Threat actors have started using QR codes in phishing attacks

In this day and age, QR codes have become a popular way for users to access quick information about a product or service, eliminating the need for manual searches. However, taking advantage of this convenience and the relaxed security policies in email clients, threat actors have reportedly started using QR codes in widespread phishing campaigns and targeting major US institutions.

According to Cofense, among the 1,000 emails associated with the phishing campaign, a staggering 29% were directed to a single major US energy company, while the others targeted a diverse array of sectors, including manufacturing (15%), insurance (9%), technology (7%), and financial services (6%).

Why use QR codes?

While email platforms like Gmail and Outlook have implemented robust security protocols to shield users from common phishing attacks, QR codes, often presented as image files like .PNG or .JPG, provide threat actors with a means to bypass conventional security measures. Additionally, to further elude detection, these emails employ base64 encoding for phishing links, with QR codes utilizing redirects through platforms like Bing, Salesforce, and Cloudflare’s Web3 services.

“What is important to note is that aside from hiding in QR codes, threats are abusing a trusted domain to carry out attacks. Abusing trusted domains, using obfuscation tactics, coupled with hiding the URLs inside QR codes embedded into a PNG or PDF attachment, helps ensure that emails bypass security and make it into inboxes,” reads the report.

The campaign’s modus operandi involves sending a phishing email that urges recipients to swiftly update their Microsoft 365 account settings by scanning a QR code, purportedly for account verification. Furthermore, threat actors manipulate recipients by imposing a three-day deadline to update their account settings, capitalizing on a common psychological trigger.

What is the solution?

Given the efficacy of QR codes in evading security detection, companies like Google and Microsoft will need to develop new ways of scanning QR codes for phishing links. Additionally, Cofense recommends comprehensive employee training to recognize signs of phishing attempts, including emails that pressure immediate action and landing pages that diverge from official designs.