Hackers infiltrating QR codes, commonly known as “quishing,” is on the rise. So much so that some cybersecurity experts are calling it the new phishing.

A QR code is a type of barcode that can be read by a mobile device. According to security provider Kaspersky, QR or “quick response” codes are capable of storing lots of data, but not personal identifiable information. No matter how much information they contain, when scanned, the QR code should allow the user to access that data instantly.

Quishing occurs when a hacker embeds a malicious URL into a QR code that directs to a phishing site where users can unwittingly divulge personal or financial information. Hence, the “new phishing” moniker.

In new research by Perception Point, an email, web browser, and cloud apps security company, quishing showed a 427% increase from August to September, 2023. In addition, Perception’s figures found that malicious QR codes comprised nearly 2% of all QR codes scanned. By September, 2023 that number had jumped to 9.5%, Perception said. Moreover, the percentage of quishing attacks out of all malicious incidents climbed from 0.4% in August to 8.8% in September.

Quishing is Serious

You know quishing is more than a passing trend to consumers and businesses when the Federal Trade Commission (FTC) issues a blog warning about it. And when hackers pry into unfixed Microsoft services vulnerabilities, it’s even more concerning.

In late December, Perception’s security researchers uncovered a new QR code phishing campaign, targeting hundreds of organizations worldwide, that exploits open redirect vulnerabilities within Microsoft services.

The vulnerabilities occur when a web application or server is configured in a way that allows an attacker to redirect a user to an external, untrusted URL through a trusted domain.

Perception Point Discovers Quishing Redirect Vulnerability

In the case that Perception found, the attackers exploited an open redirect vulnerability in one of Microsoft’s cloud servers, using parameters in URL queries that are illegitimate or improperly sanitized.

“This oversight allowed them to craft URLs that appear to belong to Microsoft, yet redirect to a spoofed login site, thereby gaining a sense of legitimacy and dramatically increasing the effectiveness of their phishing attempts,” Perception said.

Perception’s incident response team notified Microsoft’s security team, sharing the findings about the open redirection vulnerability that the company subsequently mitigated.

As for the FTC’s bulletin, the agency said that a scammer’s QR code could “take you to a spoofed site that looks real but isn’t. And if you log into the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it.”

Protecting Your Clients from Quishing

According to the FTC, how can you protect yourself or your clients from a QR code attack?

  • If you see a QR code in an unexpected place, inspect the URL before you open it. If it looks like a URL you recognize, make sure it’s not spoofed.
  • Don’t scan a QR code in an email or text message you weren’t expecting, especially if it urges you to act immediately.
  • Protect your phone and accounts. Update your phone’s OS to protect against hackers and protect your online accounts with strong passwords and multi-factor authentication.

This article first appeared in MSSP Alert, written by D. Howard Kass on January 2, 2024.