Understanding The Threat Of QR Codes & Quishing

Uploaded on 2023-10-16 in TECHNOLOGY--Resilience, FREE TO VIEW

Most organizations have security controls in place to inspect URLs in emails to prevent the risk of credential phishing and business email compromise (BEC) attacks. However, adversaries have pivoted their tactics in order to bypass these controls.

Is your organisation ready to adapt to this new challenge?

Unwanted Emails

Organizations have been dealing with unwanted emails for over 20 years. They must find a balance between letting genuine business emails enter the organization and preventing unwanted emails from reaching inboxes. This is easier said than done when the methods used by adversaries are constantly evolving. 

Quishing (QR code phishing) is currently high on the agenda for many organizations as it represents a risk that can bypass existing security controls, therefore the protection relies on the recipient fully understanding the threat and not taking the bait.

How Phishing Works

Attackers attempt to steal login credentials or other useful information from employees by setting up fraudulent websites that mimic the ones they use for their daily activities. For cloud services, it’s relatively easy to convince an employee that they need to enter their organization’s credentials in order to access a website from a URL they have received.     

If an attacker can entice an employee to visit a fraudulent website and enter their credentials, then the attacker can immediately use those credentials to gain access to the organization’s IT resources.

This process can even be automated, so that within seconds of the credential being given, the account has been taken over, the password has been changed, and often 2FA has been enabled on the account to lock out the original user.

Clicking on malicious URLs is still one of the top risks for account takeovers. According to data from Fortra’s PhishLabs in Q2 2023, more than three-quarters of credential theft email attacks contained a link pointing victims to malicious websites.  

What is Quishing? 

Quishing is merely an extension of these phishing attacks. Instead of a hyperlink to a fraudulent or malicious website, the attacker uses a QR code to deliver the URL. Since most email security systems are not reading the contents of the QR codes, it is difficult to prevent the ingress of these messages, hence the rise in the prevalence of this type of attack. 

How to Prevent Quishing Attacks

As with most IT challenges, there is no single answer. A holistic approach that covers people, process and technology will give organizations the best chance of mitigating these types of attacks.

Train Employees

As a high priority, employees should be trained to recognise malicious emails. Training should be ongoing and presented in bite-size modules that are easy to digest and learn from. This should be supplemented with testing/simulation to allow users to see what they have (or have not) learned, and how they can improve. Gamification of challenges and results can be used to engage and improve trainee performance.

It's important there’s a “no-blame” culture – if an employee receives a link (either real or simulated) and they click on it by accident and subsequently realise their mistake, they should feel empowered to notify and give security teams an opportunity to mitigate the risk without fear of repercussions. In a culture of blame, employees will attempt to conceal mistakes and this potentially leads to far greater consequences for the organization.

Reporting Process

Employees should have a clear process for reporting any suspicious emails they receive. These emails need to be evaluated by security experts, and if a risk is identified, it needs to be mitigated quickly. 

Many organizations will encourage employees to report these emails but lack the resources or skills to investigate them effectively. If possible, subscribe to a service that specialises in suspicious email analysis and give employees an easy mechanism to report emails to this service. The service will then expedite emails to the security operations teams for remediation (for example, it might be necessary to retract known emails from all user inboxes). 

In addition, it’s important that the employee is also notified of the result of the analysis (positive or negative) and thanked for making the report. Engaging employees this way will make them more inclined to pay attention to what they are clicking on and report future suspicious emails.

Technology Prevention 

Email security systems should scan for known malicious URLs in incoming emails. Ideally the systems will combine a number of intelligence sources to automatically detect URLs that are known to be “bad” or present a suspicious pattern (for example, uses an IP address instead of a hostname). Once an unwanted URL is detected, the delivery of the email is either completely prevented, or the URL is removed from the email or attachment, effectively “disarming” it before delivery. In light of the quishing risk, this scanning should be extended to URLs which are encoded in QR codes.

Digital Risk Protection (DRP)

Another service to consider is a Digital Risk Protection (DRP). DRP monitors the Internet for websites used in credential theft phishing and takes them offline. This is a proactive service that reduces risk and prevents phishing attacks before they can happen. 

Close the Vulnerability Gaps

Malicious URLs have been a concern for several years, but the combination of the rise in credential theft phishing attacks, and the ease of creating and using QR codes with embedded malicious URLs, means that this attack vector is returning to the top of organizations’ agenda. However, with the right combination of training, processes, technology and services, organizations can reduce and manage this risk.

Conclusion

The threat of QR code phishing, known as Quishing, poses a significant challenge to organizations' cybersecurity. Adversaries are evolving their tactics, making it vital for organizations to adapt.

Preventing Quishing attacks requires a multifaceted approach, including employee training, reporting processes, and advanced email security systems. Combining these strategies, organizations can effectively mitigate the risks associated with this evolving threat.

Steve Jeffery is lead solutions engineer at cybersecurity software and services provider Fortra

Image: Pixabay

You Might Also Read: 

What Is The Difference Between Phishing, Smishing & Vishing?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Domain Phishing: Antidotes In Today’s Market
The Expensive Costs Of HIPAA Noncompliance & How To Avoid Them »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

mile2

mile2

Mile2 develop and deliver proprietary vendor neutral professional certifications for the cyber security industry.

National Defense Industry Association (NDIA)

National Defense Industry Association (NDIA)

The National Defense Industrial Association Cyber Division contributes to US national security by promoting interaction between the cyber defense industry, government and military.

Uniscon

Uniscon

Uniscon is a leading provider of cloud security solutions in Europe.

Engineering Ingegneria Informatica

Engineering Ingegneria Informatica

Ingegneria Informatica is a leading Italian provider of Information Technology consulting, services and solutions including cyber security.

Sensible Vision

Sensible Vision

SensibleVision helps organizations transparently protect data and prevent costly security breaches by constantly verifying the identities of people who use computers or mobile devices.

Trulioo

Trulioo

Trulioo is a leading global identity and business verification company providing secure access to data sources worldwide to instantly verify consumers and businesses online.

Austrian Trust Circle

Austrian Trust Circle

Austrian Trust Circle is an initiative of CERT.at and the Austrian Federal Chancellery and consists of Security Information Exchanges in the areas of the strategic information infrastructure.

Ecubel

Ecubel

Ecubel is the market leader in Belgium in buying and selling used IT harware guaranteed by a certified data erasure.

Korn Ferry

Korn Ferry

Korn Ferry is a global organizational consulting firm, synchronizing strategy and talent to drive superior performance for our clients in key areas including cybersecurity.

Saepio Solutions

Saepio Solutions

Saepio promote an all-encompassing approach to cybersecurity, ensuring the appropriate balance of budget and resource across Policy, Product and People.

Conquest Cyber

Conquest Cyber

Conquest Cyber builds adaptive risk management programs where innovation is most needed – within defense, intelligence, federal civilian agencies and the industrial base that supports them.

Trapp Technology

Trapp Technology

Trapp Technology combines the very best cloud, Internet, IT managed services, and IT consulting to provide a true all-in-one IT solution for small to mid-sized businesses.

BATM Advanced Communications

BATM Advanced Communications

BATM Advanced Communications is a leading provider of real-time technologies for networking and cyber security solutions.

CyberCatch

CyberCatch

CyberCatch provides an innovative cybersecurity Software-as-a-Service (SaaS) platform designed for SMBs.

CyberMontana

CyberMontana

CyberMontana is a statewide initiative providing cybersecurity awareness, training, and workforce development for businesses and residents of Montana.

BBS Technology

BBS Technology

BBS Technology is a company that develops and delivers next-generation cyber security technologies worldwide.