'Quishing': That QR Code You Scan May Be Malicious

The next time you scan a QR code from an unknown source, especially on a PDF document shared via email, watch out for possible malicious intent by a threat actor. According to a recent report by cybersecurity company Sophos, attackers are using "quishing"—a portmanteau of "QR code" and "phishing"—attacks to target employees at organisations.

In a quishing attack, emails are designed to look authentic and have a QR code in them. They could have lucrative subject lines such as "2024 financial plans", "remittance arrived" or information about "employment benefits". The emails also create a false sense of urgency by highlighting "This document will expire in 24 hours," warranting immediate actions from users.

When a user scans the QR code via phone, targets are taken to a phishing page that resembles a Microsoft 365 login dialog box but may actually be controlled by the attacker.

Sophos said these attacks recently targeting many of its employees, "one of whom was tricked into giving up their information". In Sophos' case, the phishing page compromised both login credentials and multi-factor authentication of the employee.

Although QR codes are a machine-readable encoding mechanism that can hold a wide range of data, including binary data and lines of text, most people know them as a rapid means of sharing a uniform resource locator.

However, in contrast to a URL in plain text, those in QR codes are less likely to be scrutinised. It can be difficult to closely examine the URL because it may only be visible for a few seconds before the app hides it from view. Also, threat actors may employ URL redirection mechanisms that hide or disguise the link's final destination when it is displayed in the camera app's interface.

Also, because QR codes are typically scanned by mobiles, traditional defences—like URL blocking on a desktop/laptop with endpoint protection software or a firewall that prevents opening of malicious web addresses—don't work. The result is malicious URLs end up bypassing device security.

Sophos said that such quishing attacks are rising both in terms of volumes and sophistication. The company also reported that some QR codes in recent quishing documents fraudulently used the branding of Docusign, an electronic contract signature platform, for social engineering tactics to trick users.

To deal with quishing attacks, users and organisations should be watchful of subject lines such as "2024 financial plans", "benefits open enrolment", "dividend payout", "tax notification" or "contract agreement", Sophos suggested. Organisations should also monitor risky sign-in alerts, install advanced email filtering mechanisms and enhance employee vigilance and reporting.