Cybercriminals are using email-based quishing attacks to target users, according to threat researchers. At least one quishing campaign appears to be large-scale, long-running and dynamic, based on attack cadence and variations in the lures and domains the messages use.
Quishing, also known as QR code phishing, involves tricking someone into scanning a QR code using a mobile phone. The QR code then takes the user to a fraudulent website that might download malware or ask for sensitive information.
Patrick Schläpfer, malware analyst at HP, said his team has observed email-based quishing activity on an almost daily basis for months. The researchers have been tracking a particular QR code phishing campaign that first came to their attention when they noticed a series of suspicious emails with similar Word documents attached.
On closer inspection, they found each document contained Chinese text and a QR code. The message appeared to come from the Chinese Ministry of Finance -- while actually coming from threat actors -- and told recipients they were eligible to receive a new government-funded subsidy. To get their payments, the document instructed, users should use their mobile devices to scan the QR code, which would redirect them to an application form where they could submit their personal and financial information.
In another, similar attack HP uncovered, users received an email that appeared to come from a parcel delivery service, requesting payment via a QR code.
The QR code, according to Schläpfer, is a way to force a user to move from a desktop or laptop to a mobile device, which often sits outside the enterprise's email and web filtering and might have weaker antiphishing protections. While the campaign the HP researchers discovered aimed to solicit individuals' financial information, threat actors could also use such quishing campaigns to distribute mobile malware and steal enterprise login credentials.
"It's very likely that QR phishing is happening at a wider scale using a variety of methods," Schläpfer said.
Email security vendor Abnormal Security previously identified a quishing campaign that used a QR code to get past email security gateways, which commonly extract and scan URLs from message text and can therefore miss a link that exists only as a QR code inside an image. The attack appeared to be an attempt to steal users' Microsoft login credentials, the vendor reported.
What quishing is and how it works
Quishing is a type of phishing attack in which a threat actor uses a QR code to manipulate users, typically by redirecting them to a website that either downloads malware or solicits their sensitive information.
A QR code, or quick response code, is a two-dimensional barcode that smartphone cameras and scanner apps can read. Scanning one most often opens a webpage, but the encoded payload can also trigger a phone call, text message or digital payment.
Anecdotal evidence suggests quishing attacks have increased since the beginning of the COVID-19 pandemic when a growing number of legitimate organizations started using QR codes to enable low-contact transactions. Some restaurants, for example, link QR codes to online menus, rather than providing diners with hard copies. Digital wallets use QR codes to facilitate contactless payments. As users have become increasingly accustomed to interacting with QR codes in daily life, quishing opportunities have increased.
For example, according to the Better Business Bureau (BBB), a now-common scam involves sticking fraudulent QR codes on parking meters to trick drivers into sharing financial credentials when they try to pay for parking. The BBB has warned consumers they could encounter QR code scams in emails, in text messages, on signage, on direct mail and even in person from criminals posing as utility workers or government employees.
Many quishing attacks to date have targeted individual consumers, but enterprises and their employees are also vulnerable. In particular, email-based QR phishing campaigns, such as the ones the HP and Abnormal Security researchers uncovered, could target business accounts for credential theft or malware distribution.
How to prevent quishing attacks
As with any type of phishing, the best defense against quishing attacks is an educated user base. Enterprises should provide security awareness training that includes the following best practices:
- Never scan a QR code from an unfamiliar source.
- If you receive a QR code from a trusted source via email, confirm through a separate channel, such as a text message or voice call, that the message is legitimate.
- Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to your emotions, including sympathy or fear.
- Review the URL preview most phone cameras show before opening it. Check the actual domain (the part before the first slash) for misspellings and lookalike names, and treat HTTPS as a minimum, not as proof of legitimacy; phishing sites routinely use valid certificates. Don't open unfamiliar or shortened links, which hide the final destination.
- Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.
- Observe good password hygiene: never reuse a password across accounts, and change your email password promptly if you suspect you entered it on a fraudulent site. Routine forced rotation adds little on its own; what matters is uniqueness and a quick change once a password may have been phished.
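The payload types a scanner can encounter and the URL checks listed above can be written down as a small triage routine. The following is an added example, not code from HP, Abnormal Security or any product named on this page. It assumes the QR image has already been decoded to a string upstream (for instance by a gateway that runs a barcode decoder over attached images, closing the gap described above where gateways only scan message text); the allowlist, shortener list and brand list are hypothetical placeholders, and the sample payloads are constructed.

```python
"""Classify decoded QR payloads and triage the URLs they carry.
Assumes the QR image was already decoded to a string upstream (e.g. by a
gateway running a barcode decoder over attached images). Allowlist,
shortener and brand lists are hypothetical placeholders.
"""
import ipaddress
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"login.microsoftonline.com", "example.com"}  # hypothetical allowlist
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "ow.ly", "cutt.ly"}  # hide destination
BRANDS = ("microsoft", "office", "paypal", "dhl", "fedex", "ups")  # often impersonated
LEET = str.maketrans("013457", "oleast")  # digit-for-letter swaps: micros0ft -> microsoft
HIGH_RISK = {"missing_host", "userinfo_in_url", "ip_literal_host", "punycode_host"}


def classify_payload(payload):
    """Name the action a phone takes after scanning this payload."""
    low = payload.strip().lower()
    if low.startswith(("http://", "https://")):
        return "url"
    if low.startswith("tel:"):
        return "phone_call"
    if low.startswith(("sms:", "smsto:")):
        return "text_message"
    return "text"


def registrable_domain(host):
    """Last two labels; a crude stand-in for a public-suffix lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_brand(host):
    """Return the brand a non-allowlisted host imitates, or None."""
    base = registrable_domain(host).split(".")[0]
    for token in re.split(r"[-_]+", base):
        normalized = token.translate(LEET)
        for brand in BRANDS:
            if token and normalized == brand:
                return brand
            # One-edit typosquats only for longer brands; short ones
            # (ups, dhl) would collide with ordinary words (cups).
            if len(brand) >= 5 and _edit_distance(normalized, brand) <= 1:
                return brand
    return None


def triage_url(url):
    """Return (verdict, reasons); verdict is 'trusted', 'review' or 'block'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    reasons = []
    if not host:
        reasons.append("missing_host")
    if parts.scheme != "https":
        reasons.append("not_https")
    if parts.username is not None:  # https://paypal.com@evil.example/ connects to evil.example
        reasons.append("userinfo_in_url")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip_literal_host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:  # encoded IDN label, possible homoglyph
        reasons.append("punycode_host")
    if registrable_domain(host) in SHORTENERS:
        reasons.append("url_shortener")
    if host in TRUSTED_DOMAINS or registrable_domain(host) in TRUSTED_DOMAINS:
        return ("trusted" if not reasons else "review", reasons)
    brand = looks_like_brand(host)
    if brand:
        reasons.append("lookalike_of_" + brand)
    if any(r in HIGH_RISK or r.startswith("lookalike_of_") for r in reasons):
        return ("block", reasons)
    reasons.append("domain_not_allowlisted")  # unknown site: review, never auto-open
    return ("review", reasons)


# Constructed payloads standing in for decoded QR codes from lures like those above.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "http://micros0ft-login-secure.com/verify",
    "https://paypal.com@198.51.100.7/login",
    "https://bit.ly/parcel-fee",
    "tel:+1-202-555-0123",
]


def triage_all(payloads):
    """Classify each payload; URLs also receive a verdict and reasons."""
    results = []
    for p in payloads:
        kind = classify_payload(p)
        verdict, reasons = triage_url(p) if kind == "url" else (None, [])
        results.append((p, kind, verdict, reasons))
    return results
```

Calling `triage_all(SAMPLE_PAYLOADS)` marks the Microsoft login URL as trusted, blocks the `micros0ft` lookalike and the `paypal.com@` userinfo trick, and sends the shortener link for review because its destination cannot be inspected. The brand heuristic is deliberately simple (digit substitutions and one-character edits) and will not catch every homoglyph; in production the punycode check would be paired with a decoder and the allowlist with a real public-suffix list.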
Organizations should also consider additional security controls that can help combat multiple types of phishing attacks and mitigate the damage if one is successful. These include the following: