QR code vulnerabilities: new techniques

Issue 6 2023 Information Security, News & Events

In the ever-evolving landscape of cybercrime, threat actors are constantly discovering new methods and using them to target organisations. One such emerging threat is known as ‘quishing’, or QR code phishing. A quishing attack usually begins with the scanning of a QR code: the technique tricks an organisation's users into scanning a QR code with a mobile phone, and the QR code then redirects the user to a phishing or fake website that aims to steal their credentials.

In the past, attackers used various types of URLs and attachments to deliver phishing emails. But, with today's advanced email gateway security controls, bypassing the email gateway is not an easy task.

One of the main reasons why threat actors choose the QR code is that it is the simplest way to force a user to move from a desktop or laptop to a mobile device, which usually has no anti-phishing protections. QR codes also have several advantages over a phishing link embedded directly in an email.

Another reason is that these phishing emails get through email security gateways easily because, currently, the email gateway sandbox is not capable of scanning the QR code and giving a verdict on whether it is phishing or not. Because the email security gateway does not inspect the QR code, attackers are taking advantage of this gap and increasingly targeting users with QR code phishing techniques.

The attack begins with an email that claims the recipient must take action to update or view their organisational account settings. These emails carry PNG, JPEG or GIF images, or other attachments, that contain a QR code, and the recipient is prompted to scan it to verify their account. The emails also press for action within 2-3 days, using subject words such as ‘Urgent’, ‘Important’, ‘2FA’ and more, and trick the user with subjects related to ‘salaries’, ‘increment’, ‘appraisals’ and the like.
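The traits described above (an image attachment carrying the QR code, an urgency or payroll subject, a request to scan with a phone, a short deadline and no clickable URL for the gateway to inspect) can be turned into a simple mail triage rule. The following is an added example, not code from the article or from any gateway product; it uses only the Python standard library, does not decode the QR image itself, and the sample message and its PNG placeholder are constructed for illustration.

```python
"""Hypothetical heuristic triage for QR-code phishing ("quishing") emails."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment types the article names as carriers of the QR code.
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}
# Subject words the article lists as common lures.
SUBJECT_TERMS = re.compile(r"\b(urgent|important|2fa|salar(y|ies)|increment|appraisals?)", re.I)
BODY_TERMS = re.compile(r"\b(scan|qr code|mobile|phone)\b", re.I)
ACTION_TERMS = re.compile(r"\b(verify|update|view)\b.*\baccount\b", re.I)
DEADLINE = re.compile(r"\bwithin\s+\d+(\s*-\s*\d+)?\s+days?\b", re.I)


def score_quishing(raw: bytes) -> dict:
    """Return a score, a verdict and the reasons for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_TERMS.search(msg.get("Subject", "")):
        reasons.append("urgency/payroll term in subject")
    images = [p for p in msg.walk() if p.get_content_type() in IMAGE_TYPES]
    if images:
        reasons.append(f"{len(images)} image attachment(s) that may carry a QR code")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if BODY_TERMS.search(text):
        reasons.append("body asks the reader to scan with a phone")
    if ACTION_TERMS.search(text):
        reasons.append("body demands an account action")
    if DEADLINE.search(text):
        reasons.append("body sets a short deadline")
    # The QR image replaces the link, so URL inspection has nothing to examine.
    if images and not re.search(r"https?://", text):
        reasons.append("no URL in body although an image is attached")
    return {"score": len(reasons), "suspicious": len(reasons) >= 3, "reasons": reasons}


def sample_quishing_email() -> bytes:
    """Constructed sample in the style the article describes; the PNG bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.com"  # constructed sender
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Urgent: 2FA update required"
    msg.set_content("Your account settings must be updated within 2 days.\n"
                    "Scan the QR code below with your mobile phone to verify your account.\n")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n placeholder, not a real QR image",
                       maintype="image", subtype="png", filename="qr.png")
    return bytes(msg)


if __name__ == "__main__":
    print(score_quishing(sample_quishing_email()))
```

A real gateway rule would additionally decode the QR image and pass the embedded URL through the same reputation and sandbox checks applied to links in the body.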
