Phishing Scam Uses QR Codes in Attacks on Energy, Other Sectors
A months-long phishing campaign that uses QR codes to bypass security controls is aimed at stealing Microsoft account credentials of victims at targeted companies in a range of industries, with one major energy firm getting inundated with almost a third of the 1,000 of the “quishing” emails the threat actors sent.
The campaign, which was first detected by researchers with cybersecurity vendor Cofense in May and has been averaging a month-over-month growth rate of more than 270% emails, highlights the growing use of QR codes by hackers in the wake of the pandemic.
“Historically, QR codes are not a popular choice due to the limiting nature of how QR codes are interacted with,” Nathaniel Raymond, a threat intelligence researcher with Cofense, wrote in a report, nothing that there has been an overall 2,400% increase in QR codes in emails since May. “However, they have several advantages over a phishing link embedded directly in an email.”
Phishing emails delivered via QR codes have a better chance of getting into a victim’s inbox because the phishing link is hiding inside the QR image, which itself is embedded inside a PNG image or PDF attachment, Raymond wrote.
Limits and Benefits of QR Codes for Phishing
However, they’re limited in how a user interact with them, with scanning limited to whatever mobile device is being used. In addition, the devices give the users a look of the link embedded in the QR code and asks the user if they want to go to the link, he wrote.
That said, an advantage is that using a mobile device to scan the code puts it out of reach of many enterprise security protections.
“Cofense has not historically seen large malicious campaign(s) utilizing QR codes,” Raymond noted. “This may indicate that malicious actors are testing the efficacy of QR codes as a viable attack vector.”
That would make sense. The use of QR codes spiked during the pandemic, when restaurants and other businesses used them regularly rather than handing out traditional menus.
“QR phishing is on the rise because people got used to scanning QR codes during the pandemic for digital menus, contactless payments, and event check-ins,” Mika Aalto, co-founder and CEO at security awareness training company Hoxhunt, told Security Boulevard. “Social engineers are always looking for new ways to trick people into engaging with them, and QR phishing is emerging as a handy attack vector.”
The FBI in 2022 issued a warning about the use of QR codes to steal data and Robar Ismail, a security consultant with security firm Mnemonic, wrote earlier this year that “the use of QR codes in phishing attacks became prominent around 2019 and the techniques and tactics used have continued to evolve since then.”
“There is a noticeable rise in phishing emails that exploit QR codes, bypassing email protections, and it is important for organizations to fully grasp the risks associated with these attacks,” Robar wrote.
Microsoft last month outlined five common QR code scams ranging from phishing and package delivery schemes to others involving payments, cryptocurrency, and donations.
Looking for Microsoft Account Credentials
In the campaign tracked by Cofense, the US energy company was the top target of the bad actors, though other targets were in such industries as manufacturing (receiving 15% of the emails), insurance (9%), technology (7%), and financial services (6%).
“Most of the phishing emails contain PNG image attachments delivering Microsoft credential phishing links or phishing redirects via an embedded QR code, with the majority of them being Bing redirect URLs,” Raymond wrote. “Email lures came in the form of updating account security surrounding 2FA [two-factor authentication], MFA [multifactor authentication], and general account security.”
While the energy company received 29% of the overall emails, it saw 81% of the messages in which Bing redirect URLs were being used.
The phishing emails spoof security notifications from Microsoft, including telling victims to scan a QR code to update security settings in their accounts or add 2FA or MFA to it. The messages ramp up the urgency by telling the users they have two to three days to do this.
While 26% of the malicious links embedded in the QR codes were Bing redirect URLs, though there also were domains associated with Salesforce applications and Cloudflare services.
Raymond wrote that the “tactic of encoding phishing links in redirects and sending the victim’s email with it is not new. What is important to note is that aside from hiding in QR codes, threats are abusing a trusted domain to carry attacks. Abusing trusted domains, using obfuscation tactics, coupled with hiding the URLs inside QR codes embedded into a PNG or PDF attachment, helps ensure that emails bypass security and make it into inboxes.”
Hoxhunt seemingly observed the same campaign, with Aalto noting the Microsoft security message and adding that “upon scanning, victims are redirected to a credential harvesting site personalized to the recipient’s place of business engineered to steal their business account login credentials.”
The trend in the campaign has been a steady ramp up since May, though a spike in late June coincided with the bulk of the phishing emails being sent to the energy company, a possible testing and development phase in the attacks, he wrote.
Aalto said organizations need to continue training employees to be think before they click on a QR code or anything else that lands in their inboxes, including checking the sender’s domain and looking for suspicious links.
In addition, SlashNext CEO Patrick Harr that “it’s important to have mobile protection against malicious links, because given the proliferation of QR codes in our daily life, it’s becoming impractical to avoid them completely.”
