Phishing is still one of the most common attack techniques, even though it is decades old. Small changes keep breathing new life into the scheme, mainly by changing the medium: phishing was traditionally spread via email, hackers later switched to SMS (smishing), and more recently QR codes (quishing) have gained popularity as a way to lure victims to malicious websites.
In quishing, hackers abuse the principle of QR codes: people scan the code with their smartphone and are sent to whatever website the code encodes, which in this case is one the attacker controls.
The recent rise of quishing
QR codes have been around for a long time: the first code is said to have been conceived as early as 1994. However, they did not gain popularity until some 25 years later, under the impetus of the pandemic. Mainly in the hospitality industry, physical menus began to disappear and were replaced by QR codes, so that staff no longer had to disinfect the menus before handing them to the next customer. Each customer scanned the QR code with his or her own smartphone, which reduced the risk of infection.
Because of the pandemic, QR codes have been normalized. Just about everyone with a smartphone now knows how to scan one. Many catering establishments have kept the system, and the codes are increasingly popping up in other places too, because people are far more willing to scan a code now that it is no longer unfamiliar to them.
Hackers spread them easily
Hackers are gratefully taking advantage of this evolution, partly because the codes are so easy to spread. A code left lying around somewhere in a public place is bound to be scanned by someone curious enough.
They are also easy to spread by email. Even up-to-date anti-phishing filters usually fail to catch them: the QR code is sent as an inline image rather than an attachment, so the mail client displays it immediately, and the malicious URL is encoded in the image's pixels rather than in the message text or a link, where URL filters would normally inspect it. A filter has to decode the image before it can check the link at all. Only a vague or already known fake sender can then still set off the alarm bells, which means this form of phishing email gets into mailboxes more easily. Now that people also know how such codes work, the willingness to scan them has grown as well.
Deception with quishing is difficult to spot
In addition to inbox filters not working optimally, many employees and individuals are simply susceptible to phishing. The likelihood of an employee falling for a phishing message does decrease with training, and such training follows the latest trends in the cyber world, so security awareness programmes already include guidance that warns employees about quishing.
With a QR code, the risk of the victim following the phishing link increases further. There is no link text in the email that could betray the deception through spelling errors, and the underlying URL is not visible before the code is scanned. Most phone cameras do show a preview of the decoded URL, but attackers hide the real destination behind a link shortener or a redirect, so the preview tells the victim little. Victims are therefore more likely to assume that it is safe to scan the code.
Be aware of the following tricks
Research by Inky, a provider of email security solutions, previously showed that quishing is on the rise. It also allowed the researchers to identify some common patterns in this type of attack, which are good to keep in mind when you receive a QR code yourself:
- The email is formatted to make it look as if Microsoft is the sender.
- The sender address appears to belong to the victim's own company.
- The sender claims there is a problem with the account that the victim must fix by setting up 2FA or resetting a password.
- The request is very compelling and time-bound.
- If the request is not fulfilled, there will be consequences, such as the account being locked.
- There is an explicit request to scan the code with a smartphone.
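The patterns above, together with the point made earlier that the URL sits only in an inline image, can be turned into a first-line triage rule for a mail pipeline. The following is an added example written for this article, not Inky's product or any vendor's filter: it parses a raw message with the Python standard library, checks whether the HTML body embeds a cid: image, and scores the visible text against the listed signals. The two messages are constructed samples, and the regexes and weights are assumptions; a real deployment would decode the image (for example with a zbar or ZXing binding) and run the extracted URL through the normal link filter rather than stopping at a heuristic.

```python
"""Heuristic triage of inline-image phishing mails (added example, stdlib only)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Text signals derived from the patterns listed above (regexes are assumptions).
BRAND_RE = re.compile(r"\bmicrosoft\b|\boffice ?365\b", re.I)
ACCOUNT_PROBLEM_RE = re.compile(
    r"(2fa|two.factor|multi.factor|mfa|password).{0,40}"
    r"(expire|set ?up|update|verify|re-?authenticat)", re.I | re.S)
URGENCY_RE = re.compile(
    r"\b(within|in the next) \d+ (hours?|days?)\b|\bimmediately\b|\btoday\b", re.I)
CONSEQUENCE_RE = re.compile(
    r"\b(locked?|suspend(ed)?|disabled?|deactivat\w+|lose access)\b", re.I)
SCAN_RE = re.compile(r"\bscan\b.{0,40}\b(qr|code|camera|phone|smartphone)\b", re.I | re.S)


def inline_image_parts(msg):
    """Image parts shown inline: referenced as cid: from the HTML or marked inline."""
    html = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/html")
    referenced = set(re.findall(r'src=["\']cid:([^"\']+)', html, re.I))
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        cid = (part.get("Content-ID") or "").strip("<> ")
        if cid in referenced or part.get_content_disposition() == "inline":
            parts.append(part)
    return parts


def score_quishing(raw):
    """Return (verdict, signals) for a raw RFC 5322 message in bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    raw_text = " ".join(p.get_content() for p in msg.walk()
                        if p.get_content_type() in ("text/plain", "text/html"))
    text = re.sub(r"<[^>]+>", " ", raw_text)          # roughly what the reader sees
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    to_domain = parseaddr(str(msg.get("To", "")))[1].rpartition("@")[2].lower()
    signals = {
        "inline_image": bool(inline_image_parts(msg)),
        "scan_request": bool(SCAN_RE.search(text)),
        "brand_impersonation": bool(BRAND_RE.search(text))
                               and not sender_domain.endswith("microsoft.com"),
        "same_domain_sender": sender_domain != "" and sender_domain == to_domain,
        "account_problem": bool(ACCOUNT_PROBLEM_RE.search(text)),
        "urgency": bool(URGENCY_RE.search(text)),
        "consequence": bool(CONSEQUENCE_RE.search(text)),
        "no_links": "http" not in raw_text.lower(),   # the only URL lives in the image
    }
    # An inline image plus an explicit scan request is the core of the pattern;
    # the remaining signals decide whether the mail is worth a closer look.
    core = signals["inline_image"] and signals["scan_request"]
    supporting = sum(signals[k] for k in ("brand_impersonation", "same_domain_sender",
                                          "account_problem", "urgency", "consequence",
                                          "no_links"))
    verdict = "likely quishing" if core and supporting >= 2 else "ok"
    return verdict, signals


# Placeholder bytes standing in for the QR image (constructed; content is irrelevant here).
FAKE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def build_sample(from_addr, to_addr, subject, html, cid):
    """Build a multipart/alternative message whose HTML part embeds one cid: image."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, subject
    msg.set_content("Please open this message in an HTML-capable mail client.")
    msg.add_alternative(html, subtype="html")
    msg.get_payload()[1].add_related(FAKE_IMAGE, "image", "png", cid=f"<{cid}>")
    return msg.as_bytes()


# Constructed samples: one mail following the listed pattern, one ordinary newsletter
# that also carries an inline image (a logo), to show the image alone is not enough.
QUISHING_SAMPLE = build_sample(
    "it-support@example.com", "alice@example.com", "Action required: MFA update",
    "<p>Your Microsoft 365 password expires within 24 hours. Scan the QR code below "
    "with your phone camera to set up 2FA, or your account will be locked.</p>"
    '<img src="cid:qr1@example">', "qr1@example")
BENIGN_SAMPLE = build_sample(
    "news@example.org", "alice@example.com", "Garden newsletter",
    '<p>This month: planting bulbs.</p><img src="cid:logo@example">'
    '<p><a href="https://example.org/unsubscribe">Unsubscribe</a></p>', "logo@example")

if __name__ == "__main__":
    for name, sample in (("quishing", QUISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_quishing(sample))
```

The newsletter has an inline image too, so the rule only fires when the image comes with an explicit scan request and at least two of the other signals. Treat the verdict as a reason to quarantine for review, not as a final decision.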
The smartphone itself is a further weak point that quishing exploits. Hackers specifically ask the victim to scan the code with the phone's camera because smartphones, and certainly private ones, typically do not get the security measures the company applies to its computers. On a managed computer the malicious website might still be blocked by the web filter or endpoint protection; on the employee's own phone, on the mobile network, there is usually nothing in the way.
More dangers to QR codes
QR codes are loved by hackers and feared by cybersecurity professionals for yet another reason: a different type of attack called QRLJacking, or Quick Response Code Login Jacking. Here, hackers abuse applications that let users log in by scanning a QR code with an app in which they are already logged in. Some applications choose this method because it is convenient for users, but it does not come without risk.
In QRLJacking, the hacker starts a login with the legitimate service and takes the QR code it displays, which is valid for a short time only. The hacker places that code on a self-designed malicious website and sends the victim a link to it in a phishing email. With this attack, there is a greater chance that the email service's security system has already intervened and sorted the message into spam, since there is now a link for it to inspect. Should the victim still open the link and scan the relayed code with the logged-in app, the victim unknowingly approves the hacker's pending login: the hacker never sees the password, but ends up with a session logged in as the victim, which is just as useful to them.
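To make the flow concrete, here is an added simulation written for this article, not code from any real service: a minimal QR login backend, the legitimate flow, the QRLJacking relay against it, and one mitigation. The service, the phone app and the phishing page are all simulated in-process under made-up names, the token lifetime is an assumed value, and nothing talks to a network.

```python
"""Simulation of a QR-code login flow and a QRLJacking relay against it (added example)."""
import secrets


class QrLoginService:
    """Minimal QR login backend (simulation, not a real service).

    A browser asks for a login session and renders the returned token as a QR
    code; a phone app that is already logged in scans it and approves the
    session; the browser then polls and becomes logged in as that user.
    """
    TTL_SECONDS = 60   # QR login tokens are short-lived (assumed value)

    def __init__(self):
        self.sessions = {}   # token -> {"created", "initiator_ip", "user"}

    def start_session(self, initiator_ip, now):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"created": now, "initiator_ip": initiator_ip, "user": None}
        return token          # this value is what the QR code encodes

    def approve(self, token, user, scanner_ip, now, bind_to_network=False):
        """Called by the phone app after the user scans a code."""
        s = self.sessions.get(token)
        if s is None or s["user"] is not None or now - s["created"] > self.TTL_SECONDS:
            return False
        # Optional mitigation: refuse when the scanning phone and the browser that
        # requested the session do not share a public IP. A heuristic, not a fix:
        # it breaks for a phone on mobile data next to a desk on office Wi-Fi.
        if bind_to_network and scanner_ip != s["initiator_ip"]:
            return False
        s["user"] = user
        return True

    def poll(self, token):
        """Browser side: who (if anyone) has approved this session?"""
        s = self.sessions.get(token)
        return s["user"] if s else None


def legitimate_login(service, bind_to_network=False, now=1000.0):
    """The victim's own browser and phone, on the same network."""
    token = service.start_session(initiator_ip="203.0.113.42", now=now)
    ok = service.approve(token, user="alice", scanner_ip="203.0.113.42",
                         now=now + 3, bind_to_network=bind_to_network)
    return ok, service.poll(token)


def qrljacking_attack(service, bind_to_network=False, now=1000.0):
    """The attacker relays a live login token to the victim through a phishing page."""
    # 1. The attacker's browser starts a session with the real service.
    token = service.start_session(initiator_ip="198.51.100.7", now=now)
    # 2. The attacker shows that same token, as a QR code, on the phishing page
    #    and mails the victim a link to it. The token expires after TTL_SECONDS,
    #    so the relay has to happen live, not from an old screenshot.
    relayed_qr = token
    # 3. The victim opens the page and scans the code with the logged-in app.
    approved = service.approve(relayed_qr, user="alice", scanner_ip="203.0.113.42",
                               now=now + 5, bind_to_network=bind_to_network)
    # 4. The attacker's browser polls and, if approved, is now logged in as alice.
    #    No password or 2FA code was ever captured.
    return approved, service.poll(token)


def expired_token_is_rejected(service, now=1000.0):
    """A stale code, scanned after the TTL, approves nothing."""
    token = service.start_session(initiator_ip="198.51.100.7", now=now)
    return service.approve(token, "alice", "203.0.113.42", now=now + 120)


if __name__ == "__main__":
    print("legitimate:", legitimate_login(QrLoginService()))
    print("attack:", qrljacking_attack(QrLoginService()))
    print("attack with IP binding:", qrljacking_attack(QrLoginService(), bind_to_network=True))
```

The relay succeeds because nothing ties the code to the browser that will use it; the phone approves whatever token it scans. Binding the session to the initiator's network is one cheap check; a stronger one is for the app to show the user where the login request came from (IP, location, browser) and require explicit confirmation before approving.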
So, while scanning a code with a smartphone was a useful tool for the hospitality industry during the pandemic, the advance of the QR code does not come without danger. That security awareness providers were already updating their programmes to inform employees of the dangers shows that hackers are increasingly using this method. Security systems in the mailbox do not yet have good defences and easily let this form of phishing through. This explains the popularity of the QR code among attackers, but it also makes employees especially vulnerable to quishing.