How to stay safe from cybercriminal "quishing" attacks

[Image: QR code scanned via phone. Credit: Metapixel]

Phishing has been with us since the dawn of the digital age, or at least since cybercriminals first realized they could socially engineer the person sitting at the other end of an internet connection. As tech trends come and go, it remains one of the most popular threat vectors out there. But it has also undergone subtle changes over the years, as scammers look to outsmart better user training and smarter email security filters.

The latest evolution in this ongoing process is QR code phishing, or "quishing", which is being used in active attacks designed to get around multi-factor authentication (MFA). Like any new threat, it can be mitigated with the right blend of defensive techniques and, where needed, outside expertise.

By Tony Batten, Lead SOC Engineer at DigitalXRAID.

How quishing works

Phishing works so well because it relies on hacking the human psyche. We want to trust the stories we’re told – especially if they’re told by ostensibly trustworthy organizations or individuals. This is an admirable, but highly exploitable, trait. As technologies evolve, threat actors are continually refining the methods they use to take advantage of trusting end-users.

QR phishing is a good example. Although there have been intermittent reports of these attacks for several years, it is in the post-pandemic present that they are arriving en masse. Over two years of lockdowns we all became used to scanning QR codes for everything from menus to medical forms in a hands-free, hygienic manner. Scammers are capitalizing on that familiarity: a QR code that points at a credential-harvesting page takes seconds to generate, and most people scan without a second thought.

The scam is simple. A QR code is embedded in a legitimate-looking email from an apparently trustworthy source, with instructions to scan it. The user takes out their phone, scans the code, taps the link and lands on a phishing site. Because the scan happens on a phone, the victim has also just stepped off the managed laptop and the corporate network, away from the web proxy and browser controls that would normally inspect the request. The site could in theory push covert malware or steal personal and financial information, but very often it is built to harvest business credentials.

The most dangerous variations we've seen take the user to a site that not only harvests their static credentials but also defeats their MFA, in an "adversary-in-the-middle" (AiTM) attack. The phishing page is a reverse proxy that relays the username, password and MFA code to the genuine login service in real time, so it looks and behaves exactly like the standard MFA input page. The victim completes MFA successfully, and the attacker captures the session token (cookie) the service issues afterwards. MFA has been satisfied once and is not challenged again, so the threat actor is at liberty to use and reuse that access until the token expires, which is often left at a default of 30 days. That is more than enough time to hunt for sensitive data to steal and encrypt, and to hijack accounts and invoice templates to extort more money.

Why is quishing so successful?

Quishing makes sense to a threat actor for several reasons. Users' phones are usually less well protected than their desktop or laptop computers, and a scan moves the victim from a managed device on the corporate network to a personal handset on a mobile carrier, where the company's web proxy and browser controls never see the request. Even the defenses that should apply may not work as intended: a QR code is just an image, so the malicious URL is encoded in pixels rather than text, and email filters that extract and inspect links from the message body will miss it unless they decode the image.

With a QR code there is also little text for recipients to inspect for the grammatical mistakes or spelling errors that can give phishing away. QR codes lend themselves naturally to social engineering that adds a sense of urgency or warns of negative consequences if the user does not act. MFA itself is often the lure: for example, an email urging the recipient to scan a QR code to "secure" their Microsoft account, or to "authenticate" before they can confirm salary details. By mimicking familiar processes, bad actors lull their targets into a false sense of security.

Scammers also use tried-and-tested phishing techniques to improve quishing success rates, such as hijacking a legitimate email account inside the organization and sending the scam email from there. Increasingly, campaigns use open source intelligence gathered from company websites and LinkedIn to understand a target's role and tailor the email accordingly. In particularly sophisticated cases, the URL encoded in the QR code is not the phishing page at all but the first hop in a chain of redirects, sometimes through several domains. The result is that even when an email security scanner does decode the QR code and extract the link, it inspects an innocuous intermediate address and is thrown off the scent.

Time to layer up defenses

Unfortunately, real-world attacks are surging: I've seen businesses experience a 1000% increase in these account takeover attacks in a single month. To combat this, businesses need to combine stronger security controls with ongoing education. Social engineering attempts are getting harder to spot every day, but pairing that knowledge with a safe environment in which employees can report attacks, even after they have handed over access, is invaluable.

Consider how easily the Scattered Spider threat actors compromised MGM Resorts International, in a ransomware attack that cost the firm at least $100m. A quick LinkedIn search, followed by a vishing (voice phishing) call to the IT helpdesk while posing as an employee, was all they needed to obtain a network access credential. Better trained employees may be less likely to scan an unexpected QR code, and more inclined to double-check with IT first.

Back this up with stronger identity and access management policies. Mandate strong, unique passwords and discourage reuse and sharing to reduce the impact of a compromise. The power of this attack method lies in the stolen session token, which gives the bad actor an extended period of access to the account; with out-of-the-box settings they have time to hide unseen and wait for the best moment to strike. Shrink that window by reducing session and token lifetimes (one week rather than a month, for example) and by revoking all of an account's sessions the moment compromise is suspected. Where possible, move users to phishing-resistant MFA such as FIDO2 security keys or passkeys: the credential is bound to the genuine site's origin, so a proxy on a lookalike domain cannot relay it, which breaks the AiTM technique outright. Apply risk-based sign-in monitoring that combines contextual factors such as location, time of login and network provider to flag suspicious logins. And enforce clear policies on QR code usage and on what to do when encountering unknown or unsolicited codes.

Where outside help comes in

Some degree of human error is always a given, however, and sooner or later an attacker will gain a foothold. This is where anomaly detection helps: monitoring user activity for suspicious sequences such as a login from a new location immediately followed by the creation of a new inbox rule. Extended detection and response (XDR) platforms are built to correlate those signals across email, identity, endpoint and network telemetry.

A third-party managed XDR service can be a big leg up, kitted out with the latest AI-powered quishing detection tools and able to spot attack patterns across its other customers for a faster response. The provider can ensure that every system and device with network access, including user smartphones, is integrated for advanced monitoring and rapid containment of any breach. That way, if an account sees a login attempt from 300 miles away on a different internet provider, and the new session immediately sets up an inbox rule or emails a long list of customers at once, analysts can quarantine the account, revoke its sessions and block the source IP on the business-wide firewall. Put simply, even when phishing education and MFA fail, deep threat monitoring across the estate can stop an attacker in their tracks.
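The correlation described in the two paragraphs above, as an added Python example that is not part of the original article and is not DigitalXRAID's tooling. It runs over a handful of constructed audit events with simplified field names (loosely modelled on Microsoft 365 audit records; the event shape, the test IP addresses, the private-use ASNs and the baseline are all assumptions), treats a sign-in from a country/ASN pair the user has never used as suspicious, and raises an alert when an inbox rule is created within 30 minutes of it, escalating when the rule deletes or forwards mail.

```python
"""Correlate new-origin sign-ins with inbox-rule creation.

Added example (not the article's or DigitalXRAID's code). The event shape is a
simplified stand-in for Microsoft 365 audit records; all data below is
constructed for the demo (RFC 5737 test addresses, private-use ASNs).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events: Alice signs in from her usual GB/ISP origin, then
# minutes later from a new country and ASN, and a rule that silently deletes
# invoice mail appears right after. Bob creates a benign rule from his usual origin.
EVENTS = [
    {"time": "2024-03-04T08:02:11Z", "op": "UserLoggedIn", "user": "alice@example.com",
     "ip": "203.0.113.10", "country": "GB", "asn": "AS64496"},
    {"time": "2024-03-04T08:05:40Z", "op": "UserLoggedIn", "user": "alice@example.com",
     "ip": "198.51.100.77", "country": "NL", "asn": "AS64511"},
    {"time": "2024-03-04T08:07:02Z", "op": "New-InboxRule", "user": "alice@example.com",
     "ip": "198.51.100.77", "params": {"SubjectContainsWords": "invoice", "DeleteMessage": True}},
    {"time": "2024-03-04T09:15:00Z", "op": "UserLoggedIn", "user": "bob@example.com",
     "ip": "203.0.113.22", "country": "GB", "asn": "AS64496"},
    {"time": "2024-03-04T12:30:00Z", "op": "New-InboxRule", "user": "bob@example.com",
     "ip": "203.0.113.22", "params": {"MoveToFolder": "Receipts"}},
]

# Constructed baseline: (country, ASN) pairs each user has signed in from before.
BASELINE = {
    "alice@example.com": {("GB", "AS64496")},
    "bob@example.com": {("GB", "AS64496")},
}

# Rule parameters that hide or exfiltrate mail: classic post-takeover tradecraft.
RISKY_RULE_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
WINDOW = timedelta(minutes=30)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_takeover(events, baseline, window=WINDOW):
    """Return one alert per inbox rule created within `window` of a sign-in from
    a (country, ASN) pair that is absent from the user's baseline."""
    alerts = []
    new_origin_logins = {}  # user -> [(time, ip, (country, asn)), ...]
    for ev in sorted(events, key=lambda e: e["time"]):
        t, user = parse_ts(ev["time"]), ev["user"]
        if ev["op"] == "UserLoggedIn":
            origin = (ev["country"], ev["asn"])
            if origin not in baseline.get(user, set()):
                new_origin_logins.setdefault(user, []).append((t, ev["ip"], origin))
        elif ev["op"] in ("New-InboxRule", "Set-InboxRule"):
            recent = [lg for lg in new_origin_logins.get(user, [])
                      if timedelta(0) <= t - lg[0] <= window]
            if not recent:
                continue  # rule created with no recent new-origin login: benign here
            login_t, login_ip, origin = recent[-1]
            risky = sorted(set(ev.get("params", {})) & RISKY_RULE_PARAMS)
            alerts.append({
                "user": user,
                "login_ip": login_ip,
                "login_origin": origin,
                "rule_time": ev["time"],
                "minutes_after_login": int((t - login_t).total_seconds() // 60),
                "rule_from_same_ip": ev.get("ip") == login_ip,
                "risky_params": risky,
                "severity": "high" if risky else "medium",
            })
    return alerts


def containment_actions(alert):
    """Response steps the SOC would queue for an alert (returned, not executed)."""
    return [
        f"revoke all sessions and refresh tokens for {alert['user']}, then reset the password",
        f"block {alert['login_ip']} at the perimeter",
        f"delete the inbox rule created at {alert['rule_time']} and review sent mail",
    ]


if __name__ == "__main__":
    for a in detect_takeover(EVENTS, BASELINE):
        print(a)
        for step in containment_actions(a):
            print("  ->", step)
```

Only Alice's rule alerts: it follows a login from a never-seen country and ASN by about a minute, comes from the same new IP, and deletes matching mail, so it is rated high. Bob's rule comes hours after a login from his baseline origin and is ignored. In a real deployment the baseline would be built from weeks of sign-in history per user, and the time window and risky-parameter list tuned to the tenant.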

Quishing is just the latest evolution in a continuous arms race between network defenders and threat actors. It’s time we updated our response accordingly.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.

Tony Batten is Lead SOC Engineer at DigitalXRAID.