Miscreants have ramped up their use of QR codes to phish for credentials.
“INKY recently caught hundreds of QR code phishing emails, and while these credential-harvesting emails came from several different hackers, the similarities are clear,” company researchers said in a Fresh Phish blog post.
That shouldn’t be surprising, given the rapid rise in the use of QR codes and threat actors’ drive to exploit the latest points of vulnerability. As INKY noted, fewer than 15 years ago, most consumers (97%) weren’t familiar with QR codes, “but by 1Q22, Americas led the world in QR code usage with 2,880,960 scans, making these quirky codes an appealing path for new and sophisticated phishing campaigns.”
As Yogi Berra once observed, “’It’s déjà vu all over again,’” said Timothy Morris, chief security advisor at Tanium.
“Except this time, instead of similar-looking URLs to trick users into giving up credentials, it’s a non-human-readable QR code. Using QR codes for malicious activity isn’t new, but as the Fresh Phish report shows, it is trending in popularity,” he said.
Indeed, “QR codes are inherently untrustworthy. However, the COVID-19 pandemic brought them into use cases where they are highly trusted,” said Casey Ellis, founder and CTO at Bugcrowd. “Once you’ve gotten used to scanning a QR without thinking about it, from a security standpoint, it becomes a pretty attractive payload delivery vehicle for attackers.”
It could be argued “that using a QR code is just as risky as plugging an unknown USB stick into your device–you have no idea where it is going to lead you, what malware it might download, or what that link will look like or ask you,” said Rick Hanson, president of Delinea.
Noting that “security awareness practitioners and phishing bad actors have been in an arms race for years and will be, at least for the foreseeable future,” Georgia Weidman, security architect at Zimperium, said, “the only thing that we can truly depend upon is that, one, the phishers will try to find every possible path to deliver phishes and, two, some users will attempt to follow the phishing links.”
The ”fresh phish” observed by INKY were characterized by imaged-based phishing, Microsoft impersonation and appeared to come from inside a recipient’s organization. The messages asked the employee target to take care of an issue, perhaps setting up 2FA, verifying accounts or changing passwords. They came with a sense of urgency and were underscored with consequences if the task was not performed, whether that was avoiding being locked out of an account or being held responsible for what might occur.
The phishing message asked employees to scan a malicious code provided in the email.
In one example shared by INKY, the phish originated from the account of a digital marketing service operating in Canada, France and the United States that had been hijacked. “INKY caught 267 of these destructive little phishes,” the blog post said.
“It’s important to note that these three QR code phishing emails weren’t sent to just a handful of INKY customers,” INKY said. “They were part of a ‘spray and pray’ approach. Phishers send their emails to as many people as possible (spray) and then hope (pray) that a strong majority of recipients will fall for the ruse.”
In the examples provided by the researchers, “what appears to be email text in the examples above is something altogether different,” INKY wrote. “Malicious QR codes are just one part of the puzzle. Without the right email security in place, these dangerous messages would have gone undetected due to another known phishing tactic—image-based textual messages sent as an attachment.”
To get around secure email gateways (SEGs) and other security systems that “are designed to detect basic textual clues that signal phishing,” INKY said, miscreants have designed emails without text, instead embedding text in an email attached to the phishing email. “This works because most email clients automatically display the image file directly to the recipient rather than delivering a blank email with an image attached,” according to the blog post. “As a result, recipients don’t know that they are looking at a screenshot of text instead of HTML code with text, and since there are no links or attachments to open, the email feels safe.”
That underscores how traditional security can fall short. “The traditional network perimeter model with ingress and egress testing is simply no longer sufficient,” Weidman said. “In today’s mobile-first world, every mechanism that can deliver a URL can be used to instantiate a phish and the device itself needs to be able to detect phishing behaviors since there is no guarantee the traffic will even transit the IP network as opposed to the mobile network.”
Organizations can’t afford to ignore these attacks, as they could herald something much larger and more destructive. “These types of credential harvesting attacks are often the first stage of an attack that culminates in ransomware or data exfiltration,” said Patrick Harr, CEO at SlashNext. “This new attack technique is a reminder of how important it is to have comprehensive real-time URL protection across email, mobile, browser and collaboration apps.”
In fact, “the latest tactics, techniques and procedures (TTPs) used by attackers in their phishing emails are an evolution in response to protections we’ve built against their previous TTPs,” said Randy Watkins, CTO at Critical Start.
“Image-based phishing prevents security controls that examine the words of the email to determine intent, while QR codes prevent URL-based protections. This is a continuation of the cat-and-mouse game cybersecurity is built on,” said Watkins. “The focus should be broadened to look at the attack surface rather than just the means of delivery. While email is the most prominent vector, user-targeting attacks are starting to become multi-platform. With attackers using social media like LinkedIn and Twitter to reach out to users externally, attackers have also been directing attention toward internal communications platforms like Slack and Teams as a means of targeting the user.”