Even decades after the term “phishing” was coined, attackers are still innovating. In the past few weeks, we have seen a stark increase in a tactic referred to as “Quishing”: a form of phishing which abuses QR codes to attack victims.
Traditional phishing attacks, which typically involve a malicious email containing a dubious attachment, a deceptive link, or sometimes both, have been on our radar for years. Modern analysis engines are adept at scanning such emails and identifying the threats they contain. However, in this rather new attack scenario, malicious links are not embedded in the email. Instead, attackers prompt the recipient to scan a QR code with their smartphone.
This scan directs their phone’s browser to a phishing webpage which, for example, could impersonate a Microsoft logon form.
To illustrate, imagine the traditional phishing attack as a direct flight from a user’s laptop to a phishing site, facilitated by a single click. In contrast, quishing is more of a connecting flight: the journey begins with an email on the laptop, but then transfers to a smartphone via a QR code, ultimately landing on the phishing site (see Figure 1).
This indirect route offers tactical advantages to attackers. For one, phishing detectors might not recognize the malicious intent behind a QR code as readily as they would a hyperlink. Furthermore, the email recipient’s computer might be fortified with VPNs, firewalls, and detection engines designed to flag and prevent access to phishing links. On the recipient’s smartphone, however, where the QR code is scanned, these protective measures are more likely to be bypassed, leaving the user vulnerable.
We have identified several past and ongoing quishing campaigns and show an excerpt in Figure 2. Note that at the time of upload not a single antivirus engine on VirusTotal was able to detect any of these quishing samples as malicious.
Detecting Quishing
VMRay Cloud has already been updated to identify and analyze QR codes in extracted images, and the feature will be available to all other customers with the upcoming 2024.1 release.
To demonstrate this feature, consider the most common quishing attack scenario, which is delivery via email: when a QR code is identified in an email submission, a recursive submission is automatically triggered to analyze the extracted link in more depth (see Figure 3). In this case, the link seems to redirect the user to another webpage that pretends to be a Microsoft logon page, which is detected as a phishing attempt on our side (see Figure 4).
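The workflow described above (find a QR code in an email's images, extract its link, queue that link for deeper analysis) can be sketched as follows. This is an added example, not VMRay's implementation: the function names, the sample email and the `example.test` URL are constructed for illustration, and the default decoder assumes OpenCV (`opencv-python`) and NumPy are installed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def decode_qr_opencv(image_bytes):
    """Real decoder; assumes opencv-python and numpy are installed."""
    import cv2
    import numpy as np
    img = cv2.imdecode(np.frombuffer(image_bytes, np.uint8), cv2.IMREAD_COLOR)
    if img is None:  # not a decodable image
        return []
    ok, texts, _, _ = cv2.QRCodeDetector().detectAndDecodeMulti(img)
    return [t for t in texts if t] if ok else []

def qr_urls_for_resubmission(raw_email, decode_qr=decode_qr_opencv):
    """URLs that exist only inside QR codes in image parts, so a scanner that
    reads text and HTML links never sees them. Each one is a candidate for a
    follow-up (recursive) analysis submission."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    body_urls, qr_urls = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            for text in decode_qr(part.get_payload(decode=True)):
                qr_urls += URL_RE.findall(text)
        elif ctype in ("text/plain", "text/html"):
            body_urls.update(URL_RE.findall(part.get_content()))
    # Keep first-seen order, drop duplicates and links already in the body.
    return [u for u in dict.fromkeys(qr_urls) if u not in body_urls]

SAMPLE_QR_URL = "https://login.example.test/verify"  # constructed value

def stub_decoder(image_bytes):
    """Constructed stand-in so the demo runs without an image library."""
    return [SAMPLE_QR_URL]

def build_sample(body="Scan the QR code with your phone to keep your mailbox."):
    """Constructed email: text body plus one placeholder image attachment."""
    m = EmailMessage()
    m["Subject"] = "Action required"
    m.set_content(body)
    m.add_attachment(b"\x89PNG-placeholder", maintype="image",
                     subtype="png", filename="qr.png")
    return m.as_bytes()

if __name__ == "__main__":
    print(qr_urls_for_resubmission(build_sample(), decode_qr=stub_decoder))
```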
Conclusion
Even techniques that are decades old still pose a threat as adversaries aim to find novel methods to evade detection. With this new feature, VMRay Platform allows users to proactively examine their emails for signs of quishing endeavors, enabling them to preemptively neutralize potential threats.