Gadget

‘Quishing’ is coming for your QR codes

A new type of threat called “quishing” has emerged, as cybercriminals use fraudulent QR codes to bypass the phishing security measures put in place by companies.

The trend has been identified by Sophos, a global leader in solutions for defeating cyberattacks, in a new research report from its Sophos X-Ops division.

This fraudulent QR code, embedded in a PDF document attached to an email, takes the form of a message about payroll, employee benefits, or other forms of official paperwork a business might send to an employee. Because QR codes are not readable by computers, the employee must scan the QR code using their mobile phone. 

The QR code links to a phishing page, which the employee may not recognise as malicious since phones usually are less protected than a computer. The goal of the attackers is to capture employees’ passwords and their multi-factor authentication (MFA) tokens in order to access a company’s system by bypassing the security measures in place.

“We spent a considerable amount of time sifting through all the spam samples we had to find examples of quishing,” says Andrew Brandt, principal researcher at Sophos X-Ops. “Our research has revealed that attacks that exploit this specific threat vector are intensifying, both in terms of volume and sophistication, especially when it comes to the appearance of the PDF document. 

In addition to social engineering tactics, the quality of emails, attachments and QR code graphics, these attacks seem to be growing in terms of organisation as well. Indeed, some malicious actors now offer as-a-service tools to run phishing campaigns using fraudulent QR codes. In addition to features such as CAPTCHA bypasses or the generation of IP address proxies to bypass automated threat detection, these criminal organisations provide a sophisticated phishing platform that can capture the credentials or MFA tokens of targeted individuals.

To encourage organisations to better protect systems against this type of attack, Sophos X-Ops offers these recommendations:

Despite the continuous development of new attack types, organisations can protect themselves from compromised systems by equipping themselves with the right tools, fostering a culture and work environment, and surrounding themselves with security vendors.

Exit mobile version