What is Quishing?

If you are a cybersecurity practitioner wondering: 'Is anything trustworthy these days?', don't add QR codes to the list. Of course, in a 'zero-trust' digital world, nobody would expect QR codes to be an exception to the rule, but recent cyber threat trend reports have observed an uptick in social engineering attacks leveraging fake QR codes. The U.S. Postal Inspection Service has also issued a warning along with an educational video about quishing attacks, highlighting the seriousness of this threat at the governmental, corporate, and individual citizen levels. Furthermore, Israeli Cyber Intelligence provider Perception Point reports a 427% increase in quishing attacks from August to September 2023 and an almost 8% increase in the prevalence of malicious QR codes during the same period.

For many people, scanning QR codes has become a routine day-to-day convenience for tasks such as making payments, gaining access, confirming appointments, or simply accessing more information. As a result, many folks will not suspect an email asking them to scan a QR code for things like resetting a password, confirming a delivery, or accessing a shared work document, and attackers are taking advantage of this more and more often.

Let's learn the basics about quishing attacks and what measures you should take to mitigate the risks of falling prey. 

What Are Quishing Attacks?

Quishing (or QR code phishing) leverages QR (Quick Response) codes to trick victims into visiting attacker-controlled resources, where they are further tricked into revealing sensitive information or downloading and installing malware. In quishing attacks, cybercriminals generate custom QR codes that direct users to fraudulent websites or initiate malware downloads when a victim scans them. These codes can be distributed through various channels, including emails, social media, printed materials, or by placing stickers over existing legitimate QR codes in public places or on signs that don't have QR codes on them already.

Quishing builds on a wide spectrum of social engineering attacks such as malspam, phishing, spear-phishing, smishing, vishing, and more. Quishing has become more prevalent due to the widespread use and familiarity of QR codes in everyday life, which leads users to trust them without question. The increasing adoption of QR codes by businesses and consumers alike makes them an attractive vector for cybercriminals to exploit.

How Do Attackers Use Quishing Attacks?

Quishing attacks are primarily used to steal sensitive personal information, credentials, or to trick users into installing malware. Enticing offers like gifts or discounts can add additional social engineering weight to the content. Quishing can leverage the same motivating factors as other social engineering attacks such as authority, urgency, scarcity, curiosity, familiarity and trust, consensus or social proof, sympathy, reciprocity, commitment and consistency, reward and greed. 

Here are some innovative methods that attackers use to distribute fake QR codes:

  • Social Media: Scammers can initiate quishing attacks via social media spam messages containing a QR code pointing to a malicious resource. It's important to carefully consider who you communicate with on social media and enable privacy protections to reduce access to your information. 

  • Malspam and phishing: Attackers can send unsolicited SMS text messages (known as smishing) or email messages that contain their malicious QR codes. Parcel delivery and government agencies are commonly used in phishing attacks to create a sense of urgency or authority. 

  • Posting Physical Signs: Bad actors may post physical signs in public locations with enticing messages that could be highly contextual to the location where the signs are posted, or offer free or heavily discounted products. This may attract unsuspecting individuals to scan the QR code, sending them to an attacker-controlled resource.

  • Overlaying Existing Legitimate Physical Signs: Cybercriminals may also overlay their malicious QR codes on top of legitimate signs, such as advertisements or informational signs in high-traffic areas. Especially if a QR code is already built into the sign, an attacker can covertly overlay it with their own malicious QR code without raising suspicion. This attack becomes especially powerful when people are expecting a QR code to be present, which adds to their level of trust.

What Are the Potential Consequences of Quishing Attacks?

When quishing attacks succeed, the consequences for the victim can be severe. By deceiving individuals into scanning malicious QR codes, attackers gain access to a wide array of personal information. 

Here are some ways stolen data in quishing attacks can be misused:

  • Fraudulent Purchases: If attackers gain access to credit card details, they can make unauthorized purchases. Victims may not realize these transactions have occurred until they review their bank statements or receive alerts from their financial institutions.

  • Unauthorized Access: 90% of quishing attacks were found to be credential phishing attacks which often included attempts to gain multi-factor authentication (MFA) one-time-passcodes (OTP) from the victim. Once these credentials are stolen, attackers can gain unauthorized access to the victim's personal, financial, or work accounts, change passwords, lock out the legitimate user, and potentially access sensitive or proprietary corporate information.

  • Identity Theft: By assembling enough personal information, attackers can assume a victim's identity to commit a wide range of crimes that can include renting properties, securing loans, or even committing crimes under the victim's name. A stolen Social Security number can be used in numerous fraudulent activities, from identity fraud to filing for tax returns.

  • Spear Phishing Attack Context: Attackers can also use a small amount of personal information as a springboard for more sophisticated, targeted attacks. This method, known as spear phishing, involves crafting highly personalized messages that appear even more legitimate and convincing. This can manipulate the victim into divulging more extensive and sensitive information, thereby escalating the scope and impact of their fraudulent activities.

How Can You Protect Yourself Against Quishing?

Preventing quishing involves several measures, such as being cautious of unsolicited QR codes, verifying the source of the QR code before scanning, verifying the destination domain to ensure it is legitimate and not a spoofed or typo-squatting domain, and using security solutions that can detect and block malicious QR codes.

Most importantly, organizations should regularly conduct phishing simulations to evaluate staff susceptibility to quishing and other social engineering attacks. These assessments help identify vulnerabilities in security practices and awareness levels among employees. The results can guide targeted training programs and adjustments in security protocols, ultimately strengthening the organization's overall defense against sophisticated phishing schemes. Regular testing not only familiarizes staff with the tactics used by attackers but also reinforces the importance of vigilance in everyday operations.

Other means for preventing quishing include:

  • Be Cautious Of Unsolicited QR Codes: Always be skeptical of unsolicited QR codes, whether they appear in digital or physical formats.

  • Check For Visual Cues Of Tampering: If you dare to scan a QR code from a publicly posted sign, be critical of its authenticity and especially look for visual cues that the sign has been tampered with. 

  • Verify QR Code Source and Destination: Before scanning a QR code received in an email, verify the sender's email address domain, and the destination domain the QR code redirects you to, especially if it leads to sensitive transactions or data entry.

  • Use Security Software: Implement security solutions that can detect and block malicious QR codes. These can include some malware scanning products with extended protection features to detect malicious websites, mobile security applications, or browser extensions that use cyber threat intelligence to deliver real-time threat analysis of Internet destinations.

  • User Awareness Training: Organizations should educate their employees about the risks associated with QR codes and train them to recognize the signs of quishing attempts.
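The "verify the destination domain" advice above is easy to state and hard to do by eye on a phone screen, so here is an added example (not code from the original post or from Packetlabs) of the kind of check a scanner app, mail gateway or help-desk triage script can run on a decoded QR payload before anyone follows it. It uses only the Python standard library; the allowlist, brand words, shortener list and sample payloads are constructed for this example, and the two-label "registrable domain" helper is a deliberate simplification of a real public-suffix lookup.

```python
"""Triage of decoded QR payloads (the string a scanner hands back) before the link is opened.
Pure stdlib. The policy lists below are constructed sample data, not a real organisation's."""
import ipaddress
from urllib.parse import urlparse

# Constructed sample policy: domains this organisation legitimately puts in QR codes,
# brand words that lookalike domains typically imitate, and common link shorteners.
ALLOWED_DOMAINS = {"example.com", "login.example.com", "usps.com"}
BRAND_WORDS = ("example", "usps", "microsoft", "paypal")   # tuple keeps finding order stable
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats such as 'examp1e'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). A production check should use a public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_qr_payload(payload: str) -> dict:
    """Return the destination host and a list of reasons not to trust it.
    An empty 'findings' list means the payload passed every check in this policy."""
    findings = []
    if "://" not in payload:
        # tel:, mailto:, Wi-Fi and vCard payloads are not web links; never auto-open them.
        return {"host": None, "findings": ["not a URL; refuse to open automatically"]}
    url = urlparse(payload.strip())
    host = (url.hostname or "").lower().rstrip(".")

    if url.scheme != "https":
        findings.append(f"non-https scheme '{url.scheme}'")
    if url.username or url.password:
        findings.append("credentials embedded before '@' (host obfuscation)")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")
    if host in SHORTENERS:
        findings.append("URL shortener hides the real destination")

    if host not in ALLOWED_DOMAINS and registrable_domain(host) not in ALLOWED_DOMAINS:
        findings.append(f"'{host}' is not on the allowlist")
        # Only look for brand impersonation once we know the domain is not ours.
        for label in host.split("."):
            for brand in BRAND_WORDS:
                if brand in label:
                    findings.append(f"label '{label}' uses brand '{brand}' on a non-allowlisted domain")
                elif levenshtein(label, brand) == 1:
                    findings.append(f"label '{label}' is one edit from brand '{brand}'")
    return {"host": host, "findings": findings}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them from an image.
    samples = [
        "https://login.example.com/reset?token=abc",          # legitimate, on the allowlist
        "http://examp1e.com/login",                            # typo-squat plus plaintext HTTP
        "https://example.com.verify-account.net/mfa",          # brand as a subdomain of a foreign domain
        "https://user@198.51.100.7/login",                     # userinfo trick plus raw IP
        "https://bit.ly/3xyz",                                  # shortener hides the destination
        "WIFI:T:WPA;S:FreeCoffee;P:hunter2;;",                  # not a web link at all
    ]
    for s in samples:
        result = analyze_qr_payload(s)
        verdict = "OK" if not result["findings"] else "SUSPICIOUS"
        print(f"{verdict:10} {s}")
        for f in result["findings"]:
            print(f"           - {f}")
```

The function is intentionally conservative: anything not on the allowlist is reported, and the brand checks only run for non-allowlisted hosts so that the organisation's own login subdomains never trip them. Findings are returned as data rather than printed so the same logic can feed a mail-gateway rule, a SIEM enrichment step, or a user-facing warning.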

Conclusion

Quishing attacks are a significant and growing threat that is finding its way into our inboxes and also exists out in the real, physical world. The fact is that we should not place ubiquitous trust in QR codes. Quishing scams seek to take advantage of unsuspecting victims who are used to the convenience that QR code technology offers.

A healthy dose of skepticism is warranted not only during critical transactions, but also in less risky day-to-day activities, considering how quickly cyber attackers can pivot from seemingly innocuous transactions to high-value ones. By understanding where attackers are using quishing in the wild, individuals and organizations can better protect themselves from these deceptive attacks.
