SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Rising trend in 'quishing' attacks targets QR code users
Mon, 13th Nov 2023

ReliaQuest has published a new blog post highlighting a rise in cyber attacks that target QR code users, a practice dubbed 'quishing'. An analysis of the company's customer incidents shows a 51% spike in this type of phishing during September 2023, contrasting sharply with the cumulative figures for the preceding months from January to August.

The report goes on to detail that these quishing incidents typically mimic the branding and personas of legitimate technology or banking organisations. The analysis found that, in the last 12 months, over half (56%) of these emails mirrored the appearance of requests to reset or enable Microsoft two-factor authentication (2FA). The targets are misled into entering their Microsoft credentials, leaving them vulnerable to a breach.

Online banking pages were also a prime choice for such threats, taking second position and featuring in 18% of all quishing attacks. The targets in these incidents are duped into submitting their banking details on sites that appear believable. Attackers also varied their delivery by luring victims to open QR codes embedded in PDF or JPEG files attached to the email rather than placed in its body, which made up 12% of these cases.

Unfortunately, these emails can easily bypass email filters designed to flag malicious messages, because such filters often rely on scanning clickable elements, and a QR code presents its link as an image rather than as a clickable element. This reduces the chances of such messages being flagged and makes this evolving threat a formidable challenge to counter.

While these attacks might sound obscure, QR code phishing has carved out a niche in the cyber crime landscape, ReliaQuest says. As the use of QR codes becomes ubiquitous, quishing cases have increased alongside it. Data supports this: references to quishing on major cybercriminal forums surpassed the total figure for 2022 even before the end of 2023.

According to ReliaQuest, the potential consequences of falling prey to a quishing attack range from serious financial losses resulting from the exfiltration of banking login credentials to malware deployment, operational disruption, and/or data loss. Given the increasing sophistication of such attacks and the threats they pose, more aggressive, proactive, and versatile defences need to be developed and deployed.

Tools like ReliaQuest's GreyMatter Phishing Analyzer (GMPA), a system that can deconstruct and analyse encoded URLs found in QR codes, offer a glimmer of hope. However, for a comprehensive approach against this rising menace, enterprises need a multi-pronged strategy that includes consistent education and training for staff, phishing simulation exercises, stringent email inbox rules and, above all, innovative ways to keep evasive threats like quishing at bay.
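The filter gap described above, sketched as an added example (not ReliaQuest's or GMPA's code): a triage pass over a raw email that shows a link scanner finding no clickable URLs, then queues image and PDF parts for QR decoding when the text carries a 2FA-style lure. The keyword list, carrier types, function name `triage` and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Assumed lure vocabulary, based on the 2FA-reset theme the article describes.
LURE = re.compile(r"\b(2fa|two-factor|mfa|authenticat\w*|scan|qr)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed carrier types: body images plus the PDF and JPEG attachments mentioned.
CARRIERS = {"image/jpeg", "image/png", "image/gif", "application/pdf"}

# Constructed sample message (not real traffic); the JPEG bytes are a stub.
SAMPLE = """\
From: it-support@example.com
To: user@example.org
Subject: Action required: 2FA reset
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Scan the attached QR code to re-enable two-factor authentication.</p>
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="qr.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1--
"""

def triage(raw):
    """Report what a link scanner sees and which parts need QR decoding."""
    msg = message_from_string(raw, policy=policy.default)
    text, urls, carriers = str(msg.get("Subject", "")), [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in CARRIERS:
            carriers.append((ctype, part.get_filename() or "(inline)"))
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            urls += URL.findall(body)
            text += " " + body
    lure = sorted({m.lower() for m in LURE.findall(text)})
    # Lure-themed mail: every image/PDF part goes to a QR decoder,
    # whether or not the body also carries ordinary links.
    return {"clickable_urls": urls, "lure_terms": lure,
            "decode_queue": carriers if lure else []}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each queued part would then be rendered and passed to a QR decoder so the embedded URL can be checked like any other link.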