New techniques help malicious QR codes evade detection


Threat researchers at Barracuda have uncovered two new techniques being used by cyber attackers to help malicious QR codes evade detection in ‘quishing’ attacks.
Quishing is a form of phishing that involves the use of QR codes embedded with malicious links that, when scanned, redirect victims to fake websites designed to steal their credentials or other sensitive information.
Analysts have found the techniques in attacks by leading phishing-as-a-service (PhaaS) kits Tycoon and Gabagool.
The Gabagool attackers were implementing split QR codes in a fake Microsoft ‘password reset’ scam. This technique involves splitting the QR code into two separate images and embedding them close together in an email. To the human eye, it looks like a single QR code. However, when traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code. If the recipient scans the image, they are directed to a phishing website designed to steal credentials.
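The following added example (not from Barracuda or the original article) shows why an image-by-image scan misses a split code and how compositing neighbouring images before scanning recovers it. It assumes each email image has already been reduced to a grid of dark/light modules and that the halves align on module boundaries; all function names are hypothetical and the sample grid is constructed, not a valid QR payload.

```python
# Added example: constructed module grids stand in for decoded email images.
FINDER = [[1 if (r in (0, 6) or c in (0, 6) or (2 <= r <= 4 and 2 <= c <= 4)) else 0
           for c in range(7)] for r in range(7)]

def has_finder(grid, top, left):
    """True if a 7x7 QR finder pattern starts at (top, left)."""
    if top < 0 or left < 0 or top + 7 > len(grid) or left + 7 > len(grid[0]):
        return False
    return all(grid[top + r][left:left + 7] == FINDER[r] for r in range(7))

def looks_like_qr(grid):
    """A complete symbol is square with finders in three corners."""
    h, w = len(grid), len(grid[0])
    return (h == w and has_finder(grid, 0, 0) and has_finder(grid, 0, w - 7)
            and has_finder(grid, h - 7, 0))

def stitch(a, b):
    """Yield candidate composites of two images rendered next to each other."""
    if len(a) == len(b):                      # same height: side by side
        yield [ra + rb for ra, rb in zip(a, b)]
    if len(a[0]) == len(b[0]):                # same width: stacked
        yield a + b

def scan_email_images(images):
    """Return (hits scanning images one by one, hits after stitching neighbours)."""
    single = [i for i, g in enumerate(images) if looks_like_qr(g)]
    stitched = [(i, i + 1) for i in range(len(images) - 1)
                if any(looks_like_qr(c) for c in stitch(images[i], images[i + 1]))]
    return single, stitched

def sample_symbol(n=21):
    """Constructed 21x21 grid: three finders over checkerboard filler."""
    g = [[(r + c) % 2 for c in range(n)] for r in range(n)]
    for top, left in ((0, 0), (0, n - 7), (n - 7, 0)):
        for r in range(7):
            g[top + r][left:left + 7] = FINDER[r]
    return g

def split_columns(grid, col):
    """Cut a grid into left and right parts at the given column."""
    return [row[:col] for row in grid], [row[col:] for row in grid]

if __name__ == "__main__":
    left, right = split_columns(sample_symbol(), 10)
    print(scan_email_images([left, right]))   # per-image scan vs stitched scan
```

In a real mail pipeline the composite would come from rendering the HTML body and passing the rendered region to a full QR decoder, so that the recovered URL can be checked like any other link.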
The Tycoon PhaaS was using a nesting technique to wrap a malicious QR code around a legitimate QR code. The toxic outer QR code points to a malicious URL, while the inner QR code leads to Google. This technique is likely designed to make it harder for scanners to detect the threat because the results are ambiguous.
“Malicious QR codes are popular with attackers because they look legitimate and can bypass traditional security measures such as email filters and link scanners,” says Saravan Mohankumar, manager, threat analysis team at Barracuda. “Since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection. Attackers will keep trying new techniques to stay one step ahead of adapting security measures. It’s an area where integrated, AI-powered protection can really make a difference.”
To defend against these threats, businesses should consider supplementing their security with mail protection that integrates multimodal AI capability to detect rapidly evolving threats.
You can read more on the Barracuda blog.
Image credit: Sepy67/Dreamstime.com