A new wave of phishing attacks is leveraging the widespread use of QR codes to deceive victims and steal their credentials. Unit 42 researchers have observed that attackers are increasingly embedding phishing URLs into QR codes, a technique known as “QR code phishing” or “quishing.” This method entices users to scan the codes with their smartphones, which can lead them to open phishing sites unknowingly.
Traditional phishing attacks often rely on obvious links or buttons within emails or documents. However, attackers are constantly evolving their strategies. The use of QR codes to deliver phishing URLs represents a significant shift. By embedding malicious URLs in QR codes, attackers make it more difficult for traditional scanning engines to extract the actual URL from phishing documents.
A QR code is a machine-readable image that can store various types of information, including URLs. Users can easily scan these codes with their smartphones’ camera applications. The camera app then typically assists in opening the URL in a browser. In a phishing context, this seemingly convenient process becomes a threat.
Attackers are crafting phishing documents that instruct potential victims to scan QR codes, which increases the likelihood of users accessing phishing URLs on their personal devices.
Personal devices often have weaker security controls compared to corporate devices. As the report highlights, “accessing the URL on a personal device could bypass corporate security measures like email gateways and web filters.” This makes quishing a particularly effective technique for attackers seeking to evade detection.

The Unit 42 report details several sophisticated techniques employed in these QR code phishing campaigns. These include:
- Phishing URL Redirection: Attackers often avoid using direct phishing URLs. Instead, they use URL redirection mechanisms or exploit open redirects on legitimate websites to mask the true destination.
- Human Verification: Attackers are incorporating human verification mechanisms, such as Cloudflare Turnstile, to evade security crawlers and make their redirects more convincing.
- Credential Harvesting: The final stage involves attackers collecting credentials on fake login pages that mimic legitimate service providers. In some cases, these fake login pages even pre-populate the user’s account or email address to appear more legitimate.
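
The redirection technique in the list above leaves a trace a defender can check for: a URL on one host carrying another host's URL inside a query parameter. The following is an added example, not code from the Unit 42 report; it assumes the QR code has already been decoded to a URL string by an upstream scanner, and the function names, `MAX_DEPTH` and the sample URLs are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DEPTH = 4  # assumption: stop unwrapping after a few nested layers

# Constructed sample URLs (reserved .example names), as decoded from QR codes.
SAMPLES = [
    "https://a.example/r?u=https%3A%2F%2Fb.example%2Fgo%3Fnext%3Dhttps%253A%252F%252Fc.example%252Flogin",
    "https://shop.example/login?return=https%3A%2F%2Fshop.example%2Fcart",
    "https://portal.example/out?to=//files.example/x",
]


def _as_url(value):
    """Return the parsed absolute URL if value looks like one, else None."""
    for _ in range(2):  # undo up to two extra layers of percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if value.startswith("//"):  # scheme-relative form, e.g. //host/path
        value = "https:" + value
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts
    return None


def embedded_targets(url, depth=0):
    """Yield (outer_host, param, target_host) for each URL nested in a query parameter."""
    parts = urlsplit(url)
    if depth >= MAX_DEPTH or not parts.hostname:
        return
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        inner = _as_url(value)
        if inner is None:
            continue
        yield parts.hostname.lower(), name, inner.hostname.lower()
        yield from embedded_targets(inner.geturl(), depth + 1)  # follow chained hops


def triage(url):
    """Return the cross-host hops hidden in url's parameters (empty list: none found)."""
    return [hop for hop in embedded_targets(url) if hop[0] != hop[2]]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage(sample))
```

A non-empty result is a reason to resolve and inspect the final destination before delivery, not a verdict on its own, since legitimate sites also pass return URLs between their own hosts.
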
These QR code phishing attacks have been observed across various industries, including medical, automotive, education, energy, and finance, and are widespread in the U.S. and Europe.
The Unit 42 report emphasizes that phishing attacks and social engineering tactics remain significant threats and continue to evolve. The emergence of quishing demonstrates the adaptability of attackers in leveraging new technologies to exploit user behavior and security vulnerabilities.