Cybersecurity researchers are highlighting a new QR code phishing campaign, also known as “quishing,” which exploits Microsoft Sway’s infrastructure to host fraudulent pages. This case underscores the ongoing misuse of legitimate cloud services for malicious intent.

What is a QR Code?

A QR (Quick Response) code is an image that can hold up to 7,089 numbers or 4,296 characters. Originally, QR codes were used as simple tags for tracking physical objects. In the 1990s, the Japanese car industry started using them to keep tabs on vehicles and parts during manufacturing. As technology advanced, QR codes became more versatile, allowing them to send information directly to smartphones when scanned.

What is QR Code Phishing (Quishing)?

Today, many tools are effective at spotting and blocking harmful links that might lead to phishing sites or malware. However, most of these tools can’t yet detect malicious QR codes, which has led cybercriminals to increasingly use them in their schemes. QR code phishing, or “quishing,” operates similarly to other phishing methods. It’s a social engineering tactic aimed at tricking people into revealing personal information, such as login credentials or financial details. Just like other phishing attacks, its main goal is to deceive individuals into providing sensitive information, including Social Security numbers, bank login details, or email passwords.

“In a clever twist, attackers have now begun crafting QR codes using Unicode text characters instead of images,” SlashNext CTO J. Stephen Kowski said. “This new technique, which we’re calling ‘Unicode QR Code Phishing,’ presents a significant challenge to conventional security measures.” What makes the attack particularly dangerous is the fact that it entirely bypasses detections designed to scan for suspicious images, given they are composed entirely of text characters.
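Because a text-drawn QR code never passes through an image scanner, a mail filter has to look for it in the message text itself. The following is an added example, not code from SlashNext or from this article: a heuristic that flags runs of lines built only from Unicode block characters and spaces. The function names, thresholds and sample email body are assumptions made for illustration.

```python
# Added example: heuristic detector for QR codes drawn with text characters.
BLOCKS = {chr(c) for c in range(0x2580, 0x25A0)}   # Unicode "Block Elements"
FILL = BLOCKS | {" ", "\u00a0"}                    # spaces act as light modules
MIN_WIDTH = 21   # the smallest QR symbol (version 1) is 21x21 modules
MIN_ROWS = 10    # half-block drawing packs two module rows into one text line


def is_grid_row(line: str) -> bool:
    """True if a line is made only of block glyphs and spaces and is wide enough."""
    return (len(line) >= MIN_WIDTH
            and all(ch in FILL for ch in line)
            and any(ch in BLOCKS for ch in line))


def find_text_qr_blocks(text: str) -> list[tuple[int, int, int]]:
    """Return (first_line_number, rows, width) for each suspected text-drawn QR."""
    hits, start, widths = [], None, []
    for i, line in enumerate(text.splitlines() + [""]):  # "" flushes a final run
        if is_grid_row(line):
            if start is None:
                start, widths = i, []
            widths.append(len(line))
            continue
        # Run ended: keep it only if it is tall enough and its rows line up.
        if start is not None and len(widths) >= MIN_ROWS and max(widths) - min(widths) <= 2:
            hits.append((start + 1, len(widths), max(widths)))
        start = None
    return hits


def constructed_sample() -> str:
    """Constructed email body: an 11x21 block-glyph grid standing in for a QR code."""
    glyphs = "█▀▄ "
    grid = ["".join(glyphs[(r + c * c + r * c) % 4] for c in range(21)) for r in range(11)]
    return "\n".join(["Your mailbox password expires today.",
                      "Scan with your phone to re-authenticate:", *grid, "IT Service Desk"])


if __name__ == "__main__":
    for line_no, rows, width in find_text_qr_blocks(constructed_sample()):
        print(f"suspected text-drawn QR code at line {line_no}: {rows} rows x {width} columns")
```

A hit is a reason to quarantine the message or send it for review, not proof of phishing; the grid in the sample is not a decodable symbol, and QR codes drawn with other characters or with HTML table cells need their own checks.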

Significant QR code vulnerabilities

  • In China, scammers were caught placing fake parking tickets on parked cars, with QR codes offering convenient payment by cell phone.
  • In the Netherlands, fraudsters used a legitimate feature of a mobile banking app to scam bank customers with QR codes.
  • In Germany, fake emails containing QR codes lured eBanking customers to malicious websites under the pretext of reviewing privacy policy updates for their accounts.
  • In Texas, criminals pasted stickers with malicious QR codes to the city parking meters. This way, they tricked residents into entering credit card details into a fake phishing site.
  • Microsoft Sway: A cybersecurity firm said it observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages starting in July 2024, with the ultimate goal of stealing users’ Microsoft 365 credentials. This is achieved by serving bogus QR codes hosted on Sway that, when scanned, redirect users to phishing websites.

How Does the Quishing (QR Phishing) Attack Work?

  • Creating Malicious Content: Attackers use Microsoft Sway, a legitimate web-based presentation tool, to create and host phishing pages. Sway allows users to design and share content easily, which can be exploited to create convincing fake webpages that mimic real services.

  • Generating QR Codes: Once the malicious content is hosted on Sway, attackers generate QR codes that link to these phishing pages. Since Sway is a reputable service, the URLs generated might appear more trustworthy compared to other, less known domains.

  • Distributing QR Codes: The attackers distribute these QR codes through various methods such as emails, social media, or physical printouts. Victims who scan the QR codes are redirected to the fake Sway pages that are designed to steal their personal information.

  • Harvesting Data: When victims interact with the fake pages and enter their sensitive information, such as login credentials or financial details, the attackers capture and exploit this data.

Why Is This Method Effective?

  • Legitimacy of the Platform: Microsoft Sway is a well-known and trusted platform, so URLs from it are less likely to raise suspicion.
  • Ease of Use: Creating and publishing content on Sway is straightforward, making it accessible for attackers to set up phishing pages without needing deep technical expertise.
  • Deceptive Appearance: The phishing pages can be designed to closely mimic real websites, increasing the likelihood that users will fall for the scam.

QR Code Attacks Have Become a Significant Cybersecurity Concern.

  • The Fake Wi-Fi Network Scam: Cybercriminals place QR codes in public places, like cafes or airports, claiming to offer free Wi-Fi. Scanning the QR code connects users to a fake network, which can intercept sensitive information or redirect them to phishing sites.
  • Malicious Payment QR Codes: Attackers create QR codes that look like legitimate payment requests. When scanned, these codes redirect users to fake payment pages or apps that steal financial information or install malware.
  • Phishing for Personal Data: Fraudulent QR codes can direct users to fake login pages that mimic well-known services. The aim is to trick users into entering their credentials, which are then harvested by attackers.
  • Malware Distribution: QR codes can link to download sites for malicious software. When users scan the code and download the app or file, they inadvertently install malware that can compromise their devices and personal information.
  • Ransomware Attacks: Some QR codes are designed to lead to ransomware download sites. Once downloaded and executed, the ransomware encrypts the victim’s files and demands payment for the decryption key.
  • Credential Harvesting: Attackers use QR codes to direct victims to fake authentication pages for popular services. These pages collect login credentials, which can then be used to gain unauthorized access to accounts.
  • Social Engineering Scams: QR codes are sometimes used in social engineering scams where the code leads to a page that pretends to be an urgent message from a trusted entity, convincing victims to provide personal information or download harmful files.

How to Defend Against This Type of Attack?

  • Verify the Source: Be cautious of QR codes from unknown or untrusted sources. If you receive a QR code unexpectedly, verify its authenticity before scanning.

  • Inspect URLs Carefully: When redirected by a QR code, scrutinize the URL before entering any information. QR scanners will often provide a preview of the link the code is pointing to. You should only visit trusted web pages with URLs you recognize. Alternatively, you can use your managed device to manually type in the desired destination URL instead of using the QR code as a navigation method.
  • Use Trusted Apps: Some security apps can scan QR codes and check URLs for safety before you open them. These apps can help identify potential threats.
  • Enable Security Features: Use web browsers or security tools that provide real-time phishing protection and block known malicious sites. Some security solutions also offer QR code scanning capabilities to check for potential threats.

  • Educate Yourself and Others: Awareness is crucial. Understanding the risks associated with QR codes and phishing can help you recognize and avoid these threats.

  • Be Cautious with QR Codes: Always be cautious when scanning QR codes, especially those received via unsolicited or suspicious channels. Verify the source and ensure you trust the origin of the QR code.
  • Report Suspicious Activity: If you encounter a QR code or a site that seems suspicious, report it to the relevant platform or service provider. For example, Microsoft has mechanisms to report misuse of their services.
  • Malicious QR codes may have poor image quality or look blurry when embedded in an email. This could be an initial sign that the QR code is not legitimate. 
  • Never give out personal information unless you’ve confirmed the legitimacy of a QR code with the organization in question. 

By Ahmed Azeem
Res Opera DigiSolutions

I write about how to make your Internet browsing comfortable, Data Secure, and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
