The Threat of QR Code Phishing

Posted by Trevagh Stankard on Thu, May 5th, 2022

QR codes are incredibly popular and convenient to use: almost 84% of smartphone users have scanned a QR code at least once, and over 34% scan one at least once a week. Cybercriminals gravitate to popular technologies and use them to scam, hack and deliver malware. This popularity has led to a rise in "QR code phishing": in January 2022, the FBI issued a public warning about malicious QR codes that redirect victims to sites built to steal credentials and money. Here is how attackers use QR codes against your users and your corporate network, and how you can stop a scanned code from turning into a security incident.

Types of QR Code Phishing Scams

A QR code is a two-dimensional barcode: it encodes a short string of data (typically a few dozen to a few hundred characters) as a grid of black and white modules, much like the one-dimensional barcodes on products in a store encode a product number. A smartphone camera, a scanner app or a dedicated reader decodes the grid back into that string. The important security detail is what happens next: most phones do not merely display the string, they act on it. A URL is opened in the browser, a mailto: payload drafts an email, a tel: payload dials a number, a WIFI: payload joins a network, and a bitcoin: or similar URI opens a wallet. QR codes most often carry web links, links to media such as videos, or links to download an app, and because the link is hidden inside an image until the moment of scanning, the user (and any filter that only inspects text links) has no chance to read it first. This is what gives a cybercriminal the opportunity to phish through a QR code.

There are a few variations on the QR code scam theme doing the rounds:

Quishing (QR-Phishing)

Quishing is a mashup of QR codes and email phishing. The fraudsters embed a malicious QR code into a legitimate-looking email. A recent example of a quishing attack was a Microsoft Office 365 phishing campaign that used QR codes to steal login credentials. Researchers identified spoofed Office 365 emails that offered access to missed voicemail messages if the recipient scanned a QR code. Scanning the code took the user to a fake Office 365 page that requested credentials to play the message. Note what the QR code achieves for the attacker: the email contains no clickable link for the mail filter to rewrite or block, and the victim completes the attack on a phone, away from the managed desktop, its web proxy and its endpoint protection.

QR codes are also being used in various regular scam types, such as tax scams. The UK tax department, HMRC, recently added support for QR codes on its website. Fraudsters have since used this new feature as the basis for a QR code tax phishing scam: a spoofed HMRC email asks the recipient to scan the code to pay overdue tax, and the QR code takes the taxpayer to a spoofed site where their financial information is stolen. Because HMRC genuinely uses QR codes, the code itself looks entirely plausible to the recipient.

QRLJacking (Quick Response Code Login Jacking)

This technique predates the quishing emails above and works differently: the QR code the victim scans is not malicious at all, it is genuine. Some companies have extended the convenience of QR codes to their login systems, where a user who is already signed in on a mobile app scans a code displayed in a browser to log that browser in. In QRLJacking, the attacker opens the legitimate login page themselves, which starts a login session and generates a QR code tied to the attacker's browser. The attacker then captures that QR code (for example, by screen scraping) and places the legitimate code on a spoof site.

The attacker then uses spear-phishing to lure the target to the spoof site.

The target scans the captured code with their genuine, authenticated mobile app. The app talks to the real service and approves the login, but the session it approves is the one the attacker's browser opened, so the attacker is logged into the victim's account. The service cannot tell the difference, because from its point of view a real user approved a code it really issued.

This scam is more challenging to carry out because it is time-sensitive: login QR codes expire after a short interval, so the attacker has to keep refreshing the legitimate page and relaying each new code to the spoof site while the victim is looking at it. For a high-value or sensitive account, that effort is worthwhile.
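The exchange described above, played out as an added example that is not code from the original post or from any real login provider. A minimal QR-login server hands a code to a browser, a logged-in phone approves it, and the browser polls until the approval arrives; the attacker simply is the browser. The host names, addresses, the 60-second expiry and the confirmation prompt are all assumptions made for the example.

```python
"""QR-code login flow and QRLJacking against it (constructed simulation)."""
import secrets
import time

QR_TTL_SECONDS = 60  # assumed lifetime of a login QR code, not any vendor's value


class LoginServer:
    """Minimal QR-login backend: a browser asks for a code, a signed-in phone
    approves it, and the browser polls until the approval arrives."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # token -> {"issued": float, "client_ip": str, "user": str | None}
        self.pending = {}

    def new_login_qr(self, client_ip):
        """Browser side: returns the payload that is rendered as the QR image."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"issued": self.clock(), "client_ip": client_ip, "user": None}
        return f"https://login.example.test/qr?token={token}"  # assumed URL shape

    def approve(self, token, user, confirm=lambda client_ip: True):
        """Phone side: the authenticated app scanned the code and approves it.
        `confirm` models the app showing the requesting browser's address and
        asking the user to confirm; the default accepts blindly."""
        entry = self.pending.get(token)
        if entry is None or self.clock() - entry["issued"] > QR_TTL_SECONDS:
            return False  # unknown or expired code
        if not confirm(entry["client_ip"]):
            return False  # user declined the login request
        entry["user"] = user
        return True

    def poll(self, token):
        """Browser side: returns the logged-in user once the phone has approved."""
        entry = self.pending.get(token)
        return entry["user"] if entry else None


def token_from_payload(payload):
    return payload.rsplit("token=", 1)[1]


def run_qrljacking(victim_confirm=lambda client_ip: True, clock=time.time):
    """Plays the attack end to end; returns whose session the attacker obtained."""
    server = LoginServer(clock)

    # 1. Attacker opens the real login page. The server issues a perfectly
    #    valid code bound to the attacker's browser (constructed TEST-NET address).
    attacker_ip = "203.0.113.5"
    payload = server.new_login_qr(attacker_ip)

    # 2. Attacker screen-scrapes the QR image onto a spoof page and phishes
    #    the victim to it. The code is byte-for-byte the genuine one.
    spoof_page_qr = payload

    # 3. Victim scans the code with the real, logged-in app. The app talks to
    #    the genuine server, so nothing looks wrong to it.
    token = token_from_payload(spoof_page_qr)
    approved = server.approve(token, user="victim@example.test", confirm=victim_confirm)

    # 4. The attacker's browser, still polling its own token, gets the session.
    return server.poll(token) if approved else None


def cautious_victim(client_ip, own_ip="198.51.100.7"):
    """Models a user whose app shows where the login request came from and who
    refuses when it is not the machine in front of them (constructed address)."""
    return client_ip == own_ip


def expired_code_is_rejected():
    """Shows the time pressure: a stale code no longer logs anyone in."""
    now = [1000.0]
    server = LoginServer(clock=lambda: now[0])
    payload = server.new_login_qr("203.0.113.5")
    now[0] += QR_TTL_SECONDS + 1  # attacker was too slow to relay a fresh code
    return server.approve(token_from_payload(payload), "victim@example.test")


if __name__ == "__main__":
    print("blind approval  ->", run_qrljacking())
    print("cautious victim ->", run_qrljacking(victim_confirm=cautious_victim))
    print("expired code    ->", expired_code_is_rejected())
```

The server never sees anything anomalous, which is why the defence has to live in the approval step on the phone: showing the requesting browser's address or location and asking for explicit confirmation, as the `confirm` callback models, and keeping the code's lifetime short so the attacker must keep relaying fresh codes.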

QR Crypto-quishing (QR Code cryptocurrency scams)

QR codes are a common way to distribute app download links and to present cryptocurrency addresses and payment requests. They can equally be used to push a malicious wallet app, or to get the victim's genuine wallet to approve something it should not. In the QR crypto-quishing scam, the scanned code asks the wallet to grant a persistent authorization (for example, a token spending approval to an attacker-controlled address); once the user confirms, the fraudster can drain the wallet at leisure, without any further interaction from the victim.

Drive-by-QR Code Phishing

Drive-by downloads are one of the most insidious forms of malware infection: the victim only has to load a page, and an unpatched vulnerability in the browser or in software it invokes does the rest. QR code phishers take advantage of this by sending emails whose QR codes lead to an infected website. One scan of the code and the mobile device may be compromised with a trojan, with no download prompt for the user to refuse.

Ways to Prevent QR Code Phishing

QR code phishing is designed to evade conventional security controls: the malicious URL sits inside an image rather than in a text link or an HTML anchor, so a filter that only extracts links from the message body sees a harmless picture, and the scan itself happens on a phone that is often outside corporate web filtering. No single product closes that gap. Phishing and other scams, including QR code phishing, are stopped by layering controls so that each one catches what the previous one missed:

  1. Train your employees: begin by educating your workforce. Use regular, behavior-based security awareness training to teach employees the perils of QR code phishing, in particular that a QR code is just a link they cannot read. Also, ensure that you include QR code phishing templates in your simulated phishing exercises so employees see what these emails look like and the different methods used to steal credentials and other data.
  2. Use a DNS filter: this breaks the phishing cycle by refusing to resolve the malicious domain, so the phone never reaches the site even though the user scanned the code. The filter maintains a dynamic blocklist of domains built from a threat corpus gathered across millions of subscribers and used to train machine learning models, so that emerging malicious domains are spotted and blocked quickly. The caveat to plan for: the filter only helps when the scanning device actually uses it, which means enrolling phones through MDM, a VPN or a DNS profile; a personal phone on cellular data bypasses it entirely.
  3. Apply email filters: email filters such as SpamTitan use multiple mechanisms, including AI-based classification, to catch hard-to-detect phishing messages. To catch quishing specifically, a filter has to decode QR images found in the message body and attachments and run the extracted URL through the same reputation and content checks it applies to a text link.
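The check that items 2 and 3 describe, and that the section on how QR codes work calls for, as an added example that is not code from the original post or from any TitanHQ product. It assumes the QR image has already been decoded to a string (a phone camera or a library such as pyzbar does that part) and then determines what action the payload would trigger and whether an embedded URL shows common phishing traits. The allowlist, brand watchlist, shortener list and every sample payload are constructed for the example.

```python
"""Inspect a decoded QR payload before a device acts on it (constructed example)."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

KNOWN_BRANDS = ("microsoft", "office365", "hmrc")             # assumed watchlist
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}   # assumed list
LEGIT_HOSTS = {"login.microsoftonline.com", "www.gov.uk"}      # assumed allowlist
BLOCK_FLAGS = ("ip_literal_host", "punycode_host", "brand_lookalike", "userinfo_in_url")


def classify_payload(payload):
    """Returns (kind, target): what a typical phone does with the decoded string."""
    p = payload.strip()
    low = p.lower()
    if low.startswith(("http://", "https://")):
        return "url", p
    if low.startswith("mailto:"):
        return "mailto", p[7:]
    if low.startswith("tel:"):
        return "tel", p[4:]
    if low.startswith("wifi:"):
        return "wifi", p
    if low.startswith(("bitcoin:", "ethereum:")):
        return "crypto_uri", p
    # Most scanner apps open a bare domain as a web link too.
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", low):
        return "url", "http://" + p
    return "text", p


def url_risk_flags(url):
    """Heuristic phishing indicators for a URL; each is an assumed rule, not a verdict."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        flags.append("plain_http")
    try:
        ipaddress.ip_address(host)
        flags.append("ip_literal_host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode_host")  # IDN homograph candidate
    if host in URL_SHORTENERS:
        flags.append("url_shortener")  # real destination is hidden
    if parts.username or "@" in parts.netloc:
        flags.append("userinfo_in_url")  # "https://brand@evil" trick
    if host not in LEGIT_HOSTS:
        for brand in KNOWN_BRANDS:
            if brand in host:
                flags.append(f"brand_lookalike:{brand}")
    # A query parameter carrying another URL is a classic redirect hop.
    for key, values in parse_qs(parts.query).items():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            flags.append(f"open_redirect_param:{key}")
    return flags


def inspect(payload):
    """Verdict for one decoded payload: allow, review or block."""
    kind, target = classify_payload(payload)
    flags = url_risk_flags(target) if kind == "url" else []
    if any(f.startswith(BLOCK_FLAGS) for f in flags):
        verdict = "block"
    elif flags or kind == "crypto_uri":
        verdict = "review"  # a payment request deserves a human look
    else:
        verdict = "allow"
    return {"kind": kind, "target": target, "flags": flags, "verdict": verdict}


# Constructed sample payloads (not taken from any real campaign).
SAMPLES = [
    "https://login.microsoftonline.com/",
    "https://office365-voicemail.example.net/listen?id=4412",
    "http://203.0.113.9/hmrc/pay",
    "https://bit.ly/3xyzabc",
    "https://www.gov.uk/login?next=https://hmrc-refund.example.org/",
    "WIFI:T:WPA;S:Guest;P:secret;;",
    "bitcoin:bc1qexampleaddressnotreal0000000000000000?amount=0.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = inspect(sample)
        print(f"{r['verdict']:6} {r['kind']:10} {r['flags']}  {sample}")
```

The allowlist is deliberately the weak point: any brand name appearing in a host that is not on it is flagged, which means a legitimate but unlisted `microsoft.com` subdomain would be blocked. In a mail or DNS filter that list comes from threat intelligence and is kept current; here it is a stand-in so the example runs offline.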

QR codes are the latest in a long line of phishers' favorites. Whatever technology comes along, fraudsters will find a way to exploit it if it is popular, and a single-point solution cannot capture every attack scenario. Attack chains that hop from an email to an image to a phone need a layered response: security awareness training combined with AI-enabled spam and content filters, and DNS filtering that the phones doing the scanning actually use.
