Cloud email security company Abnormal identified and blocked nearly 200 emails sent to their customers between 15th September and 13th October 2021. These emails were all part of a phishing campaign that used malicious QR codes to steal Microsoft 365 credentials.
By using the QR codes, scammers were able to circumvent the URL scan feature for attachments in traditional email gateways. Furthermore, as all QR code images were created on the same day they were sent out, they were not previously reported and could therefore easily slip past the security blacklist.
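A gateway can close the gap described above by decoding QR codes found in image parts and vetting each payload the way it would vet a link in the body. The Python below is an added example, not code from Abnormal or the original article: `decode_qr` is an assumed wrapper around whatever QR library the gateway has, and the allowlist and sample message are constructed.

```python
import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumption: the only host this organisation accepts for Microsoft 365 sign-in.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}

def url_findings(url):
    """Return the reasons a QR-decoded payload should be held for review."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["not-a-web-url"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not-a-web-url"]
    reasons = [] if parts.scheme == "https" else ["no-tls"]
    if parts.username is not None:
        reasons.append("userinfo-in-url")  # text before '@' is not the host
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    if host not in TRUSTED_LOGIN_HOSTS:
        reasons.append("host-not-allowlisted")
    return reasons

def scan_message(raw, decode_qr):
    """decode_qr(bytes) -> list[str] is an assumed wrapper over a QR library."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_maintype() != "image":
            continue  # text parts are already covered by normal URL scanning
        name = part.get_filename() or "unnamed"
        for payload in decode_qr(part.get_payload(decode=True)):
            reasons = url_findings(payload)
            if reasons:
                findings.append((name, payload, reasons))
    return findings

def build_sample(payload):
    """Constructed message; the 'image' bytes carry the payload text directly."""
    m = EmailMessage()
    m.set_content("You have a new voicemail. Scan the code to listen.")
    m.add_attachment(payload.encode(), maintype="image", subtype="png",
                     filename="qr.png", disposition="inline")
    return m.as_bytes()
```

Because the sample carries the payload as plain bytes, `scan_message(build_sample(url), lambda b: [b.decode()])` exercises the whole path without an imaging library; in a real gateway the second argument is the QR decoder.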
How Were the Scammers Distributing Malicious QR Codes?
Initially, fraudsters weren't using QR codes in their phishing emails but would instead hide a URL link behind an image of a .WAV audio file.
This, however, was soon picked up and identified as a threat by security services so the scammers had to change tactics.
For their second attempt they turned to QR codes, replacing the .WAV file with a malicious QR code placed inline in the email body.
While scams involving QR code images that hide malicious links to phishing websites are a pretty common phishing tactic, what's different and novel about these is that this is the first time that actual QR codes were used and embedded in phishing emails.
Abnormal Security Director of Threat Intelligence Crane Hassold said:
We've seen actors use fake QR codes in the past - QR code images that are in reality hyperlinks to a phishing site - and we've seen actors use QR codes out in the real world to try and get people to go to a malicious website, but this is the first time we've seen an actor embed a functional QR code into an email.
The question, however, is since a QR code cannot be opened like an attachment or clicked like a URL link, how were the threat actors intending to get victims to fall prey to their scheme?
One way would be:
- The user receives an email on their desktop system with a quick response code in it and opens it
- They then scan the QR code using the camera in their mobile phones
- The QR code then sends them to a phishing page similar to a Microsoft login page
- Finally, they enter their login details into the phishing page
Better Business Bureau Warns Users About Malicious QR Codes
The Better Business Bureau (BBB) sent an alert in July this year about scams using quick response codes designed to send people to phishing pages where scammers can steal their sensitive information.
According to the BBB, the QR codes make the emails appear more legitimate, and users are therefore more likely to act on them.
For instance, one user reported that they got a fraudulent letter about student loan consolidation that contained a QR code that linked to a phishing page similar to the Studentaid.gov website.
How to Protect Yourself From QR Code Scams?
QR code scams, also known as "Quishing", are a good indication of how phishing operators are constantly evolving.
These allow scammers to avoid the typical security platforms as they can disguise malicious links as QR images, while at the same time appearing more legitimate.
The scheme also abuses the fact that it's very easy to scan a QR code using the camera on your mobile device as all you need to do is point the camera at the QR code and poof! you're sent to a phishing website designed to steal your personal information.
How to avoid a QR scam?
There are several things you can do to avoid a scam like this:
- Has someone you know sent the QR code? If so, first confirm it with them directly before you scan the QR code
- Was the code sent by someone you don't know (a stranger)? Don't open unsolicited emails from strangers no matter what they promise you
- Does the code look like it comes from a reputable and legitimate source (a government agency for instance)? Carefully examine the email address it came from. Does it look different from the real address used by the organization? If so, don't scan the code or do anything with the message and instead let them know
- Use QR scanners that offer extra security features. For instance, you can use NeoReader, which can help you detect malicious attachments and URLs hidden as QR codes.