Blogs - 3 Oct 2023

Quishing Attacks

AusCERT has recently observed a surge in incidents of “quishing” and aims to proactively inform its members regarding this emerging threat.

Quishing, also known as QR code phishing, is a type of cyber attack that involves tricking someone into scanning a QR code with a mobile device.

These QR codes are designed to mislead users by appearing legitimate, often resembling QR codes found on product packaging, promotional materials, or even in public spaces.

Upon scanning, the malicious QR code has the potential to redirect users to fraudulent websites, thereby exposing them to risks such as identity theft, financial fraud, or the installation of malware on their devices.

The distribution of malicious QR codes can take place through various channels including email, social media, or even physical flyers.

During the previous week, AusCERT analysed email samples submitted by its member organisations. Recipients were prompted to scan a QR code, and the majority of these emails falsely claimed to come from a manager within the recipient's organisation. The QR code embedded in each email encoded a URL leading to a deceptive website impersonating a reputable brand or organisation such as Microsoft, which then prompted the recipient to enter their credentials.

To avoid falling victim to QR code phishing, here are some recommended precautions:

  1. Be cautious of the source: Only scan QR codes from trusted and reputable sources. Avoid scanning codes from unknown or suspicious sources, especially if received through unsolicited messages or emails.
  2. Preview the URL behind the QR code: To reduce risk, use a QR scanning tool that previews the URL encoded in the QR code before opening it. Options include:
    • The built-in iPhone camera app, which previews the domain encoded in the QR code.
    • A free online QR code scanner that reads the content of a QR code without opening it (note: check the tool's privacy policy first). DNS Checker (https://dnschecker.org/qr-code-scanner.php) is one such free tool.
  3. Use a QR code scanner with built-in security features: Opt for a reliable QR code scanner app that includes security features such as URL scanning or warnings for potentially harmful websites (for example, QR Scanner-Safe QR Code Reader: https://play.google.com/store/apps/details?id=com.trendmicro.qrscan).
  4. Keep your devices updated: Regularly update your smartphone or other scanning devices with the latest security patches and firmware updates. This helps protect against known vulnerabilities that attackers may exploit.
  5. Be cautious of personal information requests: If a scanned QR code prompts you to provide personal information, such as login credentials or financial details, exercise caution. Legitimate sources typically do not request sensitive information through QR codes.
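As an added example (not part of the AusCERT post), the following stdlib-only Python helper applies the "preview the URL" advice above to the URL a scanner shows before it is opened: it flags a brand keyword appearing in a host that is not the brand's own domain (the Microsoft impersonation pattern described above), credentials before an '@' that hide the real host, raw IP hosts, plain http, and punycode labels. The brand domain list, the function names and the sample URLs are constructed assumptions for illustration.

```python
from urllib.parse import urlparse
import ipaddress

# Assumption (constructed for this example): brand named in the post plus a short list of its legitimate domains.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
}
# Reason prefixes that on their own justify blocking rather than manual review.
STRONG = ("impersonates", "userinfo", "raw IP")

def registrable_domain(host: str) -> str:
    """Last two labels of the host (naive: no public-suffix list, an assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def triage_qr_url(url: str) -> dict:
    """Return {'verdict': 'allow'|'review'|'block', 'reasons': [...]} for a URL decoded from a QR code."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if not host:
        return {"verdict": "block", "reasons": ["no host in URL"]}
    if parsed.username is not None:
        reasons.append("userinfo before '@' hides the real host: %s" % host)
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if parsed.scheme != "https":
        reasons.append("not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible lookalike)")
    haystack = (parsed.netloc + parsed.path + parsed.query).lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and registrable_domain(host) not in legit:
            reasons.append("impersonates %s: real host is %s" % (brand, host))
    if not reasons:
        verdict = "allow"
    elif any(r.startswith(STRONG) for r in reasons):
        verdict = "block"
    else:
        verdict = "review"
    return {"verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner's URL preview would show them.
    for u in ("https://login.microsoftonline.com/", "http://192.0.2.10/microsoft/login",
              "https://microsoft.com@evil.example/verify"):
        print(u, triage_qr_url(u))
```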

Additionally, organisations are encouraged to promote awareness and educate their staff about the risks associated with QR code phishing and implement security measures to mitigate these threats.

By staying informed and taking proactive steps, we can help minimise the impact of QR code phishing attacks.

More information:

https://techwireasia.com/2023/08/quishing-attacks-on-the-rise/
https://www.malwarebytes.com/blog/news/2023/08/qr-codes-deployed-in-targeted-phishing-campaigns
https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/five-common-qr-code-scams