QR-based Quishing attacks are evolving

Technology

Olesia Klevchuk at Barracuda outlines what you need to know about a long established but rapidly changing threat to cyber-security

QR, or Quick Response, codes are used widely as an easy visual shortcut to URLs. They quickly connect people to websites for special offers, further information, forms and more. They are a common and familiar feature, and this alone makes them attractive to cyber-attackers targeting potential victims.

But there’s more. QR code attacks appeal to attackers because they are difficult to detect using traditional email filtering methods. There is no embedded link or a malicious attachment to scan. Email filtering is not designed to follow a QR code to its destination and scan for malicious content. It also shifts the actual threat to a different device that may not be protected by corporate security software.

QR code phishing attacks – or “quishing” – are currently on the rise and present a significant threat to users and organisations alike. We are seeing an increasing danger around QR code attacks as they become more sophisticated, complex and harder to detect.

Organisations need to be aware of how threat actors weaponise the humble QR code, why these tactics are so effective, and how to spot and block attacks.

How QR codes are used in email attacks

Quishing attacks trick recipients into visiting malicious websites or downloading malware onto their devices. Instead of a standard phishing link, the attackers use an embedded QR code. Scanning the code will redirect the target to a counterfeit page of a trusted service to capture their login credentials.

Malicious QR codes can also be shared as a survey or competition. Scanning the code will direct users to a form asking for personal details in exchange for a potential prize.

QR codes can also facilitate malware, with the code directing the user to a website that will automatically download ransomware, spyware and any other malicious software. Codes can be used to potentially trigger actions such as following social media accounts or queuing up pre-written emails, enabling the attacker to impersonate the victim and target their contacts.

Most of these tactics aren’t particularly different from a more standard phishing attempt, but QR codes have unique properties that makes security threats exploiting their use more difficult to detect and stop.

Detecting QR code attacks poses a challenge

The first issue is that most standard email security tools aren’t geared towards interacting with QR codes. Whereas conventional phishing attacks use embedded links or malicious attachments, QR codes are essentially images. This means they often bypass detection mechanisms looking for threat signatures.

The attack will also usually shift to a different device, such as a mobile phone scanning the QR code. This further complicates detection as the device may not be under the protection of enterprise security software.

The convenience of scanning QR codes also poses problems, and most users would find it hard to distinguish between legitimate and malicious QR codes. Even individuals who are trained to be suspicious of standard email links and attachments may take a QR code at face value, especially if the attacker has crafted a compelling phishing email.

These challenges mean that conventional email filtering and security software are insufficient against the rising tide of QR code phishing attacks. Organisations must look beyond traditional methods to effectively identify and mitigate these threats.

AI can detect quishing attacks

AI and image recognition technologies offer a promising solution for the challenges in identifying QR code-based attacks. Unlike traditional methods relying on threat signatures, AI-based solutions analyse multiple factors, such as the sender’s details, content, image size, and placement. Even if the QR code is difficult to assess, AI can determine the context around the message to identify malicious intent.

AI-powered analysis can rapidly scrutinise email content to identify inconsistencies that may signify a phishing attempt. Image recognition can further analyse the QR code to detect anomalies or manipulations the human eye might miss.

User education is an extra layer of defence

While these technological solutions are crucial, and the right security tools should catch most incoming quishing attempts, education and awareness will empower users to act as another line of defence.

Employees should be equipped to identify the most common tactics and to exercise caution by thinking twice before scanning a code. Ultimately, staff should learn to treat QR codes as potential threats in the same way as unexpected links and attachments. This means taking a moment to verify the source of the code and reporting any suspicious activity to the IT or security team.

Futureproofing email security

As long as QR codes remain popular, threat actors will increase their efforts to exploit the technology.

However, there are steps that organisations can take to detect and block them. Advanced, AI-powered email security solutions focus on contextual factors so that there is a high chance of reliably identifying a malicious email, no matter how the threat is disguised. In this way organisations can futureproof themselves against threats and close security gaps as tactics continue to evolve.

Olesia Klevchuk is Director, Product Marketing, Email Protection at Barracuda

Main image courtesy of iStockPhoto.com