Part of the struggle in combating cyberattacks is that threat actors never stand still. Tactics and threats evolve constantly in an attempt to outwit cybersecurity controls, strategies and training programs. A new threat gaining traction over the last year or so is QR code phishing. This article examines the use of QR codes in phishing along with some security tips for mitigating this threat.
QR codes aren’t a new technology; in fact, their use stretches as far back as 1994, when a Japanese automotive company began using them to track their inventory of car parts. QR (or quick response) codes are special barcodes that store data both horizontally and vertically, which means they can hold a lot more data than typical barcodes (the maximum capacity stands at 4,296 alphanumeric characters).
Smartphones and other digital devices can easily scan QR codes and read the data stored inside them. Formerly, smartphones required dedicated apps to scan QR codes, but most manufacturers began equipping new models with QR code scanners midway through the 2010s.
Initial use cases among customers were mostly limited to scanning a QR code to download a mobile app or connect to a Wi-Fi hotspot. The adoption and popularity of these codes tapered off to a fairly low level. However, the COVID pandemic sparked a huge resurgence in their use as restaurants, cafes and other service businesses sought ways to continue normal business activities while reducing physical contact between people.
Then, as vaccination campaigns gained traction worldwide, many countries started using QR codes to verify the vaccination status of individuals. These codes are now ubiquitous in many layers of society, from civil services to customer-facing businesses.
The resurgence of QR codes didn’t only pique the interest of technology journalists and commentators—threat actors were also quick to take note. While susceptibility to traditional phishing emails remains high, people are getting better at recognizing the flags that indicate suspicious emails. This accuracy improves further when businesses incorporate simulated phishing exercises into their security training and awareness programs.
QR codes provide a way for adversaries to diversify their phishing tactics. Often, the telltale sign detected by targets of phishing emails is a strange URL leading to a malicious website. But QR codes enable threat actors to mask the URL so that an unsuspecting user scanning the code gets taken to a malicious site without any indicator of malice that’s discernable by the naked eye.
Furthermore, increasingly advanced email filtering solutions powered by artificial intelligence have high levels of accuracy in detecting suspicious links in emails. These solutions flag URLs and filter phishing emails before they arrive in user inboxes. The functionality of many such solutions does not extend to QR codes, so QR phishing provides a route around advanced email security tools.
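The gap described above can be narrowed at the mail gateway by looking at what a link filter actually sees in a message. The following added example (not code from the original article) walks a message's MIME parts, lists the URLs visible in the text, and flags messages whose images should go to a QR decoder; the function names, the keyword pattern and the sample messages are constructed assumptions, and the decoding step itself is left to whatever QR library the pipeline uses.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SCAN_RE = re.compile(r"\b(scan|qr[ -]?code)\b", re.I)  # assumed keyword heuristic

def triage(raw: bytes) -> dict:
    """Report what a link filter can see and whether images need QR decoding."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, images, text = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images.append(part.get_payload(decode=True))
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            text.append(body)
            urls.extend(URL_RE.findall(body))
    asks_to_scan = bool(SCAN_RE.search("\n".join(text)))
    return {
        "visible_urls": urls,
        "images": images,
        "asks_to_scan": asks_to_scan,
        # Decode images when the text asks for a scan or offers no link to check.
        "needs_qr_decode": bool(images) and (asks_to_scan or not urls),
    }

def build_sample(body: str, image: bytes) -> bytes:
    """Constructed test message: a text body plus one attached image."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    msg.add_attachment(image, maintype="image", subtype="png", filename="a.png")
    return msg.as_bytes()

# Constructed placeholder bytes, not a real QR image.
FAKE_PNG = b"\x89PNG\r\n\x1a\n(constructed placeholder)"
QUISH = build_sample("You have a new voice message. Scan the code to listen.", FAKE_PNG)
BENIGN = build_sample("Your invoice: https://example.com/invoice", FAKE_PNG)

if __name__ == "__main__":
    for name, raw in (("quish", QUISH), ("benign", BENIGN)):
        r = triage(raw)
        print(name, r["visible_urls"], r["needs_qr_decode"])
```

Any URL recovered from a flagged image should then be passed through the same reputation and link checks that apply to URLs in the message text.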
While email is the main potential mode of delivery for QR code phishing (or “quishing”), it’s not the only one. Another way these scams can work is when threat actors strategically place malicious QR codes. They might overlay an existing QR code on a restaurant menu, advertisement or noticeboard with a malicious code in an effort to take advantage of the implicit trust sparked by the widespread use of these codes.
It’s worth a brief run-through of some real-world incidents to see what sort of victims have been targeted with QR code phishing so far and what the consequences were.
December 2021 saw a news story highlighting German mobile banking users being targeted by QR code phishing scams. These scams involved crafting convincing emails purporting to be from one of two German banks. Each email contained logos and coherent messaging that was in line with previous communications issued by the banks.
Inside each email was a QR code along with an instruction to consent to data privacy changes or other relatively benign and non-urgent actions. The QR code linked to a malicious URL where unsuspecting users entered their banking login credentials. This campaign cleverly eschewed the normal (and easily detectable) routine of attempting to create urgency by informing victims they've been locked out of their accounts.
Another notable incident two months prior to the German mobile banking scam was a campaign targeting Microsoft 365 users. Using a single compromised Microsoft 365 account, threat actors sent emails to employees of the same company that apparently included a voice message. In order to listen to the recording, employees were instructed to scan a QR code, which led them to a login page asking for their Microsoft 365 credentials.
Most likely, access to the initial compromised account came from stolen credentials bought on the dark web or leaked from a previous breach. But if that account didn’t have many privileges, threat actors may have used this tactic to compromise higher-level accounts to move laterally and gain more privileges.
QR code phishing scams are likely to become more prevalent—the FBI even issued an advisory early in 2022 warning about the threat. Here are some suggested ways to improve defenses against QR code phishing scams:
Continuously monitoring your environment to detect and respond to threats is a challenging task for security teams who are busy trying to shore up defenses and deal with other tasks. Managed detection and response (MDR) provides dedicated cyber threat monitoring and rapid incident response from expert security pros.