Jeremy Fuchs is the Content Marketing Specialist for Harmony Email & Collaboration. Previously, he worked at Avanan, which was acquired by Check Point in 2021. In another life, he was a sportswriter, spending four years at Sports Illustrated.
Recently, we’ve seen a lot of news about Quishing — or QR Code phishing. This is when the link behind a QR code is malicious, but the QR code itself is not. There was a report of a major U.S. energy firm targeted by a QR phishing code. Other reports have noticed an uptick in these types of attacks.
In fact, Harmony Email researchers have found that nearly all of our customers have been targeted with a QR code-based attack. That coincides with a 587% increase in QR code attacks from August to September.
Why are these trending upward? They seem innocuous enough, just those friendly QR codes that we use to scan menus.
But they are a great way to hide malicious intent. The image can hide a malicious link and if the original image isn’t scanned and parsed, it’ll appear as just a regular image.
And because end-users are accustomed to scanning QR codes, getting one in an email isn’t necessarily a cause for concern.
Below is an example of a typical QR-code phishing attack. In these types of attacks, hackers create a QR code that goes to a credential harvesting page. The “lure” is that the Microsoft MFA is expiring, and you need to re-authenticate.
Though the body says it comes from Microsoft security, the sender’s address comes from a domain that has nothing to do with Microsoft.
Once the user scans the QR code, they will be redirected to a page that looks like Microsoft’s, but is in fact just a credential harvesting page.
Techniques
Hackers have been using scanned documents in order to hide text for a long time. Historically, a typical attack would work like this: There would be an image with the text and that would bypass some language analysis tools.
To combat that, you needed Optical Character Recognition or OCR. OCR converted images to text to understand them.
Hackers then found another thing to get around that, which was a QR code.
In order to combat these attacks, it’s a little trickier. You need to add the OCR into a capability to detect QR codes, translate them to the URL that hides behind the code and run that through URL analysis tools.
For us, we’ve been protecting against QR code exploits for a number of years and have deployed these protections within just a few days. It’s an example of how we, at Check Point, think philosophically. It’s all about having different tools in order to respond to changes in the attack landscape on a dime. We don’t always know what direction hackers will go in next. But we do have the foundational tools to combat them, from being inline, to wrapping URLs, emulation tools, opening encryption and more.
When an attack vector gains steam, like QR codes, we can look at our deep repository of tools and capabilities to build a solution in no time at all.
For QR codes, we use our QR code analyzer in our OCR engine. It identifies the code, retrieves the URL and then tests it against our other engines. In fact, the existence of a QR code in the email message body is an indicator of an attack. Once OCR converts the image to text, our NLP is then able to identify suspicious language and flag it as phishing.
QR code phishing is the latest trend taking the cyber security world by storm. And it’s only increasing, requiring diligence from end-users and new solutions from vendors.
Want to learn more about QR codes and phishing? Join us for our webinar on November 8th!
RSVP here.
Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.