In the early days, email was the main vector for phishing attacks. But as email defences matured, phishing changed in step to get around them, spawning variants that leverage SMS, voice calls and now QR codes. QRishing, a term that combines the words QR and phishing, is exactly what it sounds like: hackers creating malicious QR codes and embedding them in seemingly trustworthy material, such as brochures and emails that appear to come from trusted companies and institutions.
Many have now fallen for QRishing campaigns, for several reasons:
● Current security products are ineffective at detecting malicious URLs in QR codes
Unlike conventional phishing, QRishing does not expose the URL as text or in an attachment; the link is hidden inside the QR code image, which lets the email bypass spam filters and makes the campaign far more difficult to detect and disrupt.
● Initial malicious activity takes place on mobile devices, which are beyond the control or visibility of most security products
By having users scan a QR code with their smartphone, hackers bypass the typical endpoint- and network-based controls found on desktops, which means organisations cannot see what links their employees are following.
● Hackers use compromised and localised mailboxes to send QRishing emails
Threat actors running QRishing attacks tend to use compromised accounts in the same region as their targets to send emails carrying their malicious QR codes. Moreover, by masquerading as local brands with in-country domains, they make their targets more likely to fall for the bait.
● Threat actors have adapted to the measures that were once best-practice defences
From sandbox evasion techniques and MFA-aware phishing kits to in-country IP address proxies, hackers now have many ways to get around today's cybersecurity best practices, as QR-driven phishing attacks exemplify.
A QRishing attack begins as soon as users scan the malicious QR code with their device; a pop-up then shows a URL that leads to the page where they can supposedly claim the promised benefit or other incentive. Depending on the objective, these attacks are designed to steal private information (for example by asking for login credentials to access the reward), install malicious software on the user's device, or direct victims to an unsafe website with malicious intent.
One of the most high-profile cases of QRishing in recent times is a Microsoft 365 QRishing attack that targeted a single employee of a US-based Managed Service Provider. The phishing attempt came as an email disguised as a support ticket notification and bypassed detection by Microsoft's native security features. Because the email asked the user to reactivate their Microsoft Security - Multifactor Authentication (MFA), it naturally carried all the branding and details you would expect from a genuine Microsoft email.
Upon clicking the link, the user would be directed to an M365 phishing site with a fake login form designed to steal their credentials, giving the hackers access to their M365 account and the ability to cause a lot of damage.
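The reasons above boil down to one thing: the URL exists only after the QR image is decoded. Once a mail gateway does decode it (this example assumes an image decoder such as zbar runs upstream and hands over the text), the resulting string can be scored like any other link, including a check for lookalike hosts of the kind used in the M365 lure. The following is an added example, not code from the original article or from any vendor product: the brand list, shortener list, keyword list, thresholds and sample payloads are all constructed for illustration, and the lookalike test is a plain substring match that would not catch homoglyph domains.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains the organisation treats as legitimate for each brand it protects.
# Constructed for this example; a real gateway would load these from policy.
LEGIT_DOMAINS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com", "live.com"),
}
# Illustrative subset of public link shorteners, which hide the final destination.
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "is.gd")
# Words that often appear in credential-harvesting paths (the M365 lure asked to "reactivate" MFA).
CRED_KEYWORDS = ("login", "signin", "mfa", "verify", "reactivate", "password")

BLOCK_THRESHOLD = 4
REVIEW_THRESHOLD = 2


def _under_domain(host: str, domains) -> bool:
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload: str) -> dict:
    """Score one decoded QR payload the way a mail gateway scores a URL.

    Turning the QR image into this string is assumed to happen upstream (an image
    decoder such as zbar); this function only ever sees the decoded text.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi configs, vCards, plain text: not a link, nothing for a URL filter to do.
        return {"is_url": False, "score": 0, "verdict": "not-a-url", "reasons": []}

    host = (parts.hostname or "").lower()
    path_and_query = (parts.path + "?" + parts.query).lower()
    score, reasons = 0, []

    def flag(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if scheme == "http":
        flag(2, "plain http: the landing page and anything typed into it travel unencrypted")
    if parts.username is not None:
        flag(3, "userinfo before the host: classic URL obfuscation")
    if _is_ip(host):
        flag(3, "raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        flag(3, "punycode label: possible homoglyph domain")
    if _under_domain(host, SHORTENERS):
        flag(2, "link shortener: final destination hidden")
    for brand, legit in LEGIT_DOMAINS.items():
        # Substring match after dropping hyphens catches "microsoft-security-mfa.example.net";
        # it does not catch homoglyphs such as "rnicrosoft", which need a separate check.
        if brand in host.replace("-", "") and not _under_domain(host, legit):
            flag(4, f"mentions '{brand}' but is not a {brand} domain")
    if any(word in path_and_query for word in CRED_KEYWORDS):
        flag(1, "credential-related words in path or query")

    if score >= BLOCK_THRESHOLD:
        verdict = "block"
    elif score >= REVIEW_THRESHOLD:
        verdict = "review"
    else:
        verdict = "allow"
    return {"is_url": True, "score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample payloads, as they would come out of a QR decoder.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",   # genuine sign-in host
    "http://microsoft-security-mfa.example.net/reactivate/login",  # lookalike in the style of the M365 lure
    "https://bit.ly/3xmplQR",                                      # destination hidden behind a shortener
    "https://192.0.2.10/verify",                                   # raw IP from the documentation range
    "WIFI:T:WPA;S:Guest;P:constructed;;",                          # not a URL at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage_qr_payload(sample)
        print(f"{result['verdict']:>9}  score={result['score']:<2} {sample}")
        for reason in result["reasons"]:
            print(f"{'':>20}- {reason}")
```

Run as a script it prints a verdict per sample with the reasons behind it. The genuine Microsoft sign-in host scores zero because the brand check only fires when the host is outside the configured legitimate domains; the hyphenated lookalike collects the brand, plain-http and keyword points and is blocked outright.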
1. Educate employees
Once again, regular cybersecurity training shows its value in keeping employees informed about the latest cyber threats. In addition to training, organisations should put this learning into practice with a user awareness training platform that sends simulated phishing emails containing QR codes. Of course, user education is only one piece of the puzzle in preventing compromise, but teaching employees what to look out for can make a difference in preventing intrusions.
2. Check your settings
As security vendors catch wind of the ongoing QRishing campaigns, many are in the process of adding, or have already added, QR detection to their security products. To benefit from this protection, check your spam filter settings to see that they are up to date and in line with your vendor's recommendations. For Microsoft Defender and Microsoft 365 E5, this means assigning your domains to the Strict or Standard preset security policies.
3. Go passwordless
While MFA remains a very effective method for securing accounts, the rise of MFA-aware phishing kits is gradually reducing its effectiveness. Therefore, it is time to consider adopting passwordless solutions that eliminate any type of password that can be phished. For instance, many companies are deploying Windows Hello facial recognition in their day-to-day operations, greatly increasing their work-from-home employees' overall security and satisfaction.
Keeping up with the latest trends in phishing is no easy feat, and new variants like QRishing often become known to the public only after they have already caused some damage. However, with regular training, employees can learn to be wary of future avenues for phishing and stop them in their tracks.
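Why a relayed MFA code still works for the attacker while a FIDO2/WebAuthn credential (the mechanism behind security keys and platform authenticators such as Windows Hello) does not, shown as an added, simplified model that is neither the article's code nor Microsoft's implementation. The TOTP half follows RFC 6238 with its default parameters; the WebAuthn half keeps the protocol's shape (the browser refuses RP IDs that do not match the page origin, and the origin sits inside the signed clientDataJSON) but replaces the authenticator's asymmetric signature with an HMAC so it runs on the standard library alone. The origins, RP ID, secrets and challenge are constructed values, and the RP ID rule omits the public-suffix check real browsers also perform.

```python
import hashlib
import hmac
import json
import struct


# A relayable second factor: TOTP (RFC 6238 with its default SHA-1 / 30 s / 6-digit parameters).
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_check_totp(secret: bytes, code: str, now: int) -> bool:
    """Typical server check: accept the current time step and one step on either side."""
    return any(hmac.compare_digest(totp(secret, now + drift), code) for drift in (-30, 0, 30))


# An origin-bound factor: a simplified model of a FIDO2/WebAuthn assertion. A real
# authenticator signs with a per-site private key; an HMAC keyed with a per-credential
# secret stands in for that signature here (simplification, not the real protocol).
def _host(origin: str) -> str:
    return origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser-side rule: the RP ID must equal the origin's host or be a parent domain of it.
    Real browsers additionally reject public suffixes such as 'com'; omitted here."""
    host = _host(origin)
    return host == rp_id or host.endswith("." + rp_id)


def _sig(cred_secret: bytes, rp_id: str, client_data: bytes) -> str:
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(cred_secret, signed, hashlib.sha256).hexdigest()


def sign_assertion(cred_secret: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """Authenticator output: a signature over rpIdHash || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    return {"client_data": client_data, "sig": _sig(cred_secret, rp_id, client_data)}


def browser_get_assertion(cred_secret: bytes, rp_id: str, page_origin: str, challenge: str):
    """Model of navigator.credentials.get(): the origin that gets signed is the one the
    user is really on, and the browser refuses if the RP ID does not match that origin."""
    if not rp_id_allowed(page_origin, rp_id):
        return None
    return sign_assertion(cred_secret, rp_id, page_origin, challenge)


def server_verify(cred_secret: bytes, rp_id: str, expected_origin: str, challenge: str, assertion) -> bool:
    """Relying party: origin and challenge are read from the signed clientDataJSON."""
    if assertion is None:
        return False
    data = json.loads(assertion["client_data"])
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False
    return hmac.compare_digest(assertion["sig"], _sig(cred_secret, rp_id, assertion["client_data"]))


# Constructed scenario values.
REAL_ORIGIN = "https://login.microsoftonline.com"
RP_ID = "microsoftonline.com"
PROXY_ORIGIN = "https://login.microsoft-mfa.example"   # lookalike host run by a relay kit
CRED_SECRET = b"per-credential secret fixed at registration (constructed)"
TOTP_SECRET = b"constructed-totp-seed"


def totp_survives_relay(now: int = 1_700_000_000) -> bool:
    """The kit forwards the code the victim typed; a few seconds later the real server accepts it."""
    code_typed_at_proxy = totp(TOTP_SECRET, now)
    return server_check_totp(TOTP_SECRET, code_typed_at_proxy, now + 5)


def webauthn_blocks_relay(challenge: str = "c0nstructed-challenge") -> dict:
    """Three outcomes for the same server challenge forwarded through the kit."""
    at_proxy = browser_get_assertion(CRED_SECRET, RP_ID, PROXY_ORIGIN, challenge)
    # Even an assertion produced at the proxy origin (tampered client) fails: the origin is
    # inside the signed data, so rewriting it to the real origin invalidates the signature.
    rewritten = sign_assertion(CRED_SECRET, RP_ID, PROXY_ORIGIN, challenge)
    rewritten["client_data"] = rewritten["client_data"].replace(PROXY_ORIGIN.encode(), REAL_ORIGIN.encode())
    genuine = browser_get_assertion(CRED_SECRET, RP_ID, REAL_ORIGIN, challenge)
    return {
        "honest_browser_at_proxy": server_verify(CRED_SECRET, RP_ID, REAL_ORIGIN, challenge, at_proxy),
        "origin_rewritten_by_relay": server_verify(CRED_SECRET, RP_ID, REAL_ORIGIN, challenge, rewritten),
        "genuine_sign_in": server_verify(CRED_SECRET, RP_ID, REAL_ORIGIN, challenge, genuine),
    }


if __name__ == "__main__":
    print("TOTP accepted after relay:", totp_survives_relay())
    for name, ok in webauthn_blocks_relay().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The contrast is the whole point: a one-time code carries no information about where it was typed, so the relay's delay of a few seconds is all that stands between the victim and the real server, and the time window absorbs it. The FIDO2-style assertion fails twice over at the lookalike host, first because the browser will not release a credential for an RP ID that does not match the page origin, and second because the origin is part of what the authenticator signs.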
Covering all the bases of your cybersecurity posture involves more than just employee training. At GROUP8, we can help you achieve a well-rounded and robust security infrastructure with our offensive-inspired cybersecurity services in Singapore. From penetration testing to endpoint security, our solutions cover the entire ecosystem and can be tailored to your exact needs. For more information about our services, do not hesitate to reach out to us at hello@group8.co.