QRcode use as phishing bait grows

Sheila Zabeu

October 28, 2021

QRcodes, which are becoming popular as a quicker way to make payments and to open Web pages or even menus, are increasingly being used as bait in attempts to steal Microsoft credentials and other user data. Between the months of September and October, Abnormal, which offers email protection solutions, identified and blocked nearly 200 messages in a phishing campaign against company customers that attempted to collect Microsoft credentials.

What’s new this time is that the messages contained QRcodes that supposedly gave access to a voicemail, but were actually bait to collect personal data. This type of attack has been dubbed “Quishing”. According to Abnormal, the QRcode images had been created on the same day they were sent, making it difficult for any security blocklist to recognize them. In total, six profiles were used to send the campaign messages. In addition, the attackers used compromised email accounts, exploiting the target organization’s legitimate Outlook infrastructure to send the messages.

This campaign had a previous version that used a URL behind an image that appeared to be an audio file. However, the tactic was detected and identified as a threat by cybersecurity services. The attackers then switched to QR codes in the second round of attempts.

This technique had already been identified by business brokerage Better Business Bureau, which issued a warning about the use of QRcodes in email attacks – as they cannot be interpreted by the human eye, they have become an effective way of disguising malicious links. When receiving an email or even a message on social networks or via SMS, the user will almost certainly read the code with the mobile phone camera, which will then open a link to a phishing site. All it takes is a few seconds for personal information or login credentials to be passed on to the fraudsters.

The Better Business Bureau gives some tips on how to avoid scams involving QRcodes:

  • Confirm the source: Even if it comes from an acquaintance via email or social media page, contact the person before reading the QR code. That individual may have had their credentials stolen.
  • Don’t read QRcodes coming from strangers: Even if it promises amazing things, don’t fall for the bait.
  • Be wary of short links: If a short URL appears when the QRcode is read, it will not be possible to identify where you are being directed.
  • Be on the lookout for possibly tampered advertising materials: Some scammers alter legitimate ads by inserting QRcodes.
  • Install a QRcode reader with security features: Some antivirus companies offer QRcode reader applications that check the security of the respective link before opening it.
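
The short-link tip and the link-checking reader from the last tip can be sketched as a pre-open check on the text a QR code decodes to. This is an added example, not code from the Better Business Bureau, Abnormal or any reader app; the function name, the shortener list, the heuristics and the sample payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short illustrative set of public URL-shortener hosts, not a complete list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

def review_qr_payload(payload, trusted_hosts=frozenset()):
    """Return the reasons not to auto-open a decoded QR payload (empty list = none found)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ["not a web link (scheme %r)" % scheme]
    if not host:
        return ["no host in URL"]
    findings = []
    if scheme == "http":
        findings.append("no TLS (http)")
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    if host in SHORTENERS:
        findings.append("short link: destination unknown until resolved")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible look-alike domain")
    if trusted_hosts and host not in trusted_hosts:
        findings.append("host %s is not on the trusted list" % host)
    return findings

# Constructed sample payloads (documentation-range IP, example domains).
SAMPLES = [
    "https://bit.ly/3AbCdEf",
    "https://login.example.com@203.0.113.7/voicemail",
    "https://menu.example.com/table/4",
    "WIFI:S:guest;;",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", review_qr_payload(p, {"menu.example.com"}) or "no findings")
```

An empty result only means none of these heuristics fired; it does not show that the destination is safe.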

Privacy warnings

In an article on his blog, Eric Rescorla, chief technology officer of the Firefox browser, highlights privacy issues related to the QRcode. During the pandemic, this technology gained popularity for allowing, for example, menus to be read, without having to handle the potentially contaminated paper version.

Understanding how the QRcode works is key to learning how to ensure privacy. It is simply a way of encoding information such as URLs into a format that a mobile phone camera can read and that, in most cases, automatically opens the browser to the respective page.

We cannot say that the problem is with the QRcode, because it is a static element. The problem is with the web pages to which it points, which may be full of tracking mechanisms, mainly in the form of cookies. In the case of a QRcode used for menus, for example, the destination website may be more than just a menu and may already accept orders and store the customer's consumption preferences. Depending on how the webpage is developed, user behavior can be tracked across multiple restaurants to build a picture of consumer eating behavior.

It is obvious that our behavior on the Web has been tracked for a long time and by various methods. However, there is a simple way, according to Rescorla, to escape the possible surveillance of these pages. We can open the pages in the browser’s private mode to create a temporary session, so that the browsing history and the data associated with the session, including cookies, are deleted when the session is closed. According to Firefox’s director, most QRcodes are not currently directing users to sites that want to track them, but for those who value privacy, and even security, it is worth protecting themselves. Besides, you never know how long this more naive scenario regarding privacy and the use of QRcodes will last.