Be Wary of QR Code Fatigue

Scams

February 15, 2024

Reports of QR code phishing (quishing) attacks have recently increased. QR codes were invented in 1994 but came into wide use in 2020 during the COVID-19 pandemic, when many businesses adopted them for contactless interaction. Common uses include restaurant menus, check-in systems, and wireless payments. With QR codes now part of everyday life, attackers take advantage of how readily potential victims scan them. Abnormal Security reported that executives were 42 times more likely to be targeted by quishing attempts than the average employee, and that 89.3 percent of detected quishing attacks were designed to harvest credentials, with over a quarter disguised as multi-factor authentication (MFA) requests. High-level executives often hold confidential information and elevated access across the network, which makes them desirable targets. Quishing messages are crafted to appear to come from legitimate sources, with attackers frequently impersonating companies such as Microsoft or Google.

Another tactic used in quishing attacks is QRLJacking. The attacker opens a login session on a site that offers QR code login, clones the session's QR code into a page under their control, and deceives the user into scanning the attacker's QR code link (QRL) rather than the legitimate one. When the victim scans it with an already-authenticated mobile app, the attacker's session is authenticated as the victim, and the account is taken over. According to the Better Business Bureau (BBB), malicious QR codes appear in several different attack vectors, including codes placed on parking meters, government impersonation and romance scams, and HR-themed phishing attempts.

Because a quishing email carries little text and its URL is encoded in an image rather than written out, it has a higher chance of bypassing the spam filters in legacy email security systems that rely on scanning text and links. Adding an anomaly detection system that looks for new or unusual message patterns can reduce the chance of these messages reaching a user's inbox.

Recommendation

The NJCCIC advises users to refrain from scanning QR codes included in emails, even those that appear to come from known or trusted contacts, without first verifying the communication's legitimacy through a separate channel. Additionally, follow the recommendations in the BBB and FBI reports to avoid falling victim to a QR code scam, including looking for signs of tampering (such as a sticker placed over a printed code) and previewing the decoded URL before navigating to the website. Users are encouraged to educate themselves and others on this and similar scams to prevent future victimization. If victimized, users are encouraged to report the activity to the FBI's IC3 and the NJCCIC.
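The step of previewing the decoded URL is where most of the tells described above (brand names in the wrong place, shorteners, raw IPs, login or MFA wording on an unfamiliar domain) can be caught before a browser is opened. The following Python function is an added example of that triage, not code from the NJCCIC, BBB or FBI guidance. It assumes the QR payload has already been decoded to a string (by a phone camera app or a library such as pyzbar) and only inspects that string; the brand domain list, the shortener list, the keyword list and every sample payload are constructed assumptions for illustration and should be adapted to your own environment.

```python
"""Triage a URL decoded from a QR code before anyone opens it.

Added example, not code from the NJCCIC, BBB or FBI guidance. It assumes the
QR payload has already been decoded to a string (by a phone camera app or a
library such as pyzbar); only the inspection step is shown. The brand and
shortener lists and every sample payload are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Legitimate registrable domains for the brands the advisory says quishing
# lures impersonate most often (assumed, partial list; extend for your tenant).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "google": {"google.com"},
}
ALLOWED_DOMAINS = set().union(*BRAND_DOMAINS.values())

# Shorteners hide the final destination from the person scanning (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy"}

# Words that make a page look like a login or MFA prompt.
AUTH_WORDS = re.compile(r"login|signin|sign-in|mfa|verify|password|auth", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: ignores multi-label suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_qr_url(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload deserves suspicion.

    An empty list means none of the checks fired; it does not prove the link safe.
    """
    reasons: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # Non-web payloads (wifi:, mailto:, tel:, javascript:) are not links to
    # inspect further; surface them and stop.
    if scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {scheme!r}")
        return reasons

    host = parts.hostname or ""
    if not host:
        reasons.append("no host in URL")
        return reasons
    netloc = parts.netloc.lower()

    if scheme == "http":
        reasons.append("plain http: anything typed into the page travels in clear")

    # https://login.microsoft.com@attacker.example/ : the text before '@' is
    # userinfo, and the browser actually connects to attacker.example.
    if parts.username is not None:
        reasons.append("userinfo before '@' disguises the real host")

    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, possible homoglyph of a brand")

    domain = registrable_domain(host)
    if domain in SHORTENERS:
        reasons.append(f"shortener {domain} hides the destination")

    # Brand name anywhere in the authority part (including userinfo) while the
    # registrable domain is not one the brand owns: classic lookalike.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in netloc and domain not in legit:
            reasons.append(f"'{brand}' in hostname but domain is {domain}")

    # Login/MFA wording only matters on a domain we do not already trust.
    if domain not in ALLOWED_DOMAINS and AUTH_WORDS.search(parts.path + "?" + parts.query):
        reasons.append("login/MFA-themed path or query on an untrusted domain")

    return reasons


if __name__ == "__main__":
    # Constructed payloads, not real observed lures.
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
        "https://login.microsoft.com@mfa-reset.example/verify",
        "http://bit.ly/3xyz",
        "https://203.0.113.5/mfa",
        "WIFI:T:WPA;S:Lobby;P:secret;;",
    ):
        print(sample, "->", triage_qr_url(sample) or ["no findings"])
```

The checks are deliberately structural (where the brand name sits relative to the registrable domain, whether the host is hidden behind userinfo, a shortener, or punycode) rather than keyword-driven, because the login and MFA wording that marks a credential lure also appears on every legitimate sign-in page; the keyword check therefore fires only on domains outside the allow list. A real deployment would replace the naive two-label domain split with a public-suffix-list lookup and feed the findings to the same anomaly-detection pipeline the advisory recommends for email.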

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact us here at Cyber Command with any questions.