Phishing attacks that leverage QR codes are increasing both in volume and sophistication, cybersecurity experts have warned.
Attackers use so-called quishing – a blend of “QR code” and “phishing” – to steal corporate credentials via mobile devices, according to Sophos, a UK-based security software and hardware company.
The firm discovered evolving quishing techniques after several of its own employees were targeted in a recent campaign, with one of them being tricked into revealing sensitive information.
In June this year, attackers emailed a PDF document containing a QR code to multiple targets within Sophos. The emails were crafted to appear authentic and sent from compromised legitimate non-Sophos email accounts, the company said.
The subject lines of these emails were also made to appear as if originating from within the company as a document that was emailed directly from a networked scanner in the office.
According to Sophos, when the targets scanned the QR code with their phones, they were sent to a phishing page that looked like a Microsoft 365 login dialog but was controlled by the attackers.
The page was an adversary-in-the-middle (AiTM) phishing proxy: it relayed the victim’s username, password and MFA response to the real service in real time and captured the session cookie issued at the end of that login. With the cookie, the attacker can skip authentication entirely and act on the user’s behalf.
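Because the cookie is captured the moment authentication completes, the first signal a defender usually has is a session that is used by a different client than the one that answered the MFA prompt. The check below, an added example and not Sophos’s code, runs that heuristic over constructed sign-in telemetry; the record fields (`session`, `type`, `ip`, `ua`) and the 15-minute window are assumptions, not any vendor’s schema.

```python
"""Flag MFA-backed sessions whose follow-on activity comes from a different
client than the one that completed authentication.

Added example (not Sophos code). The sign-in records below are constructed
for illustration; field names are assumptions, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: each record is either the sign-in that satisfied MFA
# or a later request that presented the resulting session cookie.
SAMPLE_EVENTS = [
    # alice: AiTM case. The attacker replays the captured cookie 30 s after the
    # MFA prompt was completed, from a different IP and a scripted client.
    {"ts": "2024-06-12T09:01:10", "user": "alice", "session": "s-1", "type": "signin",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125"},
    {"ts": "2024-06-12T09:01:40", "user": "alice", "session": "s-1", "type": "access",
     "ip": "198.51.100.7", "ua": "python-requests/2.31"},
    # bob: benign. The same client keeps using the session it authenticated.
    {"ts": "2024-06-12T09:05:00", "user": "bob", "session": "s-2", "type": "signin",
     "ip": "192.0.2.20", "ua": "Mozilla/5.0 (Windows NT 10.0) Edg/125"},
    {"ts": "2024-06-12T09:06:00", "user": "bob", "session": "s-2", "type": "access",
     "ip": "192.0.2.20", "ua": "Mozilla/5.0 (Windows NT 10.0) Edg/125"},
    # carol: benign roaming. Same phone on a new network hours later, well
    # outside the near-real-time window in which the relay attack operates.
    {"ts": "2024-06-12T08:00:00", "user": "carol", "session": "s-3", "type": "signin",
     "ip": "192.0.2.30", "ua": "Mozilla/5.0 (iPhone) Safari/605"},
    {"ts": "2024-06-12T11:30:00", "user": "carol", "session": "s-3", "type": "access",
     "ip": "203.0.113.99", "ua": "Mozilla/5.0 (iPhone) Safari/605"},
]


def find_session_replays(events, window=timedelta(minutes=15)):
    """Return one alert per session in which a request made within `window`
    of the MFA-satisfied sign-in came from a different IP or user agent."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # fixed-width ISO-8601 sorts chronologically
        signin = next((e for e in evs if e["type"] == "signin"), None)
        if signin is None:
            continue
        t0 = datetime.fromisoformat(signin["ts"])
        reasons = []
        for e in evs:
            if e["type"] != "access":
                continue
            age = datetime.fromisoformat(e["ts"]) - t0
            if not timedelta(0) <= age <= window:
                continue
            secs = int(age.total_seconds())
            if e["ip"] != signin["ip"]:
                reasons.append(f"ip changed {signin['ip']} -> {e['ip']} after {secs}s")
            if e["ua"] != signin["ua"]:
                reasons.append(f"user agent changed after {secs}s")
        if reasons:
            alerts.append({"user": signin["user"], "session": sid, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_EVENTS):
        print(a["user"], a["session"], "; ".join(a["reasons"]))
```

In the campaign described, the login itself passes through the attacker’s proxy, so the IP recorded at sign-in is already the attacker’s; pairing this check with the networks a user is expected to authenticate from, or a hosting-provider lookup on the sign-in IP, covers that case as well.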
Red flags
Sophos said that the quishing emails sent to its staff carried several red flags, including a mismatch between the attachment’s filename and the filename referenced in the body, missing text in the subject and body, and a sender name that did not match the usual corporate format.
However, this was not enough to trigger suspicion, and the attack “successfully compromised an employee’s credentials and MFA through this method,” the firm said.
“The attacker then attempted to use this information to gain access to an internal application by successfully relaying the stolen MFA token in near real-time, which is a novel way to circumvent the MFA requirement that we enforce,” it added.
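The three red flags above are mechanical enough to check at the mail gateway before a human ever sees the message. The scorer below is an added example, not Sophos tooling; it parses a message with Python’s standard `email` package and reports each flag it finds. The two sample messages are constructed, and the “Surname, Given” corporate display-name convention is an assumption that would be replaced with the real organisation’s format.

```python
"""Score an inbound message against the quishing red flags: attachment name
not matching the body, empty subject or body, off-format sender name.

Added example, not Sophos code. Both messages are constructed samples and
the corporate display-name pattern is an assumption for illustration.
"""
import email.utils
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption: the organisation's directory display names look like "Doe, Jane".
CORPORATE_NAME_RE = re.compile(r"^[A-Z][a-z]+, [A-Z][a-z]+$")
# Filenames that a body might refer to ("see Invoice_2024.pdf attached").
FILENAME_IN_TEXT_RE = re.compile(r"\b[\w\-]+\.(?:pdf|docx?|xlsx?)\b", re.I)


def red_flags(raw: bytes) -> list[str]:
    """Return a human-readable reason for every red flag found in the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part else ""
    if not subject:
        flags.append("empty subject")
    if not body:
        flags.append("empty body")

    # Filename mismatch: the body names a document that is not actually attached.
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    for name in sorted(set(FILENAME_IN_TEXT_RE.findall(body))):
        if name not in attachments:
            flags.append(f"body references {name!r} but attachments are {attachments}")

    # Sender display name that does not follow the corporate convention.
    display_name, _addr = email.utils.parseaddr(str(msg["From"] or ""))
    if display_name and not CORPORATE_NAME_RE.match(display_name):
        flags.append(f"sender display name {display_name!r} does not match corporate format")
    return flags


def _message(sender: str, subject: str, body: str, attachment_name: str) -> bytes:
    """Build a constructed sample with a placeholder PDF attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    # Placeholder bytes standing in for a PDF; no real document is embedded.
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf",
                       filename=attachment_name)
    return msg.as_bytes()


def build_lure() -> bytes:
    """Lure resembling the one described: 'scanner' sender from an outside
    domain, body naming a file that differs from the attached one."""
    return _message("scanner <ops@example-partner.test>",
                    "Scanned document from office scanner",
                    "Attached document: Invoice_2024.pdf",
                    "Scan_0613.pdf")


def build_benign() -> bytes:
    """Internal message that follows the conventions the checks expect."""
    return _message("Doe, Jane <jane.doe@example.test>",
                    "Scan from office scanner",
                    "Please find Scan_0613.pdf attached.",
                    "Scan_0613.pdf")


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("benign", build_benign())):
        print(label, red_flags(raw) or "no flags")
```

A gateway rule built on these checks would still have missed the PDF’s actual payload; the point of the scorer is to raise a low-cost signal on the packaging of the lure, which is what Sophos says its own staff overlooked.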
According to Sophos, this type of attack is becoming “more commonplace” among its customers, who send samples of novel quishing PDFs targeting specific employees at their organizations “every day.”
Cybersecurity experts also said that quishing documents now appear more “polished” and “refined” than those seen at the beginning of the summer.
“Because QR codes are usually scanned by a secondary mobile device, the URLs people visit can bypass traditional defenses, such as URL blocking on a desktop or laptop computer that has endpoint protection software installed, or connectivity through a firewall that blocks known malicious web addresses,” Sophos said in a blog post detailing the campaign.
“We in the security industry generally teach people resilience to phishing by instructing them to carefully look at a URL before clicking it on their computer. However, unlike a URL in plain text, QR codes don’t lend themselves to scrutiny in the same way,” it said.