PDF documents are hijacked with malicious QR codes

Cybersecurity experts have described a phishing tactic that has become increasingly popular: placing malicious QR codes in .PDF files.

Barracuda researchers said they observed (and later analyzed) more than half a million phishing emails using this tactic in the three months between June and September 2024.

By sharing QR codes in .PDF files, threat actors achieve two things. First, they evade detection by email security solutions, which can now scan the content of images in the body of the email, but not in the attached .PDF files. Second, they trick users into accessing malicious content via their mobile devices, which are generally less well protected than their desktop counterparts.

Change in tactics

The general theme of these attacks remains the same: the attackers impersonate a major brand and send an email that calls for a quick response. That email could concern an open invoice, a payment notification, information about a returned package or something similar. The victims are urged to respond immediately, and further information is said to be in the attached .PDF file.

Because .PDF files are not as dangerous as .EXE or .LNK files, they rarely arouse any suspicion among victims. Opening the file does nothing by itself, and it shows nothing except the QR code, which the victim is tricked into scanning with their mobile phone.

From there, the threat actors can more easily steer victims to malicious landing pages, fake login sites, or places where malware can be downloaded.

Barracuda also says that certain industries, such as finance, healthcare and education, are increasingly being targeted because of the sensitive data they process. The researchers also said that small and medium-sized businesses (SMBs) are particularly vulnerable given the lack of advanced security tools needed to defend against such advanced attacks.

“The shift in tactics from embedding QR codes in the body of an email to attaching them in PDF documents makes it more difficult for traditional defenses to identify and block these attacks before they reach employees,” concluded the researchers.
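The gap described above, where QR images sit inside an attached PDF rather than in the email body, can be narrowed with a triage step at the mail gateway. The following is an added example, not code from Barracuda or from the original article: a standard-library Python heuristic that flags PDF attachments containing an embedded image but no drawn text, so they can be sent on to image or QR inspection. All function names and both sample documents are constructed for illustration.

```python
import re
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Object dictionary plus its stream; the dictionary may not cross "endobj".
STREAM = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)endstream", re.S)
IMAGE = re.compile(rb"/Subtype\s*/Image\b")
TEXT_OP = re.compile(rb"[)>]\s*Tj|\]\s*TJ")  # text-showing operators

def pdf_is_image_only(pdf: bytes) -> bool:
    """True when the PDF embeds at least one image and draws no text."""
    images, draws_text = 0, False
    for objdict, body in STREAM.findall(pdf):
        if IMAGE.search(objdict):
            images += 1
            continue  # pixel data, not page content
        if b"FlateDecode" in objdict:
            try:
                # decompressobj tolerates the end-of-line bytes before "endstream"
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue  # unreadable stream: leave it to a full PDF parser
        draws_text = draws_text or bool(TEXT_OP.search(body))
    return images > 0 and not draws_text

def flag_attachments(raw_email: bytes) -> list[str]:
    """Names of PDF attachments that should go on to image/QR inspection."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if part.get_content_type() == "application/pdf"
            and pdf_is_image_only(part.get_content())]

def sample_pdf(content: bytes) -> bytes:
    """Constructed, minimal PDF-like sample: one image plus one page stream."""
    img = b"1 0 obj<</Type/XObject/Subtype/Image/Width 1/Height 1>>stream\n\x00\nendstream endobj\n"
    page = b"2 0 obj<</Filter/FlateDecode>>stream\n" + zlib.compress(content) + b"\nendstream endobj\n"
    return b"%PDF-1.4\n" + img + page + b"%%EOF\n"

def sample_email() -> bytes:
    """Constructed message: one image-only PDF, one PDF that also draws text."""
    msg = EmailMessage()
    msg["Subject"] = "Open invoice"
    msg.set_content("Details are in the attached file.")
    msg.add_attachment(sample_pdf(b"q 200 0 0 200 100 500 cm /Im0 Do Q"),
                       maintype="application", subtype="pdf", filename="qr_only.pdf")
    msg.add_attachment(sample_pdf(b"BT /F1 12 Tf (Invoice 42) Tj ET"),
                       maintype="application", subtype="pdf", filename="text.pdf")
    return msg.as_bytes()
```

PDFs that store their objects in compressed object streams need a full PDF parser first, since this heuristic reads only top-level streams. A flagged attachment is a candidate for QR decoding and URL reputation checks, not a verdict.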
