Not long ago, getting an email with a QR code might have made you skeptical. But by 2023, things have evolved significantly. QR codes are now a common part of our daily lives, used for everything from checking out restaurant menus to making online payments and using public transit apps. We've become so accustomed to them that we instinctively reach for our phones to scan them whenever we see one.
However, this change in our behavior has caught the attention of cybercriminals. They're exploiting our trust in QR codes to execute more advanced phishing schemes, known as "quishing." While the basic tactics of phishing haven't changed much, quishing adds a layer of complexity that makes these attacks harder to spot. By concealing malicious links within QR codes, attackers compel victims to switch from their computers to mobile devices, which often have less robust security measures in place.
Originally created by a Japanese company in 1994 for tracking auto parts, QR codes have quickly become a global phenomenon. Inspired by the black-and-white pieces of the Go game, these codes can store and retrieve data more efficiently than traditional barcodes. The COVID-19 pandemic boosted their usage, as they offered a touch-free alternative for sharing content, replacing various forms of physical media. Today, it's not unusual to find QR codes on restaurant menus, airline tickets, and even as text-free stickers on the street, inviting curious onlookers to scan and discover their content.
Quishing attacks start with the creation of a QR code, which is then usually sent to potential victims via email. It's become quite straightforward for cybercriminals to generate these QR codes and link them to deceptive websites. The code is incorporated into an email that prompts the recipient to scan it to access specific information. A typical trick might be to offer access to an "encrypted voice message" via the QR code. When the victim scans the code, their browser directs them to a fraudulent website. A pop-up may then appear, asking for login details, which can be collected and either sold or used for additional attacks.
Some reports indicate that cybercriminals are increasingly incorporating QR codes into their schemes, giving them the opportunity to be more creative and target individuals in more unexpected places. On top of that, the increasing use of QR codes has exposed a gap in public awareness about digital security. While many people are cautious about clicking on unfamiliar links in emails, the same level of scrutiny is often not applied to QR codes. This oversight can be risky; for example, if you encounter a QR code that seems out of place, like one taped to a restaurant table, it's safer to ask for a physical menu rather than scanning the code.
This issue has come to the forefront in Texas, where cities like San Antonio, Austin, and Houston have fallen victim to scams involving fraudulent QR codes on pay-to-park kiosks. The scam was first identified in San Antonio in late December and later appeared in Austin and Houston.
While the scam has so far been localized to Texas, it has caught the attention of law enforcement agencies in other states. The Massachusetts State Police, for instance, issued a warning to local municipalities, highlighting the inherent risks of QR codes, which are often perceived as quick and convenient. Police in Framingham, Massachusetts, issued a similar advisory, noting that their city does not use QR codes, thereby eliminating this particular risk for residents.
But quishing attacks are not just targeting individuals; organizations and their employees are increasingly at risk. Email campaigns featuring QR codes are becoming a significant concern for businesses. Cybercriminals are exploiting this method to compromise business accounts, either by stealing login credentials or by distributing malware across corporate IT networks.
A significant phishing campaign active since May has been targeting a major U.S. energy company as well as various other industries, including finance, insurance, manufacturing, and tech, in an attempt to steal Microsoft account credentials. Researchers found that nearly a third of the emails in this campaign contained malicious QR codes, attached in PNG or PDF formats, asking the recipient to scan a QR code.
Historically, QR codes have not been popular for phishing attacks, primarily because they limit user interaction. But scanning a QR code typically occurs on a mobile device, which places the user outside the protective measures usually provided by an enterprise environment. Additionally, it's harder for people to assess the trustworthiness of a URL embedded in a QR code, and spam filters struggle to evaluate QR images in attachments, making it more likely that such emails will reach their intended targets.
Be vigilant for red flags commonly found in phishing attempts, such as urgent language and emotional appeals—like invoking fear or sympathy. Before scanning a QR code, especially if it's sent by a friend or colleague, confirm its legitimacy with the sender. Consider the context: Does the message align with what you know about the person? Is it typical for them to share such opportunities? Trust your instincts and refrain from scanning until you're certain the code was sent intentionally.
Never scan a QR code from an unknown sender. If a message comes unsolicited and contains a QR code, it's best to avoid scanning it, particularly if it urges immediate action or promises enticing rewards. Scammers often employ such tactics to rush you into making unverified decisions.
Before opening a QR code's URL, take a moment to review its preview to assess its legitimacy. Ensure the website uses HTTPS instead of HTTP, is free of glaring typos, and features a reputable domain. Avoid clicking on unfamiliar or shortened links.
Be cautious if a QR code directs you to a website requesting personal details, login information, or payment. Rather than downloading an app or other content directly via a QR code, it's safer to locate and download it from your phone's official app store.
Exercise caution with shortened URLs. If a QR code leads to a shortened link, you can't be sure where it will take you. Confirm the QR code's authenticity before proceeding. Once on the website, scrutinize the URL to ensure it aligns with the expected domain and subdomain. Scammers frequently manipulate these details to make fraudulent sites appear genuine.
Lastly, be on the lookout for tampered QR codes. Scammers sometimes alter legitimate business ads or place stickers over QR codes. If you notice any signs of tampering, alert the business to verify the code's authenticity. Most businesses use durable materials like laminate or glass to protect their QR codes, often incorporating their logo for added verification.
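The URL checks recommended above (HTTPS, shortened links, a host that matches the expected domain and subdomain), written as an added Python example that is not part of the original article. It inspects a URL that has already been decoded from a QR code; the shortener list, the warning names and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of link-shortening hosts; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_qr_url(payload, expected_domains):
    """Return a list of warnings for a URL decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    warnings = []
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if parts.username or parts.password:
        # "https://example.com@other.host/" really goes to other.host
        warnings.append("userinfo-in-url")
    if host in SHORTENERS:
        warnings.append("shortened-link")  # final destination is hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")   # possible look-alike characters
    if is_ip_literal(host):
        warnings.append("ip-literal-host")
    # The host must equal an expected domain or be a true subdomain of it.
    # A substring test would wrongly accept "login.example.com.evil.test".
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append("unexpected-domain")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads using reserved example domains.
    for url in ["https://login.example.com/voicemail",
                "http://login.example.com.evil.test/",
                "https://bit.ly/abc123",
                "https://example.com@192.0.2.10/login"]:
        print(url, "->", assess_qr_url(url, {"example.com"}) or "no warnings")
```

An empty result only means none of these particular checks fired; it does not show that the destination is safe.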
We are a dynamic team of creative strategists and digital experts committed to spreading the word about anything cybersecurity. We do more than just sell a network detection and response system; we keep our fingers on the pulse of cybertrends and share the knowledge we have within Muninn.