Understanding The Threat Of QR Codes & Quishing

Uploaded on 2023-10-16 in TECHNOLOGY--Resilience, FREE TO VIEW

Most organizations have security controls in place to inspect URLs in emails to prevent the risk of credential phishing and business email compromise (BEC) attacks. However, adversaries have pivoted their tactics in order to bypass these controls.

Is your organisation ready to adapt to this new challenge?

Unwanted Emails

Organizations have been dealing with unwanted emails for over 20 years. They must find a balance between letting genuine business emails enter the organization and preventing unwanted emails from reaching inboxes. This is easier said than done when the methods used by adversaries are constantly evolving. 

Quishing (QR code phishing) is currently high on the agenda for many organizations as it represents a risk that can bypass existing security controls, therefore the protection relies on the recipient fully understanding the threat and not taking the bait.

How Phishing Works

Attackers attempt to steal login credentials or other useful information from employees by setting up fraudulent websites that mimic the ones they use for their daily activities. For cloud services, it’s relatively easy to convince an employee that they need to enter their organization’s credentials in order to access a website from a URL they have received.     

If an attacker can entice an employee to visit a fraudulent website and enter their credentials, then the attacker can immediately use those credentials to gain access to the organization’s IT resources.

This process can even be automated, so that within seconds of the credential being given, the account has been taken over, the password has been changed, and often 2FA has been enabled on the account to lock out the original user.

Clicking on malicious URLs is still one of the top risks for account takeovers. According to data from Fortra’s PhishLabs in Q2 2023, more than three-quarters of credential theft email attacks contained a link pointing victims to malicious websites.  

What is Quishing? 

Quishing is merely an extension of these phishing attacks. Instead of a hyperlink to a fraudulent or malicious website, the attacker uses a QR code to deliver the URL. Since most email security systems are not reading the contents of the QR codes, it is difficult to prevent the ingress of these messages, hence the rise in the prevalence of this type of attack. 

How to Prevent Quishing Attacks

As with most IT challenges, there is no single answer. A holistic approach that covers people, process and technology will give organizations the best chance of mitigating these types of attacks.

Train Employees

As a high priority, employees should be trained to recognise malicious emails. Training should be ongoing and presented in bite-size modules that are easy to digest and learn from. This should be supplemented with testing/simulation to allow users to see what they have (or have not) learned, and how they can improve. Gamification of challenges and results can be used to engage and improve trainee performance.

It's important there’s a “no-blame” culture – if an employee receives a link (either real or simulated) and they click on it by accident and subsequently realise their mistake, they should feel empowered to notify and give security teams an opportunity to mitigate the risk without fear of repercussions. In a culture of blame, employees will attempt to conceal mistakes and this potentially leads to far greater consequences for the organization.

Reporting Process

Employees should have a clear process for reporting any suspicious emails they receive. These emails need to be evaluated by security experts, and if a risk is identified, it needs to be mitigated quickly. 

Many organizations will encourage employees to report these emails but lack the resources or skills to investigate them effectively. If possible, subscribe to a service that specialises in suspicious email analysis and give employees an easy mechanism to report emails to this service. The service will then expedite emails to the security operations teams for remediation (for example, it might be necessary to retract known emails from all user inboxes). 

In addition, it’s important that the employee is also notified of the result of the analysis (positive or negative) and thanked for making the report. Engaging employees this way will make them more inclined to pay attention to what they are clicking on and report future suspicious emails.

Technology Prevention 

Email security systems should scan for known malicious URLs in incoming emails. Ideally the systems will combine a number of intelligence sources to automatically detect URLs that are known to be “bad” or present a suspicious pattern (for example, uses an IP address instead of a hostname). Once an unwanted URL is detected, the delivery of the email is either completely prevented, or the URL is removed from the email or attachment, effectively “disarming” it before delivery. In light of the quishing risk, this scanning should be extended to URLs which are encoded in QR codes.

Digital Risk Protection (DRP)

Another service to consider is a Digital Risk Protection (DRP). DRP monitors the Internet for websites used in credential theft phishing and takes them offline. This is a proactive service that reduces risk and prevents phishing attacks before they can happen. 

Close the Vulnerability Gaps

Malicious URLs have been a concern for several years, but the combination of the rise in credential theft phishing attacks, and the ease of creating and using QR codes with embedded malicious URLs, means that this attack vector is returning to the top of organizations’ agenda. However, with the right combination of training, processes, technology and services, organizations can reduce and manage this risk.

Conclusion

The threat of QR code phishing, known as Quishing, poses a significant challenge to organizations' cybersecurity. Adversaries are evolving their tactics, making it vital for organizations to adapt.

Preventing Quishing attacks requires a multifaceted approach, including employee training, reporting processes, and advanced email security systems. Combining these strategies, organizations can effectively mitigate the risks associated with this evolving threat.

Steve Jeffery is lead solutions engineer at cybersecurity software and services provider Fortra

Image: Pixabay

You Might Also Read: 

What Is The Difference Between Phishing, Smishing & Vishing?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Domain Phishing: Antidotes In Today’s Market
The Expensive Costs Of HIPAA Noncompliance & How To Avoid Them »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

Join our experts as they give the insights you need to power your Security Information and Event Management (SIEM).

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Lanner Electronics

Lanner Electronics

Lanner Electronics is a leading hardware provider for advanced network appliances and industrial automation solutions including cyber security.

SlashNext

SlashNext

The SlashNext Internet Access Protection System (IAPS) provides Zero-Day protection against all internet access threats including Social Engineering & Phishing, Malware, Exploits and Callback Attacks.

Centro de Gestion de Incidentes Informaticos (CGII)

Centro de Gestion de Incidentes Informaticos (CGII)

CGII is the Computer Incident Management Center of the State of Bolivia.

Carbide

Carbide

Carbide (formerly Securicy) breaks down enterprise-class security and privacy requirements and makes them accessible to, and achievable by, companies of all sizes.

Cyber Threat Alliance

Cyber Threat Alliance

CTA is working to improve cybersecurity of our digital ecosystem by enabling near real-time cyber threat information sharing among companies and organizations in the cybersecurity field.

e-End

e-End

e-End provides hard drive shredding, degaussing and data destruction solutions validated by the highest electronic certifcations to keep you compliant with GLB, SOX, FACTA, FISMA, HIPAA, COPPA, ITAR.

ProWriters

ProWriters

As a leading cyber insurance company, ProWriters offers flexible Cyber Liability Insurance coverage designed to cover privacy, data, and network exposures.

Cyber Pop-Up

Cyber Pop-Up

Cyber Pop-Up provide on-demand access to top security experts. No recruiting. No onboarding. No overhead costs.

Sygnia

Sygnia

Sygnia is a cyber technology and services company, providing high-end consulting and incident response support for organizations worldwide.

ClearVector

ClearVector

ClearVector is a leading provider of realtime, identity-driven security for the cloud.

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

iVision

iVision

iVision is a technology integration and management firm that engineers success for clients through objective recommendations, process and technology expertise and best-of-breed guidance.

Velum Labs

Velum Labs

Velum Labs is a cyber intelligence company that provides simple and non-intrusive, cloud and cyber intelligence solutions; built from a market-leading understanding of cyber-attack methodology.

Network Contagion Research Institute (NCRI)

Network Contagion Research Institute (NCRI)

NCRI provides pioneering technology, research, and analysis to identify and forecast cyber-social threats targeting individuals, organizations, and communities.

Ironblocks

Ironblocks

Ironblocks is a pioneering cybersecurity firm that specializes in delivering comprehensive, end-to-end security solutions for the rapidly evolving Web3 ecosystem.

ETI-NET

ETI-NET

ETI-NET is the worldwide leader in managing critical data for industries that never stop.