QR codes have become a useful tool in the arsenal of bad actors looking to penetrate barriers to access because they’re easy to incorporate into attacks, difficult to detect and prevent, and good at fooling users into giving up credentials. Fortunately, there are effective steps cyber security pros can take to mitigate this growing attack vector.

A precipitous rise in 2023 in QR code phishing campaigns — also known as quishing — is being reported by many industry sources, including Perception PointCheck Point, and AT&T. It is a significant and growing trend, and although technically it’s little more than an embellishment to the standard phishing model, the technique has several features that merit attention.

Quishing works by encoding information, often a malicious link, in the ubiquitous QR code image format. The technical-looking codes often make it easier for employees to fall for the scam and harder for automated systems to detect.

Why is quishing on the rise?

As security platforms improve their ability to deal with phishing in general, bad actors are always looking for new ways to bypass defenses. Zero-trust policies and multifactor authentication reduce the effectiveness of phishing campaigns.

For the attacker, QR codes bring a number of benefits, including some appreciated by legitimate businesses: they are easy to create and easy to use. It is easy for attackers to use free resources to generate convincing QR code enabled phishing emails, attachments, and websites — a mechanism that can increase the effectiveness of their efforts with minimum effort.

QR codes look official and present a convenient and fast option for users easy, making them exceptional bait, and are also more difficult for automated systems to detect than other phishing techniques. Since a QR code is just an image that encodes information, it can be used to reduce the amount of malicious data in an email, thereby making it a less obvious target for spam filters.  

They’re easy to generate and more effective than URL phishing, says Olesia Klevchuk, director of email protection at Barracuda. “URL scanning and URL rewrite technologies are ineffective against QR code attacks because there is simply no link to scan. Because users have to scan QR codes with their phones, it basically moves these attacks to an entirely new device that is often outside of the company’s security.”

Defending against quishing

From the defender’s point of view, the danger of malicious QR codes exists both within the human element (they have an air of legitimacy and are by design very simple) and the machine element (they obfuscate the actual contents of an email or message, making it harder for systems to detect.)

Managing the problem requires several different approaches.

  • Education: Ensure users are aware of the quishing trend and emphasize that QR codes are not an indication of legitimacy.
  • Prevention: Automated systems that filter emails and URLs should be examined and hardened against QR codes. Existing use of QR codes by the enterprise should be examined to make it as hard as possible for attackers to hijack them.
  • Response: Detection and lockout mechanisms should be in place to protect against account compromise.
  • Validation: Incorporate QR code attacks red teaming tests and attack simulations.

Education and awareness

As technology-oriented professionals, we work towards a technology-oriented solution, but education and awareness play their part. We’ve gotten used to harping on the distrust of emails and confirming through a second channel anything significant. Quishing adds an important element: QR codes are not any kind of indication of legitimacy.

The most obvious step in protection — education of employees — is both essential and unreliable. QR codes are frustratingly innocuous and inviting. Security professionals need to get the message out that an email with a QR code is to be treated with the same level of suspicion as any other. It can’t hurt to remind employees not to reuse passwords and especially not between work and personal accounts.

Prevention of QR code phishing

Employee education must be accompanied by the hardening of technological defenses. It’s critical to ensure that scanning systems are configured to detect QR codes, unpack them as embeds or attachments, and look for malicious content. This is a front-line defense — QR codes that never make it to the inbox are not a threat.

QR codes can be embedded in a number of ways, mostly inline or attached to other documents such as Word files or PDFs. Attackers have been clever about using the smaller footprint of a QR code to fool scanning and security professionals need to verify with vendors that QR codes are a covered vector in their products.

Whitelisting/blacklisting of email sender domains is another good practice that can help with phishing in general and quishing in particular.

Cross-device and mobile security

QR codes often initiate cross-device interaction in which a user scans a code with their mobile device. In general, mobile devices may offer a less secure platform and the move can switch the user from one work network to another network. Getting users onto mobile devices has become a go-to tactic for attackers in recent years.

QR code attacks put an emphasis on security and policy around cross device interactions. This includes cross-domain security, wherein a user may be using a personal device to scan a company computer or vice versa.

There are a number of factors to consider that can impact resilience to quishing attacks, including “keeping tight controls around URL shortening and redirects happening from their domain,” says Mathew Woodyward, principal threat intelligence researcher at Okta. Companies should be “paying attention to what QR codes they put out into the wild and ask themselves, ‘How could someone abuse this link?’’ he says.

AI as a threat and a tool

You can be assured that attackers will use AI to generate convincing quishing emails. This is a case of fighting fire with fire. As Barracuda’s Klevchuk says, “The use of AI and image recognition technology is useful in detecting these attacks. AI-based detection will also look for other signals that can be a sign of a malicious presence, such as senders, image size, content, and placement in a to determine malicious intent.”

Machine learning detection is important because it is able to form a broader picture of a given artifact and make predictions about whether it’s malicious or not beyond what a person might be able to foresee. AI can form a general picture of an event and make determinations based on real-world learning.

Red teaming attack simulations and penetration testing

There’s no way to know how you are doing without testing. An organization should be running simulated attacks to explore the response of its employees, technology, and security team. Including QR codes in those simulations is an important step. This type of simulation can also help discover how well the organization responds to a breach, especially with regard to compromised account detection and lockout.

Woodward echoes this: “Cybersecurity should be deploying tight controls to prevent account takeovers after login,” says Woodward, “monitoring active credential stuffing attempts and stopping them at the identity-level using breached password detection.”

The role of multifactor authentication

Multifactor authentication can help mitigate the effects of a successful QR code attack by limiting the damage of compromised credentials. Interestingly, QR code phishing emails are often disguised as multifactor verification emails, a point to keep in mind when alerting employees and also when designing such legitimate verification notices.

The idea is a simple one. QR codes can be embedded in a variety of ways to encode scannable information, in the case of hackers, usually a phishing URL or a malware download. By automatically triggering the effect, QR codes can reduce the amount of thought a user puts into using them. QR codes offer a low-effort “improvement” for attackers, a kind of asymmetrical warfare.

Although many quishing campaigns have been targeted at consumers so far, we know from experience that it will spread to enterprise and government targets, something we are already seeing.

This article first appeared in CSO, written by Matthew Tyson on November 21, 2023.