Newsletter 10/29/2023

Well, You Know Phishing, and Smishing, and Vishing
But
Do You Know the Newest Hack of All?

I know the sound of the word, "Quishing," is reminiscent of the sound one's shoes might make after one has stepped into something unsavory.  And that analogy is more apt than it first appears.

Quishing is a new form of attack that has the same modus operandi as all the other types of attacks with which computer users are more familiar.  In a Quishing attack the victim is coaxed into some malicious cyber activity, not by clicking a rogue link, but by scanning a QR code.  The attack vector is within the QR code, which the unwitting victim is tricked into scanning.

A Quishing attack usually begins with a fraudulent email purporting that an error has occurred in some account or another, and that by scanning the QR code embedded in that email, the intended victim can fix the problem.  As reported by security vendor Cofense, beginning in May 2023, a "major US based energy company" fell victim to such an attack.

In the case noted above, the phishing email from which the Quishing attack originated purported to come from Microsoft.  The email said there was a problem with the user's Microsoft 365 account credentials.  The difference with this Quishing attack was that the victim was instructed not to click a link, but to scan the QR code embedded in the email.  The bogus emails came with an attachment that was either a PNG image file or a PDF file.

Most computer users today have enough security awareness to not click a link in an unsolicited email.  In a Quishing attack, however, the bogus link is embedded into the QR code contained in the attachment.

This is an alarming trend that is certainly on the rise.  Email security vendor Avanan reports that there has been a "587% increase in QR code attacks from August to September."  So the chance that one of these dangerous emails will show up in anybody's Inbox is also increasing.  Moreover, Cofense also reports that Quishing attacks have been delivered not just by email; the malicious QR codes have also been in texts, "or even printed and left in public places for an unsuspecting scan."

As novel as this technique may seem, on January 18, 2022, the FBI released "Alert Number I-011822-PSA," which discussed QR code attacks.  In blunt language, the Feds warned that "Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information."  The FBI Alert summed up the problem quite succinctly:

Businesses and individuals also use QR codes to facilitate payment. A business provides customers with a QR code directing them to a site where they can complete a payment transaction. However, a cybercriminal can replace the intended code with a tampered QR code and redirect the sender's payment for cybercriminal use.

The FBI also notes that the same cautions a security-aware consumer would exercise when handling emails now apply to QR codes.  Below are a few of the most salient tips the FBI suggests users follow when asked to scan a QR code.  Each will sound familiar to frequent readers of the Dispatches.

Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.

If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.

Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.

Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
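The first tip above, checking the scanned URL for a host name that is a typo or a misplaced letter away from the intended one, can be automated. The Python below is an added example, not part of the FBI alert or of the original newsletter; the allowlist uses reserved example.com names as constructed stand-ins for the sites a reader actually uses, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): hosts the reader really intends to visit.
TRUSTED_HOSTS = {"accounts.example.com", "pay.example.com"}

def typo_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute,
    or swap two adjacent letters (a 'misplaced letter' counts as one)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def check_scanned_url(url, trusted=TRUSTED_HOSTS, max_typos=2):
    """Classify the URL decoded from a QR code as trusted, lookalike or unknown."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "unknown", "URL could not be parsed"
    if parts.scheme != "https" or not host:
        return "unknown", "not an https URL with a host name"
    if host in trusted:
        return "trusted", host
    for good in sorted(trusted):
        edits = typo_distance(host, good)
        if edits <= max_typos:
            return "lookalike", f"{host} is {edits} edit(s) away from {good}"
    return "unknown", host

if __name__ == "__main__":
    # Constructed sample URLs, as a QR scanner might decode them.
    for sample in ("https://accounts.example.com/login",
                   "https://accounts.exmaple.com/login",
                   "https://pay.examp1e.com/invoice",
                   "https://shop.example.net/"):
        print(sample, "->", check_scanned_url(sample))
```

A "lookalike" verdict is the case the tip warns about; "unknown" only means the host is not on the allowlist, so the call-to-verify advice still applies.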

The collective history of cyberattacks is that increasing automation brings new means of implementing attacks.  The QR code attacks are really just a new way to implement old scams.  The rules of the road on the Information Superhighway remain the same.  Know where you are going before you try to get there.

¯\_(ツ)_/¯
Gerald Reiff