What is Quishing?
Quishing is the use of manipulated or fake QR codes by attackers to carry out fraudulent activities such as stealing personal information and spreading malware. It works like a traditional phishing attack: the user believes the QR code is genuine, scans it and follows the link, and is directed to a phishing site that attempts to steal sensitive data or install malware on the device.
In a traditional email-driven phishing attack, the malicious website link is embedded in the email body. In quishing, the malicious website is pointed to by the QR code: the user scans the code and the device browses to the malicious site.
Types of QR codes
There are two main types of QR codes:
- Static QR codes: the encoded content is fixed and cannot be altered. They are commonly used for sharing static information such as a website URL, contact details, or a Wi-Fi password.
- Dynamic QR codes: as the name suggests, the information they encode can be updated or changed without changing the code’s appearance. The code contains a unique URL that directs the user to a server where the actual content is stored. This adaptability makes them ideal for situations where the content needs frequent updates, such as event information, promotional offers, or real-time inventory tracking. However, the same flexibility also poses a security risk: scammers can exploit dynamic QR codes by altering the content at the source to redirect users to malicious sites.
Challenges in detecting Quishing?
The biggest challenge is the way QR codes are used. In most customer usage scenarios, two devices are involved. Consider two scenarios –
- The user receives an email on a corporate device and scans the code with a personal device; since there is no security control on the personal device, the user gets compromised.
- The user receives an email in a personal mailbox, so it is not blocked by corporate anti-phishing defenses, and scans the code with a corporate/managed device, which could be infected if the threat is not detected and blocked by corporate security.
Since the content behind a QR code is not visible when it is displayed as an image, embedding QR codes in emails gives scammers an ideal means of evading security controls that inspect links in the message body.
Some known Quishing attacks?
Refer to the SecureMac quishing page (https://www.securemac.com/news/qr-code-phishing-and-how-to-avoid-it) to learn more about the following attacks:
- Malicious QR codes on parking meters
- QR codes in credential phishing emails
- QR code banking app scams
- QR codes and fake parking tickets
Some other places where Quishing attacks might happen include the following –
- QR codes sent over messaging applications (such as Telegram, WhatsApp or iMessage) that invite the recipient to scan the code to get more information.
- QR Code hijacking: Attackers may hijack legitimate QR codes by overlaying them with malicious ones or replacing the original code with a malicious version. This can occur on websites, printed materials or other physical objects. When victims scan the hijacked QR code, they are redirected to a malicious website controlled by the attacker.
What can enterprises do to protect against Quishing?
- First and foremost is a user education program. Users should take the following precautions with any QR code:
  - Check whether the code looks tampered with, for example a sticker placed on top of the original.
  - Try to navigate to the website directly instead of scanning.
  - If you do scan a code, double-check the URL you’ve landed on before entering any information.
  - If the QR code is for an app, don’t scan it; go to the app store and search for the app.
  - Verify the URL behind the QR code before visiting it. This can be done with a secure QR code reader such as the Trend Micro™ QR Scanner (Android) or QRs (Apple devices), or by decoding the URL with a free online service such as ZXing Decoder Online or QR Code Scanner.
- Use an email security solution that detects phishing emails, and confirm that it supports quishing detection, so that emails carrying malicious QR codes are identified and not delivered to users.
- Use a strong web security solution so that if a user scans a QR code on a corporate device and browses to the malicious site, the access is detected and blocked.
- Use 2FA to protect your accounts. If a user falls victim to a credential quishing attack, the stolen password alone will not be enough to compromise the account.
- Ensure that your endpoint detection and response (EDR) product supports quishing, to protect corporate/managed devices when a malicious QR code is scanned.
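The "verify the URL behind the QR code before visiting it" step above can be automated once a reader has decoded the code. The following Python script is an added example (not code from the article or from any vendor it names): it takes the decoded payload as a string and triages it with the checks a defender would apply before letting a user open it. The allowlist, the shortener list and the sample payloads are constructed for the demo; the registrable-domain helper is a crude last-two-labels approximation, not a public-suffix lookup.

```python
"""Triage of a decoded QR payload before the user visits it.

Added example; not code from the original article or any vendor named in it.
Assumes a QR reader has already decoded the code into a string. The
allowlist, shortener list and sample payloads are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: domains the organisation legitimately puts in its QR codes.
TRUSTED_DOMAINS = {"example.com", "pay.example.com"}

# Constructed sample of link-shortener hosts; a shortener hides the real
# destination, which is exactly what a quishing campaign wants.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Payload types that configure the device or open an app rather than a
# browser; the article's advice is to install apps via the app store instead.
NON_WEB_SCHEMES = {"wifi", "tel", "sms", "mailto", "market", "itms-apps"}


def _levenshtein(a, b):
    """Edit distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host; a crude stand-in for a public-suffix lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


TRUSTED_REGISTRABLE = {registrable_domain(t) for t in TRUSTED_DOMAINS}


def triage_qr_payload(payload):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    text = payload.strip()
    head = text.split(":", 1)[0].lower()
    if head in NON_WEB_SCHEMES:
        return "review", ["%s: payload configures the device or opens an app; apply it manually instead" % head]

    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        return "block", ["not a web URL (scheme %r)" % parts.scheme]
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "block", ["URL has no host"]

    findings = []  # (severity, reason)
    if parts.scheme == "http":
        findings.append(("low", "plain http, not https"))
    if parts.username or parts.password:
        findings.append(("high", "text before '@' disguises the real host"))
    try:
        ipaddress.ip_address(host)
        findings.append(("high", "host is a raw IP address"))
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("high", "punycode label, possible homograph"))
    if host in SHORTENER_HOSTS:
        findings.append(("high", "link shortener hides the destination"))
    if host.count(".") >= 4:
        findings.append(("low", "deeply nested subdomains"))

    trusted = host in TRUSTED_DOMAINS or any(host.endswith("." + t) for t in TRUSTED_DOMAINS)
    if not trusted:
        reg = registrable_domain(host)
        for t in TRUSTED_REGISTRABLE:
            if t in host:
                # e.g. example.com.verify-login.net: brand used as a decoy prefix
                findings.append(("high", "trusted name '%s' embedded in unrelated host" % t))
            elif reg != t and _levenshtein(reg, t) <= 2:
                findings.append(("high", "'%s' looks like trusted domain '%s'" % (reg, t)))
        findings.append(("low", "host not on allowlist"))

    if any(sev == "high" for sev, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, [reason for _, reason in findings]


if __name__ == "__main__":
    # Constructed sample payloads, as a QR reader would hand them over.
    for sample in ("https://pay.example.com/invoice/42", "http://bit.ly/3abc",
                   "https://examp1e.com/login", "https://example.com.verify-login.net/",
                   "WIFI:T:WPA;S:cafe;P:pw;;"):
        print(sample, "->", triage_qr_payload(sample))
```

A "review" verdict is deliberate for unknown but otherwise clean hosts and for non-web payloads: the script cannot tell a legitimate restaurant menu from a new phishing domain, so it hands those to the user (or an analyst) with the reasons attached rather than pretending to a certainty it does not have. The "block" findings are the patterns that have no legitimate reason to appear in a QR code an organisation hands out: embedded credentials, raw IP hosts, punycode, shorteners, and brand look-alikes.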