By now, most of us have become accustomed to seeing QR codes everywhere, from cafes and pubs to businesses and public services. But how often do you check the URL it points you to?
This is just one of the weaknesses of QR codes: the implicit trust that the code will get you where you want to go.
New Sophos research has investigated how an attack plays out after one of its own employees was targeted by a ‘quishing’ attack using malicious QR codes hidden in apparently legitimate internal emails.
Quishing is not easy
In June 2024, several Sophos employees received a fairly mundane email from legitimate third-party email accounts, with subject lines written to make it appear as if the email had been sent from an office printer/scanner with an employee benefits PDF document as attachment.
The PDF was fairly simple, with the Sophos logo at the top, followed by a QR code, and a message at the bottom stating that the QR code contained a secure link to DocuSign that required the employee’s digital signature, and that the file would expire within 24 hours.
When scanned, the QR code directed the employee to a Microsoft 365 login box, where the employee properly logged in and completed a multi-factor authentication check. In near real time, an attacker used the credentials and a stolen MFA token to gain access to an internal application. Fortunately, Sophos’ internal network settings prevented access and the account was secured.
How can a quishing attack like this be spotted and stopped? If you pay close attention to every detail of an incoming email, you might have a chance. First, Sophos points out that the file name in the body of the email did not match that of the attached PDF. Furthermore, the subject line read “Remittance Arrivald” – something a file received from a legitimate officer scanner would not say.
The subject line also ended with “retirement plan Attache=”. Whether this was an error by the attacker or a clever use of the ‘=’ sign to make the header appear truncated is unknown.
The false sense of urgency suggested by the 24-hour expiration timeline should also have been a giveaway, as should the URL displayed when the QR code was scanned. But as anyone who’s scanned a QR code before knows, sometimes the full URL doesn’t display or disappears before it can be fully read and checked for clues like random letters or a homoglyph domain.
As for the stolen MFA token, the Microsoft 365 login page was actually a spoofed dialog box controlled by the attacker that was not picked up due to a lack of URL filtering software on the victim’s phone.
Quishing, Sophos points out, is quickly becoming a growing threat to organizations with phishing-as-a-service (PhaaS) brokers like the ONNX Store increasingly offering QR code-based attacks in their offerings.
Because QR codes are typically image-based attachments that can be placed in PDF documents, they can easily slip through email filters and the typical endpoint protections implemented by many companies because all URL processing takes place on the user’s mobile device. the victim, which may not be the case. enjoy the same level of protection.
Andrew Brandt, chief threat researcher at Sophos, said: “While there was some fear around the rise of QR codes when they first became popular during COVID, the risk to most people was actually quite small. However, now we see attackers using these QR codes for highly targeted phishing attacks – and they are effective.”
“QR codes are incredibly flexible, and quishing kits essentially allow attackers to create a series of targeted quishing emails en masse, and tailor them to employees at different companies. And unfortunately, if attackers manage to steal both credentials and MFA authentication tokens for a company employee, in many cases they have gained the opportunity to infiltrate highly privileged assets,” Brandt said.
For recommendations on how to best protect your organization from quishing, and the top signs of a quishing email, see Sophos’ suggestions. here.