The latest evolution of phishing emails includes QR codes as hackers look to maximize the potential of their campaigns.
In a new report, cybersecurity researchers at SecurityHQ say they have seen a ‘significant increase’ in such ‘quishing’ emails in recent months. The premise is simple: the majority of today’s email service providers do a relatively good job at filtering emails with malicious URLs in them.
However, they don’t do as well on the mobile platform and can’t scan QR codes, making this a unique vulnerability for hackers to exploit.
Quishing
In practice, a victim receives a phishing email without links. Instead, right next to the call to action (or in the signature), there is a QR code in a .JPG or .PNG file that can pass all email security tools.
Even the victim can’t see the link, and inspecting the link is usually the best way to spot a phishing site. They scan the QR code with their mobile phone and are redirected to a malicious landing page, where they are tricked into downloading something (such as malware), logging into a service (giving away their sensitive data to the attackers), or signing up for a service (again giving away sensitive information).
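The gap described above, as an added defender-side example (not code from the SecurityHQ report): a gateway check that flags link-less messages carrying a .PNG or .JPG and passes any decoded QR payloads to the same URL filter. The `decode_qr` hook, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IMAGE_TYPES = {"image/png", "image/jpeg"}  # the .PNG / .JPG carriers named above

def triage(raw, decode_qr=None):
    """Summarise one message for a mail gateway.

    decode_qr is a hypothetical hook (image bytes -> list of decoded strings)
    to be backed by whatever QR decoder the gateway actually deploys.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    text_urls, images, qr_urls = [], [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text_urls += URL_RE.findall(part.get_content())
        elif ctype in IMAGE_TYPES:
            images.append(part.get_filename() or ctype)
            if decode_qr is not None:
                data = part.get_payload(decode=True) or b""
                # Only URL payloads matter to the URL filter.
                qr_urls += [s for s in decode_qr(data) if URL_RE.match(s)]
    return {
        "text_urls": text_urls,
        "images": images,
        "qr_urls": qr_urls,
        # The quishing shape: nothing for the URL filter to check, but an image to scan.
        "linkless_with_image": bool(images) and not text_urls,
    }

def build_sample(with_link):
    """Constructed sample message; addresses, text and image bytes are made up."""
    m = EmailMessage()
    m["From"], m["To"] = "it-support@example.com", "user@example.com"
    m["Subject"] = "Action required: re-verify your account"
    body = "Scan the code below with your phone to keep your account active.\n"
    if with_link:
        body += "Or visit https://portal.example.com/verify\n"
    m.set_content(body)
    m.add_attachment(b"\x89PNG constructed placeholder, not a real image",
                     maintype="image", subtype="png", filename="code.png")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(False)))
```

URLs returned in `qr_urls` should go through the same reputation and sandbox checks as links found in the message body.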
Given the pervasiveness of email in both private and business environments, and the low cost of sending emails, phishing remains the primary attack vector for most threat actors.
With phishing emails, usually pretending to be a popular brand or trustworthy person, the attackers try to create a sense of urgency and get the victim to do something without even thinking about it. This could be a limited discount offer, a threat of account termination, or a soon-to-be-returned package.
The usual goal of phishing is to get the victim to give the attackers access to their accounts or endpoints, either by downloading and executing malware or by sharing login credentials via phishing landing pages.