What if a QR (Quick Response) code was shown on a TV advertising spot, and the company behind that commercial had malicious intent? For example, the QR code displayed during the AD opened your phone's browser and automatically downloaded and installed a piece of ransomware. Given the number of people who watch the televised events, the outcome of that attack could have been disastrous. That is Quishing, fooling a person (or several people) into thinking something is harmless (or necessary), but the actual intent is far from innocent. The goal is to access your information, steal your bank account credentials, and more.[1]
A QR Code is a two-dimensional version of the Barcode able to convey a wide variety of information almost instantly with the scan of a mobile device. QR codes are everywhere: in restaurants, mass transportation, commercials, signs, walls, bathrooms, advertisements, and even companies ship their products with QR codes so consumers can access manuals on their phones.
Businesses and consumers have accepted the QR code and trust them. How harmful can a simple QR code be? The answer to that question is that they can be very dangerous. Cybercriminals are counting on the idea that most consumers always assume QR codes are harmless. Those same criminals also understand that their easiest targets are those on mobile phones because most desktop operating systems include phishing protection. Mobile phones are more vulnerable to those attacks.
Currently, most quishing attacks involve criminals sending a QR code via email. Those emails often act as a call out for users to verify accounts and that the user in question must work within a specific time frame, or their account will be locked or closed. The idea is that a user would see the QR code in their desktop email and scan the code with their phone. Once scanned, the QR code would wreak havoc on the device.
That is not the only way cyber threat actors could use a QR code to dupe people into falling for their scam. QR code use has become universal. What could stop a cybercriminal from plastering QR codes everywhere, knowing some innocent bystander would scan the code to unleash whatever attack was planned? Consider the offers: Free mobile phones, meal coupons, or concert tickets.
The most straightforward defense is not to scan QR codes, especially those from unknown sources. If you receive an email with a QR code, the first thing you should do is verify the sender's validity. For example, if you receive an email with a QR code that purports to be from Company X, but you look at the sender's email and it's from Gmail or some random (unknown) domain, chances are pretty good that it is a quishing attack.
The best advice is that any QR code in an email should never be scanned. Legitimate companies will always send instructions on doing whatever it is you need to do. Most companies are certainly not going to send a QR code so you can verify your account. As for the random QR codes you encounter in the world? Just don't. If you allow your curiosity to get the best of you, you might not enjoy the consequences. Just like SMS messages from unknown sources, those QR codes could be hiding dangerous intent. Unless you are 100% certain of the source of a QR code, never scan it with your phone.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.zdnet.com/article/quishing-is-the-new-phishing-what-you-need-to-know/
Comments