Understanding The Threat Of QR Codes & Quishing

Uploaded on 2023-10-16 in TECHNOLOGY--Resilience, FREE TO VIEW

Most organizations have security controls in place to inspect URLs in emails to prevent the risk of credential phishing and business email compromise (BEC) attacks. However, adversaries have pivoted their tactics in order to bypass these controls.

Is your organisation ready to adapt to this new challenge?

Unwanted Emails

Organizations have been dealing with unwanted emails for over 20 years. They must find a balance between letting genuine business emails enter the organization and preventing unwanted emails from reaching inboxes. This is easier said than done when the methods used by adversaries are constantly evolving. 

Quishing (QR code phishing) is currently high on the agenda for many organizations as it represents a risk that can bypass existing security controls, therefore the protection relies on the recipient fully understanding the threat and not taking the bait.

How Phishing Works

Attackers attempt to steal login credentials or other useful information from employees by setting up fraudulent websites that mimic the ones they use for their daily activities. For cloud services, it’s relatively easy to convince an employee that they need to enter their organization’s credentials in order to access a website from a URL they have received.     

If an attacker can entice an employee to visit a fraudulent website and enter their credentials, then the attacker can immediately use those credentials to gain access to the organization’s IT resources.

This process can even be automated, so that within seconds of the credential being given, the account has been taken over, the password has been changed, and often 2FA has been enabled on the account to lock out the original user.

Clicking on malicious URLs is still one of the top risks for account takeovers. According to data from Fortra’s PhishLabs in Q2 2023, more than three-quarters of credential theft email attacks contained a link pointing victims to malicious websites.  

What is Quishing? 

Quishing is merely an extension of these phishing attacks. Instead of a hyperlink to a fraudulent or malicious website, the attacker uses a QR code to deliver the URL. Since most email security systems are not reading the contents of the QR codes, it is difficult to prevent the ingress of these messages, hence the rise in the prevalence of this type of attack. 

How to Prevent Quishing Attacks

As with most IT challenges, there is no single answer. A holistic approach that covers people, process and technology will give organizations the best chance of mitigating these types of attacks.

Train Employees

As a high priority, employees should be trained to recognise malicious emails. Training should be ongoing and presented in bite-size modules that are easy to digest and learn from. This should be supplemented with testing/simulation to allow users to see what they have (or have not) learned, and how they can improve. Gamification of challenges and results can be used to engage and improve trainee performance.

It's important there’s a “no-blame” culture – if an employee receives a link (either real or simulated) and they click on it by accident and subsequently realise their mistake, they should feel empowered to notify and give security teams an opportunity to mitigate the risk without fear of repercussions. In a culture of blame, employees will attempt to conceal mistakes and this potentially leads to far greater consequences for the organization.

Reporting Process

Employees should have a clear process for reporting any suspicious emails they receive. These emails need to be evaluated by security experts, and if a risk is identified, it needs to be mitigated quickly. 

Many organizations will encourage employees to report these emails but lack the resources or skills to investigate them effectively. If possible, subscribe to a service that specialises in suspicious email analysis and give employees an easy mechanism to report emails to this service. The service will then expedite emails to the security operations teams for remediation (for example, it might be necessary to retract known emails from all user inboxes). 

In addition, it’s important that the employee is also notified of the result of the analysis (positive or negative) and thanked for making the report. Engaging employees this way will make them more inclined to pay attention to what they are clicking on and report future suspicious emails.

Technology Prevention 

Email security systems should scan for known malicious URLs in incoming emails. Ideally the systems will combine a number of intelligence sources to automatically detect URLs that are known to be “bad” or present a suspicious pattern (for example, uses an IP address instead of a hostname). Once an unwanted URL is detected, the delivery of the email is either completely prevented, or the URL is removed from the email or attachment, effectively “disarming” it before delivery. In light of the quishing risk, this scanning should be extended to URLs which are encoded in QR codes.

Digital Risk Protection (DRP)

Another service to consider is a Digital Risk Protection (DRP). DRP monitors the Internet for websites used in credential theft phishing and takes them offline. This is a proactive service that reduces risk and prevents phishing attacks before they can happen. 

Close the Vulnerability Gaps

Malicious URLs have been a concern for several years, but the combination of the rise in credential theft phishing attacks, and the ease of creating and using QR codes with embedded malicious URLs, means that this attack vector is returning to the top of organizations’ agenda. However, with the right combination of training, processes, technology and services, organizations can reduce and manage this risk.

Conclusion

The threat of QR code phishing, known as Quishing, poses a significant challenge to organizations' cybersecurity. Adversaries are evolving their tactics, making it vital for organizations to adapt.

Preventing Quishing attacks requires a multifaceted approach, including employee training, reporting processes, and advanced email security systems. Combining these strategies, organizations can effectively mitigate the risks associated with this evolving threat.

Steve Jeffery is lead solutions engineer at cybersecurity software and services provider Fortra

Image: Pixabay

You Might Also Read: 

What Is The Difference Between Phishing, Smishing & Vishing?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Domain Phishing: Antidotes In Today’s Market
The Expensive Costs Of HIPAA Noncompliance & How To Avoid Them »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Seclore

Seclore

Seclore is the most advanced, secure, and automated Enterprise Digital Rights Management (EDRM) solution available.

We Watch Your Website

We Watch Your Website

We Watch Your Website provide website monitoring, protection, malware removal and root cause analysis services to help you keep your website secure.

Information-Technology Promotion Agency (IPA) - Japan

Information-Technology Promotion Agency (IPA) - Japan

IPA is an implementing agency in Japan with a role to address Information Security, IT Systems Reliability and IT Resource Development.

Steganos

Steganos

Steganos offers highly secure and easy to use software tools that protect and secure on and offline data.

Kuratorium Sicheres Österreich (KSO)

Kuratorium Sicheres Österreich (KSO)

KSO is an independent non-profit association that has set itself the goal of making Austria safer as a national networking and information platform for topics of internal security.

Honeywell Process Solutions (HPS)

Honeywell Process Solutions (HPS)

Honeywell's Industrial Cyber Security Solutions help plants and critical infrastructure sectors defend the availability, reliability and safety of their industrial control systems.

Salt Security

Salt Security

Salt Security protects the APIs that are the core of every SaaS, web, mobile, microservices and IoT application.

OriginalMy

OriginalMy

OriginalMy is a cybersecurity startup, focussed on digital governance and information authentication. Its mission is to prove authenticity using state-of-the-art cryptography and blockchain technology

BCN Group

BCN Group

BCN Group is an agile IT solutions provider. We are experts in delivering and managing business-critical technology solutions.

Pacific Global Security Group

Pacific Global Security Group

Pacific Global Security Group offers an intelligence-driven focus on all aspects of cybersecurity for IT/ICS/OT.

AMSYS Innovative Solutions

AMSYS Innovative Solutions

AMSYS is a full-service, 24/7/365 IT solutions, Cybersecurity & Managed Service Provider.

BCyber

BCyber

BCyber is a Swiss Cyber Security company that provides security products, training, and managed services to protect diverse IT and OT environments against cyber, physical, and cyber-physical threats.

SpireTec Solutions

SpireTec Solutions

SpireTec Solutions is an IT management training company offering 1500+ courses with state of art training facilities backed by a team of industry experts in various domains including cybersecurity.

BioID

BioID

BioID are a German company offering deepfake detection, liveness detection, facial authentication & identity verification as a Service. 

RST Cloud

RST Cloud

RST Cloud is a cutting-edge technology company that specialises in threat intelligence solutions for businesses of all sizes.

BlackSwan Technologies

BlackSwan Technologies

BlackSwan Technologies is reinventing enterprise software through Agile Intelligence for the Enterprise – a fusion of data, artificial intelligence, and cloud technologies.