QR Code Phishing – A Growing Threat

Quishing (QR Code Phishing)

QR code (Quick Response code) phishing is a type of cyber-attack in which attackers use QR codes to trick individuals into revealing sensitive information or performing malicious actions. These types of attacks are on the rise currently, with a study by Hoxhunt Security finding that 22% of phishing attacks used QR codes in October 2023.

The same study reported that just over one-third (36%) of recipients successfully identified and reported the attack with the Hox button. More than half failed to recognise it as a threat, while another 5% of employees actually scanned the QR code or clicked a link.

QR code phishing often involves social engineering tactics to lure victims into scanning the code. For example, attackers might send QR codes via email, text messages, or social media, claiming they lead to a special offer, discount, or important information.

QR codes are two-dimensional barcodes that can store information, such as website URLs, contact details, or other data. In a phishing attack involving QR codes, attackers typically manipulate the codes to redirect users to malicious websites or perform actions that compromise their security.

How Does Quishing Work?

When a QR Code is scanned, there are multiple ways in which the user can be affected:

  • Fake Websites: Attackers create QR codes that, when scanned, redirect users to fake websites that mimic legitimate ones. These fake websites may prompt users to enter sensitive information such as usernames, passwords, or credit card details.
  • Malicious Actions: A QR code cannot run code by itself; it decodes to a URL or a short text payload. That URL, however, may lead to the download of a malicious app (typically disguised as an update or a sideloaded installer) or to a page that tries to exploit the browser or scanner app, either of which can end with malware installed on the device.
  • Credential Harvesting: Attackers might use QR codes to initiate phishing attacks aimed at stealing login credentials. The victim might be directed to a fake login page where they unwittingly provide their username and password.
QRLJacking (QR Code Login Jacking)

QRLJacking is a social engineering method that exploits the “login with QR code” feature used by many apps and websites. It can lead to full account hijacking.

The attacker identifies an application or service that uses QR codes for authentication or account linking. This could be a messaging app, a mobile banking app, or any other service that relies on QR codes for login. The attacker tricks the victim into scanning a malicious QR code. This could be achieved through various means, such as sending a QR code via a phishing email, SMS, or through a malicious website.

In the usual form of the attack, the attacker opens the legitimate service's QR login page in their own browser, which generates a QR code tied to the attacker's pending session. The attacker copies that code into a phishing page, email or message and presents it to the victim as if it were the victim's own login prompt. When the victim scans it with the genuine, already-logged-in mobile app, the app approves the pending session, which belongs to the attacker's browser rather than the victim's. Because login QR codes are short-lived, the attacker keeps refreshing the code on the phishing page so the victim always sees a valid one.

Once the victim scans the malicious QR code, the attacker gains access to the user’s session or authentication token. This allows the attacker to impersonate the user and potentially gain unauthorised access to the victim’s account. With control over the victim’s session, the attacker can perform various unwanted actions, such as sending messages, accessing sensitive information, or making unauthorised transactions.
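The flow described above, as an added example that is not part of the original post: a simulated "login with QR code" service with both the browser and phone sides, the QRLJacking relay run against it, and the one control point the victim has (the approval prompt on the phone). The service URL, message shapes, requester description and 30-second QR lifetime are assumptions chosen for illustration.

```python
"""Simulation of a 'login with QR code' flow and of QRLJacking against it.

Added example, not the article's own code. The service name, message shapes,
requester description and 30-second QR lifetime are assumptions chosen to
illustrate the generic browser-plus-phone flow the text describes.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

QR_TTL_SECONDS = 30  # assumed lifetime of a login QR; real services vary


@dataclass
class LoginSession:
    session_id: str        # known only to the browser that requested the QR
    nonce: str             # encoded in the QR so the phone can find the session
    requester: str         # browser/IP description the phone app can show the user
    created: float
    user: Optional[str] = None  # set when a logged-in phone approves this session


class QrLoginService:
    """Server side of the flow: the browser asks for a QR, the phone approves it."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.sessions: dict[str, LoginSession] = {}
        self.clock = clock

    def start_login(self, requester: str) -> tuple[str, str]:
        """Browser step: create a pending session and return its id plus the QR payload."""
        sid, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.sessions[sid] = LoginSession(sid, nonce, requester, self.clock())
        return sid, f"https://service.example/qrlogin?nonce={nonce}"  # assumed URL shape

    def _by_nonce(self, qr_payload: str) -> LoginSession:
        nonce = parse_qs(urlsplit(qr_payload).query)["nonce"][0]
        for s in self.sessions.values():
            if secrets.compare_digest(s.nonce, nonce):
                return s
        raise KeyError("unknown QR login nonce")

    def describe(self, qr_payload: str) -> str:
        """Phone step 1: the prompt the app shows before approving anything."""
        return f"Sign in {self._by_nonce(qr_payload).requester}?"

    def approve(self, qr_payload: str, phone_user: str) -> None:
        """Phone step 2: the already-logged-in app binds ITS user to the pending session."""
        s = self._by_nonce(qr_payload)
        if self.clock() - s.created > QR_TTL_SECONDS:
            raise PermissionError("QR code expired")
        s.user = phone_user

    def poll(self, session_id: str) -> Optional[str]:
        """Browser step: returns a session token once a phone has approved."""
        s = self.sessions[session_id]
        return None if s.user is None else f"session-token-for-{s.user}"


def qrljacking(service: QrLoginService, victim_approves: Callable[[str], bool]) -> Optional[str]:
    """The attack: the attacker requests a QR for THEIR browser and relays it to the victim."""
    sid, qr = service.start_login(requester="from Firefox on Linux at 203.0.113.7")
    # The attacker embeds `qr` in a phishing page or email; the victim scans it
    # with the genuine app, so the only thing standing between them is the prompt.
    prompt = service.describe(qr)
    if victim_approves(prompt):
        service.approve(qr, phone_user="victim@example.com")
    return service.poll(sid)  # token for the attacker's browser, in the victim's name


if __name__ == "__main__":
    svc = QrLoginService()
    print("naive victim:   ", qrljacking(svc, lambda prompt: True))
    # A victim on Chrome/Windows who reads the prompt notices the mismatch and declines.
    print("careful victim: ", qrljacking(svc, lambda prompt: "Chrome on Windows" in prompt))
```

Two things in the simulation carry over to real services. The token is only ever handed to the browser that holds `session_id`, which is exactly why relaying the QR works: the attacker's browser is that browser. And the defences the service can offer are the requester details shown on the phone before approval and a short expiry (`approve` refuses a stale code), which is why attackers refresh the code on the phishing page and why users should read the prompt rather than tap through it.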

Aspires Advice

QR code phishing, just like regular phishing, is almost impossible to fully combat. Once a campaign is identified and blocked, malicious actors can simply register new email addresses, generate new QR codes and carry on.

The key to staying safe from Quishing and QRLJacking is awareness and vigilance. A few things which can be done are:

  • Be Cautious: Treat QR codes like clickable links. Only scan QR codes from trusted sources. Avoid scanning codes from unknown or suspicious locations.
  • Check the Source: Before scanning a QR code, check if it comes from a legitimate source. Ensure that the code is associated with a reputable brand, business, or service.
  • Inspect the URL: Most phone cameras and scanner apps show the decoded URL before opening it. Read the registered domain (the part just before the first slash), not just a brand name that may appear somewhere earlier in the address, and be wary of URL shorteners, which hide the real destination. If the URL seems unrelated to the expected destination or looks suspicious, do not proceed.
  • Educate Users: Raise awareness among users about the risks associated with QR codes and phishing attacks. Provide training on how to identify and avoid suspicious QR codes.
  • Implement Multi-Factor Authentication (MFA): Enable MFA wherever possible so that a stolen password alone is not enough. Bear in mind that a phishing page can relay one-time codes to the real site in real time, so phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, which are bound to the genuine domain, give materially stronger protection than SMS or authenticator codes.
  • Report Suspicious QR Codes: If you encounter a QR code that appears to be malicious or leads to a phishing site, report it to the relevant authorities or the organisation it is impersonating.
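The "Be Cautious" and "Inspect the URL" advice above, turned into a small triage routine as an added example (not the article's own code). It works on the text a scanner app shows after decoding; decoding the QR image itself needs a library such as zbar and is out of scope. The expected-domain set, the shortener list and the sample payloads are constructed for illustration.

```python
"""Triage of a decoded QR payload before anyone follows it.

Added example, not the article's own code. It works on the text a scanner app
shows after decoding (decoding the image itself needs a library such as zbar and
is out of scope). EXPECTED_DOMAINS, the shortener list and the sample payloads
in main() are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Assumed: the brand the QR claims to come from and the domains it really uses.
EXPECTED_DOMAINS = {"examplebank.com"}
# Assumed, deliberately incomplete list of shorteners that hide the destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def registered_domain(host: str) -> str:
    """Last two labels of the host; a real deployment would use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(payload: str, expected: set[str] = EXPECTED_DOMAINS) -> list[str]:
    """Return the reasons not to trust a decoded QR payload; an empty list means no red flags."""
    flags: list[str] = []
    if not payload.lower().startswith(("http://", "https://")):
        # QR codes also carry WIFI:, mailto:, tel:, SMSTO:, vCard and app-link payloads;
        # the scanner app decides what to do with those, so treat them as actions, not text.
        kind = payload.split(":", 1)[0]
        flags.append(f"non-web payload ({kind}:), check what the scanner app will do with it")
        return flags

    u = urlsplit(payload)
    host = u.hostname or ""
    if u.scheme != "https":
        flags.append("plain http, anything typed into the page travels unencrypted")
    if u.username is not None:
        # https://examplebank.com@evil.example/ visits evil.example; the brand is only userinfo
        flags.append(f"text before '@' is userinfo, the browser will visit '{host}'")
    try:
        port = u.port  # raises ValueError on a malformed port
    except ValueError:
        flags.append("malformed port")
    else:
        if port is not None and port not in (80, 443):
            flags.append(f"non-standard port {port}")

    try:
        ipaddress.ip_address(host)
        flags.append("IP address instead of a hostname")
        return flags  # domain checks below make no sense for a literal address
    except ValueError:
        pass

    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("internationalised (punycode) label, possible homoglyph of a brand name")
    reg = registered_domain(host)
    if reg in SHORTENERS:
        flags.append(f"URL shortener '{reg}', real destination hidden behind a redirect")
    elif reg not in expected:
        brands = [e.split(".")[0] for e in expected]
        if any(b in host for b in brands):
            flags.append(f"brand name appears in '{host}' but the registered domain is '{reg}'")
        else:
            flags.append(f"registered domain '{reg}' is not one of {sorted(expected)}")
    if host.count(".") >= 4:
        flags.append("unusually deep subdomain chain")
    return flags


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would display them.
    for sample in (
        "https://www.examplebank.com/login",
        "http://examplebank.com.secure-login.example/verify",
        "https://examplebank.com@198.51.100.23/",
        "https://bit.ly/3AbCdEf",
        "WIFI:T:WPA;S:FreeAirportWifi;P:guest1234;;",
    ):
        print(sample, "->", triage(sample) or ["no red flags"])
```

The point of the brand check is the one users most often miss: `examplebank.com.secure-login.example` contains the bank's name but is registered under `secure-login.example`, and `examplebank.com@198.51.100.23` puts the bank's name in the userinfo part so the browser visits the IP address. An empty result is not a guarantee the page is safe; it only means none of the cheap red flags fired.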

In summary, QR code phishing is surging, making up 22% of phishing attacks in October 2023, according to a study by Hoxhunt Security. Shockingly, over half of recipients failed to spot the threat, with 5% unwittingly scanning the malicious QR codes. The attack’s versatility, combining social engineering, fake websites, and credential harvesting, poses a potent danger.

QRLJacking adds a new twist, allowing attackers to hijack accounts through QR code logins. As Aspires Advice rightly points out, combating these threats is an uphill battle, with malicious actors easily creating new QR codes and emails.

The antidote? Vigilance and awareness. Treat QR codes like clickable links, verify their legitimacy, inspect URLs after scanning, educate users, enable multi-factor authentication, and report suspicious codes. In a cyber landscape that evolves relentlessly, staying sharp and proactive is non-negotiable. By adopting these measures, individuals and organisations can strengthen their defences against Quishing and QRLJacking.

Written by:

Matthew Wilson