siering
What is Quishing and why is it so dangerous?
The word quishing is made up of the two terms "QR" (Quick Response) and "Phishing". It is a phishing attack in which you are prompted in an email to scan a QR code with your smartphone. If you comply with this request, you are redirected to a fraudulent website.
A quishing email has many characteristics that are also known from phishing attacks. For example, cybercriminals pretend that there is an immediate need for action due to a security problem. In the message, they also threaten you with negative consequences that will occur if you do not take action immediately. On the target page, in turn, you are supposed to enter your credentials, which then go directly into the hands of the scammers, or download documents that compromise your smartphone with malware.
While a conventional phishing email lures the unsuspecting user to the fake page via a link, quishing does this via a QR code embedded as an image. And that is precisely what makes this method so dangerous: security programs can only identify suspicious attachments and URLs as possible threats, but not images. Consequently, virus scanners classify quishing emails as harmless and do not move them to the spam folder.
At the same time, the probability that a user will actually scan a fraudulent QR code is relatively high. The QR code is widespread in our digital world and is considered a practical solution for accessing information from the Internet in a straightforward manner using a smartphone. It is also a smart way to perform security queries across devices. For example, some banks use QR codes to obtain approval for a bank transfer by cell phone. During the Covid 19 pandemic, traders were able to check their vaccination status via a QR code scan. So we're all already used to scanning QR codes on the screen and see them as trustworthy.
Quishing in practice: This data is particularly interesting for fraudsters
Hackers have already exploited the trust in QR codes for their criminal activities several times in the recent past. Particularly popular are scams that target access data for Microsoft Office 365 accounts. These can often be used to attack other accounts of the same user.
For example, in October 2022, fraudsters sent quishing emails in the name of the financial services company Wells Fargo. These contain the message that a payment has been made and a PDF attachment with the file name "Wellsfargo_ACHCOPY.pdf". Anyone who opens the PDF file is shown a blurred invoice with a QR code above it. After scanning it, the user is taken to a manipulated, deceptively real-looking Microsoft Office 365 login page, where they are supposed to enter their user data in order to view the invoice.
And Microsoft 365 cloud applications have already been the target of quishing scams before. At the end of 2021, for example, media reported on a campaign in which cybercriminals had replaced a phishing URL with a QR code in order to bypass virus scanners. At that time, users were supposed to enter their login data after scanning a prepared Microsoft 365 page in order to listen to a voicemail.
How to protect yourself from quishing
Even though e-mail spam and virus protection do not screen out quishing e-mails, you are still not helpless against the cybercriminals. If you adhere to the following recommended actions, you can significantly increase your protection against quishing attacks:
1. Perform a plausibility check.
Even before you open an e-mail, you should critically question whether it could be a phishing message. You should always be careful if you do not know the sender and the subject does not make sense to you or puts you under pressure. If there is also a file attached, you should delete the e-mail immediately - and without taking a closer look at the message. 2.
2. Keep your operating system and virus protection up to date
Security updates are the be-all and end-all for effective protection against cyber attacks. Therefore, make sure that you always update both your operating system and all applications in a timely manner. Use the automatic update services and websites of the software manufacturers to ensure that you do not miss any security updates. This is the only way to close critical security gaps quickly.
3. Set up multifactor authentication
If you do fall for a quishing email and reveal your credentials to fraudsters, it's only half as bad if you've previously protected your user account with multifactor authentication (MFA). This is because MFA requires two or more credentials for a successful login. Most often, this is a combination of a password and another login factor based on a security question, biometric features, or a physical object - such as a smartphone. Without this additional authentication, your password is useless to quishing fraudsters.
4. Use an early attacker detection solution.
Allgeier secion's Active Cyber Defense (ACD) service monitors all systems on your network - regardless of their operating system, device type or logging capabilities. In addition to servers and desktops, it also includes smartphones, IoT, ICS, OT, BYOD and third-party devices in the monitoring, for example. Unlike virus programs, the Managed Detection and Response (MDR) service identifies potential attackers independently of malware or signatures. It checks at the network level for potential attacker communication to Command & Control servers and whether compromise has occurred.
Since Allgeier secion's IT security analysts monitor your IT infrastructure around the clock, suspicious cases are uncovered immediately after a compromise has occurred and reported to you immediately if action is required. This gives you enough time to initiate targeted incident response measures in good time and avert major damage.
Conclusion
At the latest since the Corona pandemic, smartphone users of all ages have become accustomed to QR codes. Hackers exploit the great trust we place in the little squares for their criminal purposes by sending phishing emails with QR codes. The tricky thing about this is that conventional virus scanners do not assess QR codes as a security risk, so a quishing e-mail is not classified as suspicious and lands in your inbox.
You can still protect yourself by critically examining e-mails, securing online accounts via multifactor authentication, and installing security updates promptly. However, the most effective protection against the potentially serious consequences of a quishing attack is provided by Allgeier secion's Active Cyber Defense (ACD) service: The Managed Detection and Response (MDR) service relies on proactive early attack detection and integrates all systems and devices within your network into the monitoring without exception - including smartphones. In the event of an emergency, the ACD team informs you at an early stage and thus protects you from data theft and extortion.
Need help upgrading your IT security for 2022? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.