  • 05 October 2023
  • 12 min read

Quishing: QR code based second wind for phishing attacks

What do you know about the emerging cyber menace known as "quishing" or "QR code phishing"?

This clever blend of QR codes and phishing has taken the cybercrime world by storm. Cyber security decision-makers and enthusiasts need to understand this evolving threat and take proactive measures to safeguard their organisations.


In today’s article we will be exploring the following:

  • What is quishing and how does it work?
  • Quishing vs Traditional phishing, Vishing and Smishing
  • What are the common quishing methods and techniques used by attackers?
  • The challenge of detecting and preventing quishing
  • Real-world examples of quishing attacks
  • How the pandemic increased quishing attack levels
  • What are the awareness and training solutions available to you?
  • Cyber regulation is strengthening, compliance must reciprocate
  • Working with the right partner

What is quishing and how does quishing work?

Quishing, a portmanteau of "QR code" and "phishing," involves using QR codes as a vehicle for cybercriminals to deceive and steal from unsuspecting victims. These malicious QR codes lead users to fake websites, run background tasks or prompt them to take actions that compromise their sensitive information. Attackers often deploy social engineering tactics to make these QR codes appear trustworthy, making it even more challenging for individuals to discern the threat.

Quishing is a modern-day twist on the traditional phishing attack, leveraging Quick Response (QR) codes as its primary vector. QR codes are ubiquitous in today's landscape, used for everything from restaurant menus to boarding passes. They have become so ingrained in our daily lives that we rarely think twice before scanning one.

So, imagine this scenario: You receive an email or message on your smartphone instructing you to scan a QR code for an exclusive discount at your favourite online store. The QR code appears legitimate, complete with the store's logo and enticing offers. You scan it, and your phone's browser opens to what seems like the store's official website, prompting you to log in to claim your discount. Unbeknownst to you, cybercriminals have cunningly embedded malicious code within the QR code which, once scanned, redirects you to a convincing but counterfeit website that closely mimics the legitimate site. The fake site prompts you to enter sensitive information, such as login credentials, payment details, or personal identification. This is not an uncommon scenario as the McAfee 2023 Consumer Mobile Threat Report reveals that bring-your-own-device (BYOD) vulnerabilities are responsible for 23% of mobile threats organisations face.

The proliferation of quishing attacks has been staggering. Cofense Phishing Defense Center’s recent quishing report reveals a significant growth in quishing attempts since May 2023. Furthermore, quishing campaigns shot up by over 270% month-to-month, and over 2,400% in total. In fact, 29% of emails targeting a range of industries contained malicious QR codes. Quishing is particularly insidious because it preys on our trust in QR codes, a technology we have grown accustomed to using without scepticism. Quishing is not just another buzzword in the cyber security lexicon; it is a genuine threat that has proven its efficacy in compromising individuals and organisations alike.

Quishing vs Traditional phishing, Vishing, and Smishing

While quishing shares similarities with traditional phishing, it operates through QR codes, which sets it apart. Quishing’s distinct feature is its reliance on QR codes, offering attackers a new avenue to exploit.

  • Quishing vs Traditional phishing: Traditional phishing typically involves deceptive emails or messages that aim to trick recipients into divulging sensitive information or clicking on malicious links. These emails often impersonate trusted entities like banks or social media platforms. In traditional phishing, the primary delivery method is email rather than leveraging QR codes as the primary attack vector.
  • Quishing vs Vishing: Vishing, or voice phishing, relies on phone calls to deceive victims. Scammers impersonate legitimate organisations or individuals over the phone, convincing victims to provide personal information, passwords, or financial details. Vishing is highly reliant on social engineering techniques and voice communication, whilst quishing operates through QR codes and digital channels.
  • Quishing vs Smishing: Smishing, or SMS phishing, involves sending fraudulent text messages to deceive recipients. These messages may contain links to malicious websites or prompt users to respond with personal information. Smishing is typically delivered through text messages whilst quishing relies on QR codes as the primary delivery mechanism.

While traditional phishing, vishing, and smishing remain prevalent threats, quishing introduces a unique and visually based approach using QR codes. Vigilance, education, and comprehensive security measures are essential to protect against quishing and safeguard organisations from its potential consequences.

What are the common quishing methods and techniques used by attackers?

Understanding the common methods and techniques employed by cybercriminals is essential. Here, we delve into the various tactics attackers use to exploit QR codes for nefarious purposes.

  • Redirection: The most common method is redirection. Attackers craft QR codes that, when scanned, redirect users to fraudulent websites that closely mimic legitimate ones. These fake websites are designed to trick users into entering their credentials or personal information.
  • QRL (Quick Response Login) Jacking: QRLs are a user-friendly authentication method that uses QR codes for logging into websites, applications, or digital services. Instead of employees manually entering a username and password, they can just scan a QR code with their smartphone. Although this is a convenient and secure authentication method, hackers found a way to use it to their advantage. They clone and replace legitimate QR codes and redirect login attempts to their server, gaining login details, account access and data.
  • Malware infection: Malicious QR codes can be designed to initiate the download and installation of malware onto a victim's device. After scanning the code, malware is silently downloaded to your device, giving attackers unauthorised access to your files, and potentially compromising your organisation's data. Once infected, the attacker may gain control of the device, potentially using it for various malicious activities.
  • Using dynamic QR Codes to change a code's data: Dynamic QR codes allow for the alteration of embedded data even after the code has been shared. Attackers exploit this feature by initially sharing a benign QR code and later modifying its destination to a malicious site. For instance, you receive an innocuous-looking QR code from a colleague that supposedly leads to a shared document. After a few days, the colleague's email account is compromised, and the attacker modifies the QR code's destination to a phishing site, putting anyone who scans it at risk.
  • Hijacking account for sending purposes: In this technique, attackers compromise a victim's email account and send pre-written phishing emails to their contacts whilst logged in. This correspondence is far more likely to be clicked, opened, and engaged with. These emails may contain QR codes that lead recipients to malicious websites, further propagating the attack.
  • Abusing trust in QR codes: Attackers exploit people's inherent trust in QR codes, knowing that they are often scanned without second thoughts. They craft convincing lures and convincing QR code designs to deceive victims. During and after the pandemic, restaurants have been employing QR codes for menus and payment. Imagine a hacker physically sticking malicious QR codes over legitimate ones to trick unsuspecting customers.

Cybercriminals are continually innovating and devising new tactics to exploit QR codes for their malicious endeavours. As a result, organisations must remain vigilant, educate their staff about quishing, and implement security measures to mitigate the risk. Recognising the diverse range of quishing methods is a critical step in bolstering defences against this emerging cyber threat.

The challenge of detecting and preventing quishing

Quishing, with its unique blend of QR codes and phishing, presents a formidable challenge for organisations seeking to protect themselves against cyber threats. Detecting and preventing quishing attacks requires a multi-faceted approach, as attackers continually refine their tactics. Let us explore the complexities involved in countering this evolving threat.

The stealthy nature of quishing: One of the primary challenges with quishing lies in its subtlety and adaptability. Attackers leverage QR codes, a technology widely trusted for its convenience and efficiency, making it difficult for users to discern malicious intent. The stealthy nature of quishing poses the following challenges:

  • Limited user scrutiny: QR codes are often scanned with minimal scrutiny. Users typically assume that scanning a QR code is a safe and routine action, making them more susceptible to deception.
  • Quick execution: Quishing attacks can occur in an instant. Once a QR code is scanned, it redirects users to a malicious website or prompts them to act, leaving little time for second thoughts.
  • Varied attack vectors: Cybercriminals can initiate quishing through email, text messages, physical QR codes, or even social engineering tactics, making it challenging for organisations to predict the attack vector.

What to look out for: To address the challenge of detecting and preventing quishing, organisations and individuals must adopt proactive measures:

  • QR code scrutiny: Encourage users to scrutinise QR codes before scanning. Check the source, ensure it is from a trusted entity, and look for signs of tampering or alterations.
  • Employee training: Implement comprehensive cyber security awareness training that includes specific modules on quishing. Ensure that employees understand the risks and know how to identify potentially malicious QR codes.
  • Regular software updates: Keeping devices and applications up to date is crucial. Attackers often exploit vulnerabilities in outdated software, so prompt updates are essential.
  • Two-Factor Authentication (2FA): Enforce 2FA wherever possible. Even if a user's login credentials are compromised through quishing, 2FA can provide an additional layer of security.
  • Employee reporting: Encourage employees to report suspicious QR codes or any unusual activity immediately. Rapid response can mitigate the impact of a quishing attack.
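As an added example (it is not from the article or The Security Company's own tooling), here is a small Python triage routine that a help desk or mail-gateway rule could run over a QR code's decoded payload before anyone follows it. It covers the redirection, lookalike-domain, credential-in-URL and shortener cases from the methods list earlier and the "check the source" advice in the list just above. The allowlist of trusted domains, the sample payloads and the scoring thresholds are constructed assumptions, and decoding the QR image itself (for example with a zbar-based library) is left out. The routine inspects only the static payload, so it cannot see a dynamic QR code whose destination is changed later; for those the check has to run at scan time. Following redirects is deliberately omitted so that the example runs offline.

```python
"""Triage a decoded QR payload before a user or help desk opens it (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of the organisation's own domains (assumption, not from
# the article): hosts equal to, or under, these names are trusted.
TRUSTED_DOMAINS = ("example.com", "example-bank.co.uk")

# Public URL shorteners hide the real destination until the link is followed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Query parameters commonly used to carry a redirect target.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto"}


@dataclass
class Assessment:
    payload: str
    findings: list = field(default_factory=list)  # (reason, weight) pairs

    @property
    def score(self) -> int:
        return sum(weight for _, weight in self.findings)

    @property
    def verdict(self) -> str:
        # Thresholds are an assumption; tune them to the organisation's appetite.
        if self.score >= 4:
            return "block"
        if self.score >= 2:
            return "review"
        return "allow"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains one or two characters off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_qr_payload(payload: str) -> Assessment:
    a = Assessment(payload)
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # tel:, sms:, mailto:, intent: and similar trigger an action rather than open a page
        a.findings.append(("non-web scheme '%s'" % parts.scheme, 2))
        return a
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # "https://example.com@evil.test/" shows the trusted name but goes elsewhere
        a.findings.append(("credentials in URL mask the real host", 3))
    try:
        ip_address(host)
        a.findings.append(("IP-literal host instead of a domain name", 3))
    except ValueError:
        pass
    if "xn--" in host:
        a.findings.append(("punycode host (possible homoglyph)", 2))
    if host in SHORTENERS:
        a.findings.append(("URL shortener hides destination", 2))
    for name, values in parse_qs(parts.query).items():
        if name.lower() in REDIRECT_PARAMS and any(v.startswith("http") for v in values):
            # an open redirect on a trusted site is the "redirection" technique in disguise
            a.findings.append(("embedded redirect target in '%s'" % name, 2))
    if host and not is_trusted(host):
        registrable = ".".join(host.split(".")[-2:])
        decoy = [d for d in TRUSTED_DOMAINS if d in host]
        near = [d for d in TRUSTED_DOMAINS
                if 0 < min(levenshtein(host, d), levenshtein(registrable, d)) <= 2]
        if decoy:
            # e.g. "example.com.evil.test": trusted name used as a subdomain label
            a.findings.append(("trusted name %s embedded in untrusted host" % decoy[0], 4))
        elif near:
            a.findings.append(("lookalike of trusted domain %s" % near[0], 4))
        else:
            a.findings.append(("host not on allowlist", 1))
    return a


# Constructed sample payloads, as a QR decoder would hand them over.
SAMPLE_PAYLOADS = (
    "https://intranet.example.com/docs/handbook.pdf",
    "https://examp1e.com/login",
    "http://203.0.113.7/login",
    "https://tinyurl.com/constructed-sample",
    "https://www.example.com/redirect?url=https://203.0.113.5/login",
    "https://example.com@203.0.113.9/",
)


def triage_samples() -> dict:
    """Map each sample payload to its verdict."""
    return {p: assess_qr_payload(p).verdict for p in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        result = assess_qr_payload(payload)
        print(result.verdict.upper(), payload, [r for r, _ in result.findings])
```

A "review" verdict is the useful middle ground for the reporting step the list above describes: the scan is held, the user is told why, and the security team looks at it rather than the employee deciding alone.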

Real-world examples of quishing attacks

Several high-profile quishing attacks have garnered attention in recent years. These attacks highlight the urgency of addressing the quishing threat.

  • September 2011: Widely considered the first case of malicious attacks via QR codes, Russian cybercriminals used QR codes to direct victims to download trojans via fake versions of apps like Jimm and Opera. The apps then installed malware that forced their device to send texts to a premium service, costing victims $6 per message.
  • January 2022: In Texas, cybercriminals attached fake QR code stickers to pay-to-park kiosks. By scanning the codes, drivers were directed to a site where they would enter their credit card information, unintentionally providing their confidential data to hackers.
  • February 2022: In Atlanta, drivers found parking and fine tickets with QR codes on them. When scanned, hackers obtained confidential information.
  • December 2022: In China, a quishing campaign impersonated the Chinese Ministry of Finance using an email that tricked users into thinking they could apply for a new government grant. They were prompted to scan a QR code embedded in an attached document using a mobile messaging and payment app (WeChat) and unwittingly invited hackers in.
  • October 2023: Police in Northern Ireland have warned organisations to be on their guard after issuing a new Crime Prevention Notice on “quishing,” or phishing via QR code, encouraging businesses to ensure staff complete cyber security awareness training.

These real-world examples illustrate the diverse range of quishing attacks and the extensive damage they can inflict on individuals and organisations. As cybercriminals continue to refine their tactics and exploit QR codes' trustworthiness, it is imperative for organisations and individuals to remain vigilant, educated, and proactive in their cyber security measures to mitigate the risk of falling victim to quishing attacks.

How the pandemic increased quishing attack levels

The COVID-19 pandemic ushered in a new era of remote work, online communication, and digital transactions. While these changes were necessary to adapt to the global crisis, they also created fertile ground for cybercriminals to exploit vulnerabilities. Quishing attacks saw a significant uptick during the pandemic due to several interconnected factors.

  • Increased reliance on digital communication: As lockdowns and social distancing measures were enforced worldwide, organisations and individuals turned to digital communication platforms like email, messaging apps, and video conferencing to stay connected. This heightened digital dependence created more opportunities for quishing attackers to target unsuspecting victims through these channels.
  • QR codes for contactless transactions: The pandemic accelerated the adoption of contactless payment methods and digital menus in restaurants, which heavily rely on QR codes. People became accustomed to scanning QR codes for everyday tasks like making payments, accessing menus, or checking into venues for contact tracing. Cybercriminals leveraged this shift in behaviour to create malicious QR codes that seemed legitimate.
  • Remote work vulnerabilities: With remote work becoming the norm, employees accessed corporate networks from various locations and devices. Cybercriminals exploited the security gaps in remote work setups, targeting employees with quishing attacks via email or messaging platforms. These attacks sought to compromise remote work credentials and gain unauthorised access to sensitive corporate data.
  • Overwhelmed IT and security teams: The sudden shift to remote work overwhelmed IT and security teams in many organisations. They faced the monumental task of securing remote environments while adapting to new technologies and threat vectors. Cybercriminals exploited this chaotic period, taking advantage of stretched resources and delayed responses to quishing attacks.
  • Targeting healthcare and pharmaceutical organisations: Healthcare organisations and research institutions played a pivotal role during the pandemic. Cybercriminals recognised the value of their data and research findings and launched quishing attacks aimed at stealing sensitive medical information, patient records, and vaccine-related research data.

The pandemic created a perfect storm for the surge in quishing attacks. The increased reliance on digital communication, the proliferation of QR codes, and the vulnerabilities of remote work setups all contributed to the rising levels of quishing attacks.

What are the awareness and training solutions available to you?

As the threat of quishing continues to evolve, organisations must invest in robust awareness and training solutions to educate their employees and build a culture of cyber security.

Here, we explore various strategies and solutions available to combat quishing effectively:

  • Awareness training: You need general programmes that provide foundational knowledge about cyber security, including an understanding of common threats like phishing, ransomware, and data protection. You then need to support this with specialised training modules that focus exclusively on quishing, educating employees on the unique characteristics and risks associated with QR codes and how to identify and respond to quishing attacks. Consider gamification: gamified and interactive training modules engage employees and reinforce cyber security best practices, and simulated quishing scenarios can help employees practise recognising and responding to quishing attacks.
  • Risk assessment and management: Implementing a comprehensive risk assessment can help organisations identify, assess, and mitigate the risks associated with quishing. Conduct regular risk assessments to evaluate the organisation's exposure to cyberattacks and quishing, and develop strategies to mitigate the identified risks, including the implementation of new training, technical controls, and security policies.
  • Games: Conduct simulated quishing attacks to test employees' ability to recognise and respond to such threats. These simulations can provide valuable insights into areas, employees and departments that require improvement. Furthermore, gamification can make training more engaging.
  • Continuous education: Cyber security is an ever-evolving field, and staying updated is crucial. Organisations should provide ongoing training and resources to ensure employees are aware of the latest quishing techniques and best practices. Working with a tried and tested cyber security and awareness partner to deliver regular awareness and training materials is paramount.
  • Reporting Tools: Implement reporting tools that make it easy for employees to report suspicious emails, messages, or QR codes. Rapid reporting can lead to a faster response and mitigation of quishing attempts.
  • Employee engagement and champion programmes: Encourage employees to actively participate in cyber security efforts. Recognise and reward individuals who excel in identifying and reporting quishing attempts, fostering a culture of cyber security awareness and creating cyber security champions for other employees to look up to.
  • Tailored awareness: Craft targeted awareness campaigns that address specific quishing-related concerns within your organisation. Tailored campaigns can resonate more with employees and drive home the importance of vigilance. You can tailor for a role, a language, tone, content and so much more when you work with TSC. Dissimilar roles within an organisation may face unique quishing threats. Tailor training programs to the specific needs and responsibilities of different departments and roles.
  • Executive training: C-suite executives and senior leadership should receive specialised training to understand the strategic implications of quishing and cyber security in general. Their buy-in and understanding are crucial for the success of awareness programs.

Combating quishing requires a multifaceted approach that combines employee education, risk management, and continuous improvement. By implementing comprehensive awareness and training solutions tailored to your organisation's needs, you can significantly reduce the risk of falling victim to quishing attacks and foster a culture of cyber security awareness that permeates your entire workforce.

Working with the right partner

Quishing represents the latest threat vector that decision-makers cannot afford to ignore. To combat quishing effectively, partnering with a trusted cyber security training and awareness organisation like The Security Company Ltd. can be a game-changer.

TSC offers comprehensive solutions, including eLearning, games, digital and physical awareness materials, and tailored strategies to encourage safer behaviours and foster an overall security culture change within your organisation.

By staying informed, investing in training and awareness, and collaborating with experts like TSC, organisations can fortify their defences and navigate the shifting currents of cybercrime with confidence.

Do not wait until quishing strikes—take proactive steps to secure your organisation today.

If you would like information about how The Security Company can help you to formulate a cyber security training and awareness programme on quishing, or if you would like a demo of our products and services, please contact our Head of Business Development and Sales, Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.