Quick-response (QR) codes are convenient and easy to use in everyday life to access information and navigate to websites. Unfortunately, cyber threat actors continue to take advantage of the increased adoption of QR code scanning, as users are typically quick to scan QR codes without a second thought and are unaware of the potential risks. Threat actors impersonate trusted organizations or entities, such as postal services, file-sharing services, applications, cryptocurrency wallets, human resources departments, and information technology departments. They use legitimate software tools and QR codes that appear genuine or official but may be tampered with, directing targets to phishing websites and fraudulent payment portals to steal sensitive information, login account credentials, or funds. QR code phishing (quishing) campaigns can also deliver malware, ransomware, or trojans that automatically download, infiltrate devices, and launch further attacks. QR codes may be embedded in Adobe PDF, Microsoft Word, HTML, attached images, or directly in the body of the email. In the past several months, reports of quishing attacks increased as sophisticated techniques evolved to bypass traditional security measures.

Microsoft Sway is a cloud-based content creation tool that sends newsletters, presentations, and other interactive content. Threat actors leverage Microsoft Sway to deliver malicious links leading to QR codes that, if scanned, direct users to a phishing page to harvest Microsoft account credentials. They use document lures and target North American and Asian users in information technology, critical manufacturing, and financial services. The NJCCIC’s email security solution has observed similar campaigns with business-related lures, such as payments, invoices, and order themes. Concerningly, users must log in to Microsoft Sway accounts to access legitimate content and may also trust phishing content.

Additionally, most QR codes are JPG files and may bypass detection tools despite many security vendors’ ability to detect and block these image-based threats. In a separate campaign, threat actors use Unicode text characters instead of images to create QR codes that can bypass traditional security measures. This Unicode quishing technique uses text-based codes that smartphone cameras can easily read, with the same code appearing differently in plain text.

Quishing continues to evolve as threat actors use two trusted platforms, Microsoft SharePoint and online QR scanning services, to evade detection. In the “Quishing 2.0” attacks, threat actors spoof a domain or impersonate a familiar contact and attach a PDF file with a purchase order lure in the email. The attachment contains a QR code to be scanned to view the entire purchase order. It also includes a physical address of the impersonated contact to appear legitimate. If scanned, the target is directed to a genuine QR code scanning service, displaying that it was scanned successfully with a button to skip the advertisement. If the button is clicked, the target is directed to a legitimate Microsoft SharePoint page containing a URL file with the purchase order number. If clicked, the target is redirected to a fraudulent Microsoft OneDrive page containing purported scanned invoices overlayed with a login prompt to steal credentials.

Although information technology, critical manufacturing, and financial services were targeted in the previous campaigns, all sectors and organizations should remain vigilant with the rising threat of malicious QR codes. For example, threat actors target education with approximately 15,000 daily messages containing QR codes, including phishing emails, spam, and malware. These QR codes may also be found in flyers, forms, and other official communications. Additionally, threat actors can target users utilizing personal devices without endpoint security to gain access to organizations.

Recommendations

• Confirm the QR code is legitimate before scanning it, particularly in unsolicited messages or public places, especially with company-issued equipment, services, and software.
• Refrain from scanning QR codes that have been physically or digitally tampered with.
• When in doubt, manually type a known and trusted URL (obtained from official sources) into the browser.
• Provide personal or financial information or transfer money to only legitimate and verified websites.
• Regularly update your mobile device and its apps.
• Use strong passwords and enable multi-factor authentication (MFA) on your accounts.