Understanding The Threat Of QR Codes & Quishing

Uploaded on 2023-10-16 in TECHNOLOGY--Resilience, FREE TO VIEW

Most organizations have security controls in place to inspect URLs in emails to prevent the risk of credential phishing and business email compromise (BEC) attacks. However, adversaries have pivoted their tactics in order to bypass these controls.

Is your organisation ready to adapt to this new challenge?

Unwanted Emails

Organizations have been dealing with unwanted emails for over 20 years. They must find a balance between letting genuine business emails enter the organization and preventing unwanted emails from reaching inboxes. This is easier said than done when the methods used by adversaries are constantly evolving. 

Quishing (QR code phishing) is currently high on the agenda for many organizations as it represents a risk that can bypass existing security controls, therefore the protection relies on the recipient fully understanding the threat and not taking the bait.

How Phishing Works

Attackers attempt to steal login credentials or other useful information from employees by setting up fraudulent websites that mimic the ones they use for their daily activities. For cloud services, it’s relatively easy to convince an employee that they need to enter their organization’s credentials in order to access a website from a URL they have received.     

If an attacker can entice an employee to visit a fraudulent website and enter their credentials, then the attacker can immediately use those credentials to gain access to the organization’s IT resources.

This process can even be automated, so that within seconds of the credential being given, the account has been taken over, the password has been changed, and often 2FA has been enabled on the account to lock out the original user.

Clicking on malicious URLs is still one of the top risks for account takeovers. According to data from Fortra’s PhishLabs in Q2 2023, more than three-quarters of credential theft email attacks contained a link pointing victims to malicious websites.  

What is Quishing? 

Quishing is merely an extension of these phishing attacks. Instead of a hyperlink to a fraudulent or malicious website, the attacker uses a QR code to deliver the URL. Since most email security systems are not reading the contents of the QR codes, it is difficult to prevent the ingress of these messages, hence the rise in the prevalence of this type of attack. 

How to Prevent Quishing Attacks

As with most IT challenges, there is no single answer. A holistic approach that covers people, process and technology will give organizations the best chance of mitigating these types of attacks.

Train Employees

As a high priority, employees should be trained to recognise malicious emails. Training should be ongoing and presented in bite-size modules that are easy to digest and learn from. This should be supplemented with testing/simulation to allow users to see what they have (or have not) learned, and how they can improve. Gamification of challenges and results can be used to engage and improve trainee performance.

It's important there’s a “no-blame” culture – if an employee receives a link (either real or simulated) and they click on it by accident and subsequently realise their mistake, they should feel empowered to notify and give security teams an opportunity to mitigate the risk without fear of repercussions. In a culture of blame, employees will attempt to conceal mistakes and this potentially leads to far greater consequences for the organization.

Reporting Process

Employees should have a clear process for reporting any suspicious emails they receive. These emails need to be evaluated by security experts, and if a risk is identified, it needs to be mitigated quickly. 

Many organizations will encourage employees to report these emails but lack the resources or skills to investigate them effectively. If possible, subscribe to a service that specialises in suspicious email analysis and give employees an easy mechanism to report emails to this service. The service will then expedite emails to the security operations teams for remediation (for example, it might be necessary to retract known emails from all user inboxes). 

In addition, it’s important that the employee is also notified of the result of the analysis (positive or negative) and thanked for making the report. Engaging employees this way will make them more inclined to pay attention to what they are clicking on and report future suspicious emails.

Technology Prevention 

Email security systems should scan for known malicious URLs in incoming emails. Ideally the systems will combine a number of intelligence sources to automatically detect URLs that are known to be “bad” or present a suspicious pattern (for example, uses an IP address instead of a hostname). Once an unwanted URL is detected, the delivery of the email is either completely prevented, or the URL is removed from the email or attachment, effectively “disarming” it before delivery. In light of the quishing risk, this scanning should be extended to URLs which are encoded in QR codes.

Digital Risk Protection (DRP)

Another service to consider is a Digital Risk Protection (DRP). DRP monitors the Internet for websites used in credential theft phishing and takes them offline. This is a proactive service that reduces risk and prevents phishing attacks before they can happen. 

Close the Vulnerability Gaps

Malicious URLs have been a concern for several years, but the combination of the rise in credential theft phishing attacks, and the ease of creating and using QR codes with embedded malicious URLs, means that this attack vector is returning to the top of organizations’ agenda. However, with the right combination of training, processes, technology and services, organizations can reduce and manage this risk.

Conclusion

The threat of QR code phishing, known as Quishing, poses a significant challenge to organizations' cybersecurity. Adversaries are evolving their tactics, making it vital for organizations to adapt.

Preventing Quishing attacks requires a multifaceted approach, including employee training, reporting processes, and advanced email security systems. Combining these strategies, organizations can effectively mitigate the risks associated with this evolving threat.

Steve Jeffery is lead solutions engineer at cybersecurity software and services provider Fortra

Image: Pixabay

You Might Also Read: 

What Is The Difference Between Phishing, Smishing & Vishing?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Domain Phishing: Antidotes In Today’s Market
The Expensive Costs Of HIPAA Noncompliance & How To Avoid Them »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Sophos

Sophos

Sophos is a worldwide leader in next-generation cybersecurity, protecting more than 400,000 organizations of all sizes in more than 150 countries from today’s most advanced cyberthreats.

NETAS

NETAS

Netas offers solutions in information and communication technologies including end-to-end value added solutions, system integration and technology services to providers and corporations.

Elitecyber Group

Elitecyber Group

Elitecyber group is a team of Cyber Security recruitment experts who work for Cyber Security and Cyber Defence clients and candidates throughout Europe.

S2T

S2T

S2T builds cyber intelligence solutions based on deep expertise in diverse domains such as intelligence, machine learning and AI, big data processing, statistics and linguistics.

ArcRan Information Technology

ArcRan Information Technology

ArcRan concentrates on developing comprehensive cybersecurity solutions for smart city applications. We believe that cybersecurity is the fundamental enabler of IoT development.

VikingCloud

VikingCloud

VikingCloud (formerly Sysnet Global Solutions) offers organizations an integrated cybersecurity and compliance solution to make informed, predictive, and cost-effective risk mitigation and prevention

KT Secure

KT Secure

KTSecure’s mission is to provide proven and productive cyber security solutions and managed services, backed by our highly qualified and passionate team of experts.

TopSOC Information Security

TopSOC Information Security

TopSOC Information Security provide a wide range of security consultation, implementation and training services.

NetApp

NetApp

The NetApp portfolio includes intelligent cloud services, data services, and storage infrastructure that helps organizations manage applications and data everywhere across hybrid cloud environments.

Buguard

Buguard

Buguard is a multi-award-winning supplier of Application Security Assessments and GRC services.

DataGuard

DataGuard

DataGuard is a security and compliance software company trusted by organisations across the globe.

StrongDM

StrongDM

StrongDM is the leader in Zero Trust Privileged Access Management (PAM).

Staris

Staris

Human based defense is dead. Staris is reinventing application security for an increasingly AI driven world.

EpicCyber

EpicCyber

Since 2011, Epic Cyber has pioneered the integration of enterprise cloud technology.

ALSO Group

ALSO Group

ALSO is one of the leading technology providers for the ICT industry currently active in 31 countries in Europe and in many countries worldwide via PaaS (Platform as a Service) partners.

Maximus

Maximus

Maximus is a trusted service delivery partner and architect of government technology solutions, we empower communities by ensuring seamless and equitable access to government services.