Experts Advise Caution Before Scanning QR Codes



Quick Response (QR) codes are very convenient when visiting websites, downloading applications, or viewing menus at a restaurant. That convenience is why they have become a tool for bad actors to steal credentials and infect mobile phones, as well as to invade corporate networks.

“We are seeing an exponential uptick in targeted attacks against mobile devices, many of them phishing attacks,” observed Kern Smith, VP for Americas pre-sales at Zimperium, a mobile security company headquartered in Dallas.

“A large majority of phishing websites are targeted at mobile devices,” he told us. “The attackers know that mobile devices have the highest vulnerability to phishing attacks, so they do it.”

He said: “QR-phishing, also known as quishing, is an excellent attack vector because attackers can easily distribute QR codes. Many corporate antiphishing systems don’t scan QR codes.”

ReliaQuest, an automation company that specializes in security, cloud security and risk management, with headquarters in Tampa, Fla., noted in a report published recently that it had seen a 51% increase in the number of quishing attacks in September compared to the total for the eight previous months.

This spike can be attributed to the growing popularity of smartphones with QR code scanners built-in or free scanning applications. Users often scan codes without giving them a second thought.

Phishing is a part of the epidemic

Shyava Tripathi, a researcher in the Advanced Research Center of Trellix, maker of an extended detection and response platform in Milpitas, Calif., noted that phishing is responsible for over a third of all attacks and breaches.

She told TechNewsWorld that QR-code-based attacks were not new, but have become more prevalent in sophisticated campaigns targeting consumers and businesses. Trellix detected over 60,000 malicious samples of QR codes in Q3 alone.

Quishing is currently high on the agenda for many organizations, asserted Steve Jeffery, lead solutions engineer at Fortra, a global cybersecurity and automation company. “It is a risk which can bypass existing security controls.” He said that the protection depends on whether the recipient understands the threat and does not fall for the bait.

He continued by saying that clicking on malicious URLs was still one of the biggest risks for account takeovers. He cited data obtained from Fortra’s PhishLabs, which showed that in Q2 2023, more than three quarters of all credential theft emails contained links pointing victims to malicious sites.

“Quishing is just an extension of phishing,” he said. “Instead of a hyperlink, the attacker uses QR codes to deliver the URL. Since most email security software cannot read the QR codes’ contents, it is difficult for these messages to be intercepted, which is why this type of attack has become more prevalent.”

Quishing Credentials

Mike Britton, CISO of Abnormal Security, a global provider of email security services, agreed that quishing is a growing problem. He cited Abnormal’s data, which found that QR codes are used in 17% of all attacks to bypass spam and junk filtering.

He said his company’s data shows that phishing for credentials accounts for 80% of QR code-based attacks. Invoice fraud and extortion are the other two top attack types.

He continued: “Unlike traditional email attacks, there is minimal text and no obvious malignant URL.” This reduces the number of signals that traditional security tools can analyze in order to detect and catch an attack.

“Because QR codes can evade human detection as well as detection by traditional security software, they tend to work better than traditional attack types,” he said.

QR Threats embedded in Websites

Randy Pargman, director for threat detection at Proofpoint, an enterprise security company in Sunnyvale, Calif., maintained that the number one reason malicious actors prefer QR codes over regular phishing URLs or attachments is because people who scan QR codes usually do so on their personal phone, which probably isn’t monitored by a security team.

He explained that QR code phishing is difficult to detect because the phishing link is not easy to extract from the QR code. He added that most benign email signatures include logos, embedded links to social media outlets, and QR codes pointing to legitimate websites.

“The presence of a QR code is not a sure sign that phishing has occurred,” he said. “Many legitimate campaigns use QR codes, which can allow malicious codes to blend in with the background noise.”

Nicole Carignan, vice president for strategic cyber AI at Darktrace, a global cybersecurity AI company, added that the increased use of QR codes in phishing attacks is the latest example of how attackers are pivoting to embracing techniques that can thwart traditional defenses with greater agility and efficiency.

Best Practices for QR Code Safety

Carignan noted Darktrace research that found quishing attacks often include highly personalized targeting as well as newly created sender domains. This makes the emails more difficult to detect for traditional email security systems, which rely on signatures or known-bad lists in order to detect malicious activities.

“The most common social-engineering technique that is used with malicious QR codes is to impersonate internal IT teams. Specifically, emails claiming the users must update their two-factor configurations,” she said. When setting up two-factor verification, most instructions ask users to scan QR codes. As a result, attackers are now replicating this process to evade secure email solutions.
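The signals the experts describe above (little body text, no URL outside the QR image, a QR link that leaves the organization's domain, a newly created sender domain, an internal-IT two-factor lure) can be combined into a simple triage check. The Python below is an added example, not code from the article or from any vendor quoted in it; it assumes an upstream decoder has already read the QR payloads from the images and that a registration lookup has supplied the sender domain's age, and the signal names, thresholds and sample message are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not real mail): image-only body with a 2FA lure.
SAMPLE = """\
From: IT Support <helpdesk@corp-it-update.example>
To: alice@corp.example
Subject: Action required: update your two-factor configuration
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/plain

Scan the code below to keep access.
--b1
Content-Type: image/png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

URL_RE = re.compile(r"https?://\S+", re.I)
LURE_RE = re.compile(r"two-factor|2fa|mfa|authenticator", re.I)

def quishing_signals(raw, qr_payloads, org_domain, sender_age_days):
    """List the signals that fire for one message.

    qr_payloads: strings an upstream QR decoder read from the images
    (assumed; no decoding happens here). sender_age_days: age of the
    sender domain from a registration lookup (assumed input)."""
    msg = message_from_string(raw)
    parts = list(msg.walk())
    text = " ".join(p.get_payload() for p in parts
                    if p.get_content_type() == "text/plain")
    has_image = any(p.get_content_maintype() == "image" for p in parts)
    hosts = [urlparse(u).hostname or "" for u in qr_payloads if URL_RE.match(u)]
    internal = lambda h: h == org_domain or h.endswith("." + org_domain)
    checks = [
        ("url_only_in_qr", has_image and bool(hosts) and not URL_RE.search(text)),
        ("qr_host_external", any(not internal(h) for h in hosts)),
        ("minimal_text", len(text.split()) < 30),        # assumed threshold
        ("new_sender_domain", sender_age_days < 30),      # assumed threshold
        ("it_2fa_lure", bool(LURE_RE.search((msg["Subject"] or "") + " " + text))),
    ]
    return [name for name, fired in checks if fired]
```

A QR code that resolves to the organization's own domain still fires some signals, which matches the point made earlier that the presence of a QR code alone is not proof of phishing; the external-host and new-domain signals are what separate the two cases here.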

There are many technological solutions to address potential QR-code attacks. However, a simple rule can be sufficient for many people.

“When we tell people about the best practices for QR codes, you can start by asking yourself if this QR code is in a place that a bad person might post it,” advised Christopher Budd, leader of the X-Ops team at Sophos, a global network security and threat management company.

“If I’m walking through the food court in a mall, and there’s a sign that says, ‘Save 20% on all stores today. Scan the code.’ If I see this, I won’t use the QR code. I don’t even know who put the sign there.”

“When you talk about QR codes,” he said, “you need to know its source and trust it.”