Beware the Square: Discover the Risks of QR Code Phishing
Context
Information security has become a priority for most organizations, because they are aware that information has value and must be protected. Every day, incidents impacting organizations are in the news. A violation of data confidentiality may severely impact the data subjects and/or cause financial damage to your organization, while a violation of data integrity and/or availability may interrupt your business, which also has a financial impact. Information has value, and attackers, who mostly seek financial gain, are aware of this.
To protect themselves, organizations implement multiple controls to reduce the risk linked to a possible information security incident, which makes it more and more difficult for an attacker to access your information or impact your services. With the accumulation of technical controls, the weakest link in your organization's information security chain is the human factor.
Human Factor
The human factor is crucial in phishing because it exploits human psychology and behavior to deceive individuals into divulging sensitive information or performing a desired action. Phishers often use tactics such as creating a sense of urgency, invoking fear, or mimicking trusted entities to manipulate their targets. Unlike technical defenses, which can be systematically strengthened, human vulnerabilities are more challenging to address because they rely on awareness, education, and vigilance. Even the most secure systems can be compromised if individuals are tricked into providing access to credentials or other sensitive data. Therefore, understanding and mitigating the human factor is essential in developing effective anti-phishing strategies.
QR Code
QR codes, or Quick Response codes, are two-dimensional barcodes that store data in a pattern of black squares on a white background. They work by encoding information both horizontally and vertically, allowing them to hold more data than traditional barcodes. When a QR code is scanned using a smartphone camera or a dedicated QR code scanner, the device reads the pattern and decodes the information. QR codes are often used to easily guide a user to a website thanks to the encoded URL.
Quishing?
Quishing, or QR code phishing, is a type of phishing attack in which attackers use QR codes to trick individuals into visiting malicious websites or downloading harmful content. These QR codes can be embedded in emails, social media posts, printed materials, or even physical objects. When scanned, the QR code directs the victim to a fraudulent site designed to steal sensitive information, such as login credentials, financial data, or personal details, or to deliver malware.
Quishing is particularly effective because QR codes are often perceived as harmless and are difficult to scrutinize before scanning: the encoded URL is invisible to the human eye. This makes it easier for attackers to bypass traditional security measures and exploit human curiosity or trust.
Attack Delivery
Attackers use social engineering techniques to incite victims into scanning the QR codes. The QR codes leading to malicious content may be embedded in emails used for classical phishing, placed on malicious websites copying a legitimate one, or even physically glued over legitimate QR codes, which makes them nearly impossible to detect before scanning.
Here are two real-life Quishing examples:
Source: Fake QR code on an electric charging station (JO de Paris 2024: Faut-il craindre les nouvelles arnaques aux faux QR codes pendant les Jeux ?)
The first example is a fake QR code glued on top of the legitimate QR code users are supposed to scan in order to charge their electric vehicle. Once scanned, the QR code brings the user to a phishing web page mimicking the legitimate charging operator's platform to gather sensitive information such as banking details.
Source: Quishing example by Proofpoint (https://www.proofpoint.com/au/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing)
The second example is a Quishing attack relying on a fake SharePoint email. As usual in phishing attacks, the sender address is not related to the claimed identity, and the content plays with the user's emotions by referring to the employee benefits plan. The attacker's objective is to make the user scan the QR code and land on a phishing web page that will gather the user's credentials.
QRLJacking
Thanks to their ease of use, QR codes are now used to log into some applications. This allows users to enter their credentials in a more convenient way, or to avoid entering any credentials at all if they are already logged in on their smartphone.
Attackers hijack this authentication method to gain access to the user's account using a QRLJacking attack (Quick Response code Login Jacking). First, the attacker initiates a client-side QR code login session to obtain a legitimate QR code and embeds this QR code in a phishing web page mimicking the legitimate login page. Then, the attacker tricks the user into scanning the QR code to log into their account. Because the login session was started by the attacker's browser, the attacker now has access to the account.
Source: QRLJacking by OWASP (https://owasp.org/www-community/attacks/Qrljacking)
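The following script is an added example, not code from the article or from OWASP. It is a toy model of a QR code login server that shows why the QRLJacking flow above succeeds and how two mitigations in the spirit of those OWASP lists (the phone app showing the user where the login request comes from before confirming, and the server refusing to bind the session when the phone and the browser are on different networks) stop it. The server API, the /24 network heuristic, the 60-second token lifetime and the IP addresses are all assumptions constructed for the example.

```python
"""Toy QR code login server (added example; assumptions: API shape, /24 network
check, 60 s token lifetime, constructed IPs from documentation ranges)."""
import secrets
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 60  # constructed: a short lifetime limits how long a relayed QR stays usable


@dataclass
class PendingLogin:
    browser_ip: str          # origin of the browser that requested the QR code
    created: float           # creation time (seconds)
    user: Optional[str] = None


def same_network(ip_a: str, ip_b: str) -> bool:
    """Constructed heuristic: both addresses in the same IPv4 /24."""
    return ip_network(ip_a + "/24", strict=False) == ip_network(ip_b + "/24", strict=False)


class QrLoginServer:
    def __init__(self, require_same_network: bool = True):
        self.require_same_network = require_same_network
        self.pending: Dict[str, PendingLogin] = {}

    def start_session(self, browser_ip: str, now: float) -> str:
        """A browser asks for a login QR; the returned token is what the QR encodes."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = PendingLogin(browser_ip, now)
        return token

    def describe(self, token: str, now: float) -> Optional[dict]:
        """What the phone app should show before the user confirms: the requester's origin."""
        p = self.pending.get(token)
        if p is None or now - p.created > TOKEN_TTL_SECONDS:
            return None
        return {"browser_ip": p.browser_ip, "age_seconds": now - p.created}

    def approve(self, token: str, user: str, phone_ip: str, now: float, user_confirmed: bool) -> str:
        """The phone app submits the scanned token after the user saw describe()."""
        p = self.pending.get(token)
        if p is None or now - p.created > TOKEN_TTL_SECONDS:
            return "expired"
        if not user_confirmed:
            return "declined"
        if self.require_same_network and not same_network(p.browser_ip, phone_ip):
            return "network-mismatch"
        p.user = user
        return "approved"

    def claim(self, token: str, browser_ip: str) -> Optional[str]:
        """The requesting browser polls; it gets the logged-in user once approved."""
        p = self.pending.get(token)
        if p is None or p.user is None or p.browser_ip != browser_ip:
            return None
        del self.pending[token]  # one-shot token
        return p.user


def qrljacking_scenario(require_same_network: bool) -> Optional[str]:
    """The attacker's browser starts the session and relays the QR through a phishing page;
    the victim's phone, on another network, scans it and confirms.
    Returns the account the attacker's browser ends up logged into (None = blocked)."""
    server = QrLoginServer(require_same_network)
    attacker_ip, victim_phone_ip = "203.0.113.9", "198.51.100.7"  # constructed, documentation ranges
    t0 = 1_700_000_000.0
    token = server.start_session(attacker_ip, t0)
    server.approve(token, "victim@corp.example", victim_phone_ip, t0 + 5, user_confirmed=True)
    return server.claim(token, attacker_ip)


if __name__ == "__main__":
    print("without network check:", qrljacking_scenario(False))  # victim@corp.example
    print("with network check:   ", qrljacking_scenario(True))   # None
```

The network check is coarse (mobile data and office Wi-Fi legitimately differ), which is why the `describe()` step matters: the decisive control is that the user sees an unexpected origin on the phone and declines, and the short lifetime bounds how long a harvested QR code remains valid.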
How to protect yourself from QR code phishing as a user?
As a user, here are the main pieces of advice to protect yourself against Quishing:
Verify the source of the QR code: If you received a QR code by email, verify all the details just as for any phishing check.
- Is it normal to receive such an email from the claimed identity?
- Is the sending email address correctly spelled and does it match the claimed identity?
- Is the email playing with my emotions to trigger a quick reaction?
Verify the URL before clicking: Carefully read the URL displayed by the QR code scanner before clicking on it, to verify that the displayed URL matches the domains of the QR code's supposed provider. If the URL is a shortened one, be extra wary.
Verify the URL after clicking: Check that the final URL (after URL shorteners or redirections) still matches the supposed QR code provider's domains.
Use a password manager: Password managers store your credentials securely and check the domain before allowing you to input your credentials.
Check the physical QR codes: Verify the placement and alignment of the QR code.
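The two URL checks above ("Verify the URL before clicking" and "Verify the URL after clicking") can be expressed as a small script. The following is an added example, not code from the article: it takes the URL a QR scanner displays, checks its host against the expected provider's domains on a label boundary (so a lookalike such as `charge-operator.example.evil.test` is rejected), flags URL shorteners, and follows a redirect chain to the final destination. The provider domains, the shortener list and the redirect chain are constructed assumptions; the chain is an in-memory mapping so the script runs offline, whereas in practice the final URL is the one your browser actually lands on.

```python
"""Check a URL decoded from a QR code (added example; all domains constructed)."""
from urllib.parse import urlsplit

# Constructed: domains the QR code's supposed provider legitimately uses.
EXPECTED_DOMAINS = {"charge-operator.example", "login.charge-operator.example"}

# Constructed list of URL-shortener hosts (assumption, not from the article).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed: simulated HTTP redirects (source URL -> Location header target).
REDIRECTS = {
    "https://bit.ly/ev-charge": "https://charge-operator.example.evil.test/login",
    "https://charge-operator.example/start": "https://login.charge-operator.example/",
}


def hostname(url: str) -> str:
    """Lowercase host of a URL, or '' if it has none. urlsplit drops userinfo and port,
    so 'https://login.charge-operator.example@evil.test/' yields 'evil.test'."""
    return (urlsplit(url).hostname or "").lower()


def matches_expected(url: str, expected=EXPECTED_DOMAINS) -> bool:
    """True only if the host is an expected domain or a subdomain of one.
    Matching on the dotted label boundary rejects 'charge-operator.example.evil.test'."""
    host = hostname(url)
    return any(host == d or host.endswith("." + d) for d in expected)


def is_shortened(url: str) -> bool:
    """Shortened links hide the real destination, so they get extra scrutiny."""
    return hostname(url) in SHORTENER_HOSTS


def follow_redirects(url: str, redirects=REDIRECTS, max_hops: int = 10) -> list:
    """Chain of URLs visited, starting with url, until no redirect applies."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def assess(url: str) -> dict:
    """Apply the 'before clicking' and 'after clicking' checks to one scanned URL."""
    chain = follow_redirects(url)
    final = chain[-1]
    return {
        "shortened": is_shortened(url),
        "before_click_ok": matches_expected(url) and not is_shortened(url),
        "final_url": final,
        "after_click_ok": matches_expected(final),
        "hops": len(chain) - 1,
    }


if __name__ == "__main__":
    for scanned in (
        "https://bit.ly/ev-charge",                               # shortener hiding a lookalike
        "https://charge-operator.example/start",                  # legitimate, redirects to login
        "https://login.charge-operator.example@evil.test/",       # userinfo trick, real host is evil.test
    ):
        print(scanned, "->", assess(scanned))
```

The userinfo case is the one a human reader most easily misses: the string before `@` looks like the provider, but the browser connects to whatever follows it, so the check must parse the URL rather than search it for the expected name.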
How to protect your organization from QR code phishing?
Here are the main pieces of advice to protect your organization from Quishing:
Educate your staff: Train your employees to recognize all the forms of phishing (including Quishing) and to react accordingly thanks to security awareness sessions and materials. Thales offers comprehensive training programs to help your employees recognize various forms of phishing, including the newer threat of Quishing. Through security and awareness sessions and educational materials, Thales ensures that your staff is well-equipped to identify and respond to these threats effectively.
Implement Multi-Factor Authentication (MFA): Enable MFA (with a method that does not rely on QR codes) on the systems you want to protect. Thales provides robust MFA solutions that enhance the security of your systems. By enabling MFA with methods that do not rely on QR codes, Thales helps protect your critical systems from unauthorized access, ensuring that only verified users can gain entry.
Use a password manager: Provide a password manager solution to your staff. This not only enhances security but also reduces the risk of password-related breaches, ensuring that your organization’s sensitive information remains protected.