In addition to classic email phishing and SMS phishing on mobile devices, the misuse of QR codes, which are used to lure users to obscure sites, is also spreading. If QR codes come to the victim via e-mails, it is called quishing. This is an increasing problem, as I have noticed. Here is some information about a situation that a reader brought to my attention this week.
A "suspicious" spam mail
Tobias contacted me this week on Twitter about a strange spam mail he received. The spam mail contained a QR code and the request to take a picture of this QR code via smartphone camera. This scans the QR code and displays the link it contains.
The text says that a document is to be downloaded via the link displayed after scanning the QR code. The message gives instructions on how to download and access the document. The fact that dangerous links can be hidden behind QR codes should be known to some web users by now. Since a "download of a document" was announced in the spam mail, the red warning lights should actually go on for every recipient.
The strategy of the spammers is simple. The QR code allows links to be hidden and the senders hope to slip through the spam detection filters. Antivirus software doesn't detect the malicious links within the QR code.
How does it look in the current case? Tobias wrote that the link leads to the website of Luger, a Spanish specialist for sea containers, and he suspects that this website has been hacked.
I briefly checked the website on VirusTotal; at least the domain should be clean. I cannot judge how it looks with deep links, because I do not have the phishing email with the complete QR code.
Tobias did not immediately follow up on the case, but only posted the whole thing on Twitter. A Twitter user then wrote in response that they had been seeing this type of email for a while. What is being attempted here is not an attack on the smartphone, but the tapping of logins, i.e. phishing.
In a follow-up message, Tobias wrote to me that he had carried out a test after the discussion on Twitter. In the specific case, an "Office 365" screen was briefly opened there via popup. He suspects that the credentials for Office 365 accounts are grabbed on this site.
I find it strange, because I would have expected a document signed with DocuSign for download based on the screenshot. In my opinion, such spam mails with QR codes can be both:
- A phishing attempt, where the QR code leads to a phishing page, where credentials are then to be grabbed.
- An attempt to lure the user to a malicious website via the QR code, where malware is then offered in the form of a document or app download.
Another user then went on to reply that their organization receives such emails "in the style of a Microsoft MFA registration" and writes that quishing is a growing problem. He then linked to the Malwarebytes blog, where a post explains the term quishing. Quishing is phishing with QR (quick response) codes.
This brings me to a question for the readership: how do you deal with this issue? Do security solutions now include filters that read QR codes and thus detect malicious URLs? QR codes are increasingly appearing in invoices and other documents, and there is a risk that users will be lured to malicious sites via a URL.
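To make the filter idea concrete, here is a sketch of how a mail gateway could surface URLs that exist only inside QR images and are therefore invisible to a text link filter. This is an added example, not part of the original post or of any product; `quishing_findings`, the `decode_qr` hook (assumed to wrap a real QR decoding library), the sample message and the `.example` domains are all hypothetical and constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def quishing_findings(raw_email, decode_qr):
    """Return URLs found only inside QR images, i.e. unseen by text link filters.

    decode_qr(image_bytes) -> list of decoded strings (assumed QR library wrapper).
    """
    msg = message_from_bytes(raw_email, policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower()
    visible, in_images = set(), set()
    for part in msg.walk():
        kind = part.get_content_maintype()
        if kind == "text":  # what a classic link scanner already inspects
            visible.update(URL_RE.findall(part.get_content()))
        elif kind == "image":  # inline or attached picture
            for payload in decode_qr(part.get_payload(decode=True)):
                in_images.update(URL_RE.findall(payload))
    findings = []
    for url in sorted(in_images - visible):
        host = (urlsplit(url).hostname or "").lower()
        related = host == sender or host.endswith("." + sender)
        findings.append({"url": url, "host": host, "sender_related": related})
    return findings

def build_sample():
    """Constructed message: the text asks for a scan, the link is only in the image."""
    msg = EmailMessage()
    msg["From"] = "Documents <noreply@sender.example>"
    msg["To"] = "user@recipient.example"
    msg["Subject"] = "Document shared with you"
    msg.set_content("Scan the QR code with your smartphone camera to download the document.")
    msg.add_attachment(b"constructed-image-bytes", maintype="image",
                       subtype="png", filename="qr.png")
    return msg.as_bytes()

def constructed_decoder(image_bytes):
    """Stand-in for a real QR decoder so the example runs offline."""
    known = {b"constructed-image-bytes": ["https://portal.other.example/doc?id=1"]}
    return known.get(image_bytes, [])

if __name__ == "__main__":
    for finding in quishing_findings(build_sample(), constructed_decoder):
        print(finding)
```

Every URL returned here should go through the same reputation and sandbox checks as a clickable link; the `sender_related` flag only marks whether the QR target belongs to the sender's own domain.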