Don’t call it quishing: QR code phishing on the rise

There’s a new trend emerging in cybercrime, AT&T warns – embedding malicious QR codes into phishing attempts. The attack has been dubbed “quishing,” but the term isn’t getting any love among the cybersecurity community on Reddit.

Some users recently received an email from Microsoft with a curious attachment – a PDF file containing a QR code and an urgent message instructing users to setup multi-factor authentication (MFA).

Once the users scanned the QR code, they were redirected to a fake Microsoft sign-in page on their phone. Here, they entered their legitimate login credentials, such as usernames and passwords, which were then stored and made available to the threat actor.

The AT&T Managed Detection and Response (MTDR) security operations center has reported a notable increase in emails with QR codes over the past several months. Unfortunately, numerous users fell victim to the attack and their credentials were compromised.

malicious QR code

“This type of attack is called “quishing,” AT&T writes.

However, it seems like many cyber pros have had enough of this method of naming new types of attack. The term became the most discussed topic this week in the Cybersecurity subreddit.

“It's too damn early for me to be raging about "quishing," so here. Do it for me. (...IT'S JUST PHISHING WITH QR CODES!! STOP IT WITH THE WEIRD NAMES!” the discussion headline reads.

The cyber lexicon is already making blue teams sound like they’re from a different planet when trying to protect organizations. Some are afraid that they’ll have to expand their vocabulary, which is already filled with zero-day malvertising ransomware sniffing and scraping Personal Identifiable Information, or PII.

“CompTIA (issuer of professional certifications) can’t wait to add this term to their exams.”

“I'm studying for Sec+, and they are making me irrationally angry,” the subreddit steamed.

Other network-dwellers were quick to come up with even more precise descriptors:

  • Sqrshing – malicious QR codes sent through text.
  • Vquishing – quishing over voicemail.
  • Acrobuzzing – inventing new acronyms and buzzwords to be more mysterious to common folk.

“Didn't you hear? Karen in HR quished again... Bro, someone whaled (attack targeting high-profile individual) the CEO and he quished all of his PII on the world wide web… Thank you for coming to the meeting today. So, after today's test campaign, the phishing was reported very well, but we had a lot of failed quishes...” one cyber pro tried to imagine real-life applications.

Protect yourself from quishing: don’t scan QR codes

Attackers often encourage their victims to act quickly in the hope of convincing them to forgo proper security practices. Scanning QR codes can be even more dangerous than clicking on malicious links, as phones are often less secure than the rest of the company’s network, AT&T explains.

“Phishing attacks and credential harvesters have been in use for some time. However, as the use of QR codes becomes more commonplace, take care to verify the domain that a QR code is associated with before you scan it. Additionally, avoid scanning the QR code with your mobile device. Typically, there are fewer security measures in place on a mobile device than on a network-connected corporate device,” the company’s researchers suggest.

In cases when attackers manage to acquire credentials, users should immediately close all active sessions for compromised services prior to any credential resets. This is critical, since the threat actor will retain access to the user’s account until they are completely logged out.

And lastly, don’t use the word “quishing” when looking for help to remediate any problems.