The Not So New Threat Of QR Codes/Quishing

The Not So New Threat Of QR Codes/Quishing


Cybersecurity awareness month additional topic

Many organizations for over 20 years have been dealing with phishing attempts via email. They need to find the balance between allowing emails from the workplace and business. While preventing these unwanted attempts to access their networks from reaching employee email inboxes. This, however, may not come as a surprise as being easier said than done.

QR Code Phishing, aka Quishing; is a current market high on the agenda for organizations and preventing risks, as it represents a risk that can bypass existing security controls that are currently in place.

Quishing stems from phishing: Phishing is the attempt to steal credentials or other useful information from employees by setting up spoofed(false or replica) websites/HTML links/emails to achieve this goal of stealing personal/employee information.

This process in the current day is much more automated than previously known, so that within seconds of the credentials received the users passwords can be changed and often 2FA will be enabled by the threat actor to lock out the original user.

Quishing is merely the QR code use for this style of attack, instead of a hyperlink/website-address, the threat actor instead uses a QR code to deliver the URL. Since most email security systems in place do not read the contents of QR codes, prevention has been difficult to say the least.

As with many IT challenges, there is never one correct answer. A holistic approach that will cover the people, processes and technology of an organization will provide all organizations a standing chance in mitigating these styles of attack.

As reported earlier this month in recognition of Cyber Security Awareness month here are some steps to prevent Quishing.

The Tools for prevention

  1. Training of employees/family members/friends. As a high priority we should all learn how to recognize these malicious emails before considering ever scanning the QR code or clicking the website link attached. If a link is clicked accidentally in a place of work, it should be up to the IT and management departments to enforce a no blame policy, because stuff happens, and it will more likely be brought to the attention of the correct officials to deal with the breach.
  2. A Reporting Process. In our every day it should be that if our information has been stolen and we recognize after the fact, contacts the designated government agency in addition to local police, as well as if any credit card information has been stolen the credit/banking company you use, to prevent any further damages/loses. In a corporate sense, Employees should have a clear process for reporting any suspicious emails they receive. These emails need to be evaluated by security experts, and if a risk is identified, it needs to be mitigated quickly.
  3. Technological Prevention. Email security systems should scan for known malicious URLs in incoming emails. Ideally nowadays the systems will combine several intel sources to auto detect URLs that are known to be malicious or present suspicious patterns. Once an unwanted URL is detected, the delivery of the email is either completely prevented, or the URL is removed from the email or attachment, effectively “disarming” it before delivery. Considering the Quishing risk, this scanning should be extended to URLs which are encoded in QR codes.
  4. Digital Risk Protection (DRP) DRP monitors the Internet for websites used in credential theft phishing and takes them offline. This is a proactive service that reduces risk and prevents phishing attacks before they can happen.
  5. Closing the Vulnerability Gaps. Malicious URLs have been a concern for several years, but the combination of the rise in credential theft phishing attacks, and the ease of creating and using QR codes with embedded malicious URLs amongst other means. Shows that this attack vector is returning to the top of many organizations’ agendas.

A Conclusion

Considering the Cyber Security Awareness month theme, it’s important to remember the many different forms Threat actors will use to infiltrate our workplace, public and private lives. This may also be used as a friendly reminder that we all need to be cognizant of the looming threats of a growing Internet Of Things. Be safe, and don’t click on unknown QR codes from untrusted sources.

Anthony J Daw
Anthony J Daw
Cybersecurity Specialist, enthusiast of Python 3 & SQL, Hater of Windows PowerShell. Here to write to you about the wonderful world of Cybercrime, Espionage, and Cyberwarfare.
- Sponsor -spot_img
- Sponsor -spot_img

Week's Top Stories

More In This Category

International Criminal Court Investigating War Crimes in Darfur

The International Criminal Court (ICC) released a statement on...

Thousands Flee for Safety from El-Fasher, Sudan

Thousands of civilians are reportedly leaving the Sudanese city...

Pacific Skies 2024: European Air Forces Demonstrate Indo-Pacific Intervention Capability

In a landmark display of their Indo-Pacific intervention capabilities,...

Chiquita Liable for Right-Wing Paramilitaries in Colombia, US Court Rules

An eight-person jury in West Palm Beach, Florida, found...