{"id":6949,"date":"2023-09-22T09:13:52","date_gmt":"2023-09-22T09:13:52","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=6949"},"modified":"2025-01-09T22:51:01","modified_gmt":"2025-01-09T22:51:01","slug":"quishing-phishing-emails-qr-codes-threat-actors","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/defence\/quishing-phishing-emails-qr-codes-threat-actors\/","title":{"rendered":"The Rising Threat of QR Code-Enabled Phishing Emails: Quishing"},"content":{"rendered":"\n

In the ever-evolving landscape of cyber threats, threat actors are constantly seeking new and innovative ways to deceive and compromise unsuspecting targets. One of the latest techniques that Fortgale observed gaining prominence over the last few months is the utilization of QR codes in phishing email campaigns<\/strong> (Spearphishing Technique – T1566<\/a>).<\/p>\n\n\n\n

In this article, we delve into the phenomenon of phishing emails leveraging QR codes \u2013 a technique define as \u201cQuishing<\/strong>\u201d – sheding light on the motivations behind this technique and sharing indicator of compromises (IOCs<\/strong>) and part of the data collected, to allow a better identification of these campaigns.<\/p>\n\n\n\n

QR Codes<\/h2>\n\n\n\n

QR codes, short for Quick Response<\/strong> codes, were originally designed to facilitate rapid data exchange. However, their convenience has not gone unnoticed by cybercriminals. These matrix barcodes can encode a variety of information, including website URLs<\/strong>.<\/p>\n\n\n\n

So, why are threat actors increasingly turning to QR codes in their phishing campaigns?<\/p>\n\n\n\n

Mobile Devices<\/h3>\n\n\n\n

One significant driver behind the growing adoption of QR code-enabled phishing lies in the user behavior it exploits. QR codes entice users to scan them with their mobile devices, and herein lies an inherent vulnerability. Unlike their desktop counterparts, mobile devices often lack the same level of security, protection, and user awareness<\/strong>. Moreover, mobile screens are smaller, making it harder for users to scrutinize URLs and discern phishing attempts.<\/p>\n\n\n\n

Enhanced Cover-Up<\/h3>\n\n\n\n

QR codes provide an effective means of concealing malicious URLs<\/strong>. To the human eye, the QR code appears innocuous, making it harder for users to discern the true nature of the link. Users tend to be more casual and less cautious when using their smartphones, especially for personal tasks like scanning QR codes. This complacency is something threat actors exploit.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Bypass Antispam engines<\/h3>\n\n\n\n

Quishing is a dangerous form of phishing because it is not recognized by most antispam filters<\/strong> or email security software. Antispam filters usually scan the text and attachments of the emails, but they do not analyze the content of the QR codes. Therefore, they cannot detect the malicious links hidden in the QR codes. Email security software may also fail to identify quishing emails as phishing, because they rely on indicators such as sender\u2019s address, subject line, or domain name, which can be easily spoofed by the threat actors.<\/p>\n\n\n\n

Real Cases<\/h2>\n\n\n\n

Over the last few months Fortgale identified different campaigns leveraging Squishing as a way to perform cyberattacks. <\/p>\n\n\n\n

They all share the same tactics, mainly divided in three steps:<\/p>\n\n\n\n