Mike Britton at Abnormal Security explains how malicious QR codes are reshaping phishing attacks
Cyber-criminals have always been adept at exploiting the latest tech trends in their attacks, and weaponising QR codes is one of their latest tactics.
The convenience and functionality of QR codes have made them a popular tool for digitally exchanging information. However, their widespread use has also opened up a new vector for phishing attacks, giving rise to QR code phishing (or quishing) attacks.
With the NCSC recently warning about the rise in these attacks, businesses need to understand how QR codes can be used to compromise their employees, and what they can do to defend against these emerging attacks effectively.
Leaders at risk from QR code attacks
Like classic phishing scams, quishing attacks usually aim to steal credentials through social engineering, where an email is sent from a seemingly trusted source and uses urgent language to convince the target to take an action.
In a quishing attack, the target is often persuaded to scan a QR code under the guise of a fake prompt, like updating an expired password or accessing a critical document. The malicious QR code will then lead them to a spoofed login page where they are prompted to enter – and ultimately give away – their credentials.
The high value of account credentials means that personnel with the broadest system access, like CEOs and senior executives, are naturally popular targets. In fact, our analysis found that members of the C-Suite were a staggering 42 times more likely to be sent QR code phishing attacks than other employees.
Other senior leadership, such as executive vice presidents and department heads, were also five times more likely to be targeted than non-executives.
We also found that smaller firms were a popular target for malicious QR codes, experiencing attack rates up to 19 times higher than other company sizes. This may be because, while they have a smaller pile of capital and assets to steal, small businesses are also less likely to have the resources for an effective defence. A novel attack method like QR phishing is also very unlikely to be covered by their staff security awareness efforts.
Our analysis also revealed that construction and engineering firms are the most likely industry to receive malicious QR code emails. While often overlooked as a cyber-crime target in favour of fields like financial services, the sector is uniquely vulnerable due to the prevalence of remote working during site visits and a historic lack of security investment.
Less surprisingly, professional services such as legal and accounting firms are the next most common target, likely due to their high levels of valuable data.
Attack vectors: MFA and document sharing
Quishing attacks largely follow the same traditional phishing playbook, where social engineering is used to manipulate an action from the victim. But when it comes to QR code phishing, cyber-criminals appear to favour two tactics.
Analysing data collected in the second half of 2023 found that QR codes were most prevalent in fake notifications for MFA activity (27% of all QR attacks) and shared documents (21%). Whatever the narrative for the malicious code, most QR attacks we see are credential phishing attempts.
MFA-themed attacks are particularly effective because they carry that all-important sense of urgency. These attacks will usually warn the victim that they will lose application access if they don’t immediately authenticate (in this case, by scanning the QR code in the email).
Likewise, fake document sharing notifications generally impersonate and spoof emails from services like DocuSign. Since most businesses use these tools for their most important and confidential documents, notifications of this nature are likely to inspire a fast response.
Removing the element of surprise
QR codes are rising in popularity among threat actors because of their ability to effectively evade many standard email security checks. The codes themselves are not malicious and cannot be readily scanned by many tools. And because malicious QR codes are typically embedded within emails from legitimate domains, those emails can continue to pass checks such as SPF, DKIM, and DMARC.
The novelty of QR codes is another one of their most dangerous attributes. As a relatively new threat vector, most personnel don’t yet have the kind of ingrained suspicion we’ve come to expect for traditional phishing emails.
Threat actors are banking on this lack of caution, so education and training are important assets in combating these QR code threats. Ensuring staff are aware of their potential risks and teaching them to use the same best practices as they would for other email attacks – like looking for urgent requests, especially around authentication, sensitive information, or financial transactions – will help reduce the danger.
Since individuals with access to a company VIP’s inbox are by far the most common targets for QR attacks, they should be the priority in education efforts.
AI-powered analysis to stop QR code attacks
As with more traditional phishing, the best defence is to prevent these attacks from reaching their intended victims at all. However, it’s becoming increasingly clear that these new phishing tactics are outpacing secure email gateways (SEGs) and other legacy email systems. Unfortunately, these defences were not designed to detect QR code threats effectively or to analyse the code’s destination.
Enterprises must be aware that many traditional security tools will be outfoxed by novel attacks like QR codes, and should move towards more modern, dynamic approaches, including AI-native detection tools.
AI-powered email security solutions are not only able to detect QR codes in email and parse their associated links to detect malicious destinations, they can also apply behavioural analytics to assess the email in the context of its supposed sender. Rather than relying on known threat signatures, like bad sender domains or risky attachments, the email is scanned for factors indicating a social engineering attack, like communication patterns that deviate from baseline user behaviour.
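To make the detection steps above concrete, here is an added example (not Abnormal Security's code or any product's logic) that pulls the image parts out of a MIME message, notes when the text body carries no link at all, and judges the URL decoded from the QR image against the apparent sender domain and a short list of trusted services. The sample email, the `TRUSTED` shortlist and the test URLs are constructed; decoding the QR pixels into a URL is assumed to happen upstream with a library such as pyzbar, so the function takes already-decoded URLs.

```python
import email
from email import policy
from urllib.parse import urlsplit
# Constructed sample: an MFA lure whose only link sits inside a QR image; the PNG payload is just the file signature.
SAMPLE_EML = b"""From: IT Support <it-support@example-corp.com>
Subject: Action required: re-authenticate your MFA within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your MFA token has expired. Scan the QR code below to keep access.
--b1
Content-Type: image/png; name="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
TRUSTED = {"docusign": ("docusign.com", "docusign.net"), "microsoft": ("microsoftonline.com",)}  # assumed shortlist

def in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it (never a lookalike suffix)."""
    return host == domain or host.endswith("." + domain)

def image_parts(msg):
    """Return (filename, bytes) for every image part: a QR lure keeps its URL in these, not in the text."""
    return [(p.get_filename() or "(unnamed)", p.get_payload(decode=True))
            for p in msg.walk() if p.get_content_maintype() == "image"]

def destination_risk(qr_url, sender_addr):
    """Judge a decoded QR destination against the apparent sender domain and trusted services."""
    host = (urlsplit(qr_url).hostname or "").lower()
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    trusted = any(in_domain(host, d) for domains in TRUSTED.values() for d in domains)
    reasons = []
    if not trusted and not in_domain(host, sender_domain):
        reasons.append(f"{host!r} is neither the sender domain nor a trusted service")
    if not trusted and any(brand in host for brand in TRUSTED):
        reasons.append(f"{host!r} looks like a brand lookalike")
    return reasons

def triage(raw_eml, decoded_qr_urls):
    """Combine the image/no-link signal with destination checks; decoded_qr_urls come from an assumed upstream QR decoder."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec
    body = msg.get_body(preferencelist=("plain",))
    images, no_link = image_parts(msg), "http" not in (body.get_content() if body else "")
    reasons = [f"{len(images)} image part(s) but no link in the text body"] if images and no_link else []
    for url in decoded_qr_urls:
        reasons.extend(destination_risk(url, sender))
    return {"image_count": len(images), "reasons": reasons, "suspicious": bool(reasons)}
```

The `reasons` list is what a SEG pass on SPF/DKIM/DMARC never produces for such a message: the sender domain is genuine, so only the destination and the "call to action is an image" signal give it away.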
The use of QR codes in business won’t be going away anytime soon, and we can expect threat actors to continue leveraging them in their social engineering attacks.
Through a combination of continued security awareness training and modern detection tools, organisations can ensure their security posture is in a strong position to defend against today’s – and tomorrow’s – evolving threats.
Mike Britton is CISO at Abnormal Security
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543