A phishing campaign using QR codes has been detected targeting various industries, with the aim to acquire Microsoft credentials.
“The most notable target, a major Energy company based in the US, saw about 29% of the over 1000 emails containing malicious QR codes. Other top 4 targeted industries include Manufacturing, Insurance, Technology, and Financial Services seeing 15%, 9%, 7%, and 6% of the campaign traffic respectively,” said Nathaniel Raymond, cyber threat intelligence analyst at Cofense.
Phishing with QR codes
The attack begins with victims receiving a phishing email carrying a PNG or PDF attachment that prompts them to update their Microsoft account security settings or add two-factor authentication to their account by scanning a QR code.
To add a sense of urgency, victims are asked to complete the task within 2-3 days.
QR code image samples. (Source: Cofense)
Most of the embedded QR codes lead to Bing redirect URLs.
“Abusing trusted domains, using obfuscation tactics, coupled with hiding the URLs inside QR codes embedded into a PNG or PDF attachment, helps ensure that emails bypass security and make it into inboxes,” Raymond noted.
“Although the overall campaign was comprised of many domains, Bing redirect URLs shared the largest portion of the campaign, comprising 26% of the overall campaign phishing links used in the QR Codes, followed by the Salesforce application URL taking 15%.”
The pros and cons of using QR codes in attacks
There has been a rise in QR code scan scam campaigns, with analysis showing daily occurrences since October 2022.
QR codes are practical for threat actors because they hide the malicious link inside an image, which lets the email slip past scanning solutions that inspect links and text. Still, victims need to scan them with a QR code reader on their mobile device, which gives them the opportunity to see and check the URL before opening it.
“While automation such as QR scanners and image recognition can be the first line of defense, it is not always guaranteed that the QR code will be picked up. Especially if it’s embedded into a PNG or PDF file,” said Raymond.
“Therefore, it is also imperative that employees are trained not to scan QR codes in emails they receive. This will help ensure that account and business security remain safe.”
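The trusted-domain redirect abuse described above, together with the automated scanning Raymond describes as a first line of defense, suggests a triage check on the URL a QR code decodes to. The following is an added example, not code from Cofense or the article: it assumes the QR code has already been decoded to a string, uses an assumed allowlist of Microsoft login hosts, and constructs its own sample Bing-style redirect whose tag-plus-base64 layout is an assumption for illustration, not a format taken from the article.

```python
import base64
from urllib.parse import parse_qsl, unquote, urlparse

# Hosts a genuine "update your Microsoft security settings" link should land on
# (assumed allowlist for this example; extend it for your own tenant).
EXPECTED_HOSTS = {"login.microsoftonline.com", "account.microsoft.com"}

def _base64_url(text):
    """Decode text as base64 if the result is an http(s) URL, else None.
    Redirectors may prepend a short tag to the payload, so a few offsets are tried."""
    for start in range(min(len(text), 4)):
        chunk = text[start:]
        try:
            decoded = base64.urlsafe_b64decode(chunk + "=" * (-len(chunk) % 4)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith(("http://", "https://")):
            return decoded
    return None

def _embedded_url(url):
    """Return a destination URL carried in a query parameter, plain or base64-encoded."""
    for _key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        candidate = unquote(value)
        if candidate.startswith(("http://", "https://")):
            return candidate
        decoded = _base64_url(candidate)
        if decoded:
            return decoded
    return None

def assess_qr_url(url, max_hops=5):
    """Peel redirect wrappers offline (no network) and classify the final destination."""
    chain = [url]
    while len(chain) <= max_hops and (nested := _embedded_url(chain[-1])):
        chain.append(nested)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    reasons = []
    if len(chain) > 1:
        reasons.append(f"wrapped in a redirect via {urlparse(url).hostname}")
    if final_host not in EXPECTED_HOSTS:
        reasons.append(f"final host {final_host!r} is not an expected Microsoft login host")
    return {"chain": chain, "final_host": final_host, "reasons": reasons,
            "verdict": "suspicious" if reasons else "expected"}

def constructed_sample():
    """Constructed Bing-style redirect wrapping a base64 destination (not a real campaign URL)."""
    target = "https://account-verify.example.invalid/microsoft/"
    encoded = base64.urlsafe_b64encode(target.encode()).decode().rstrip("=")
    return f"https://www.bing.com/ck/a?!&&p=CONSTRUCTED&u=a1{encoded}&ntb=1"
```

Decoding the QR image itself is left to a separate scanner; this check only reasons about the decoded string, so a QR code the scanner fails to pick up is exactly the gap Raymond warns about.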