Zero trust, Phishing, Email security

QR codes offer scammers another avenue to circumvent traditional email security

NEW YORK, NEW YORK – JULY 27: A QR code menu is seen on a table at Pizza Secret on July 27, 2021 in the Park Slope neighborhood of the Brooklyn borough in New York City. According to the National Restaurant Association, half of all full-service restaurants in America have added QR code menus since the start of the coronavirus (COVID-19) pande...

A recently discovered phishing campaign leveraged QR codes as a means to bypass malicious link detection mechanisms — and while this particular scam featured some fundamental flaws, the public’s increased use of “quick response” barcodes since the start of the pandemic may be behind their recent abuse in scams.

This use of QR codes in phishing activity is not an entirely novel concept, although Abnormal Security, whose researcher uncovered the campaign, did say that this campaign represented a bit of an evolution of the technique.

“We've seen actors use fake QR codes in the past — QR code images that are actual hyperlinks to a phishing site — and we've seen actors use QR codes out in the real world to try and get people to go to a malicious website, but this is the first time we've seen an actor embed a functional QR code into an email,” said Crane Hassold, director of threat intelligence at Abnormal Security.

The malicious phishing operation, which ran from Sept. 15 through Oct. 13, was disclosed not long after the Better Business Bureau posted its own QR scam alert last July. According to the organization’s warning, some weaponized QR codes are designed to redirect victims to an information or credentials phishing website, while others may trick users into launching a payment app or follow a malicious social media account. 

“These scams differ greatly, but they all have one thing in common. Scammers hope you will scan the code right away, without taking a closer look,” the alert stated.

Phishing scammers are constantly looking for avenues to elude solutions that scan for malicious URLs and attachments, including those employed by secure email gateways and other traditional email security solutions. QR codes are one such option — one that the BBB said it’s been encountering more of lately. And there are two reasons for that.

“First of all, they [QR codes] came back into widespread use due to the pandemic; having touchless options for menus, coupons, and other information helped reduce physical contact and the spread of the virus,” said Katherine Hutt, chief communications officer with the International Association of Better Business Bureaus, Inc. “In addition, virtually all cellphone cameras can now read QR codes without downloading a separate app. Scammers are opportunists; if we’re using QR codes, then of course they are using QR codes.”

And there’s a psychological component to this attack strategy, as well: “We just aren’t as careful about reviewing URLs on our phones as we are on our computers,” Hutt continued.

The QR-based phishing — or “quishing” — scheme detected by Abnormal Security attempted to collect Microsoft credentials, according to a company blog post written by threat intelligence analyst Rachelle Chouinard. The QR codes, in this case, purportedly gave the email recipient access to a missed voicemail.

“All the QR code images were created the same day they were sent, making it unlikely that they have been previously reported and would be recognized by a security blocklist,” stated the report. “In total, six unique profiles were used to send messages for the campaign, with most designed to appear related to the same industry as the target.” The attackers send the emails from compromised Outlook accounts, and hosted the phishing pages by leveraging an enterprise survey service, plus Amazon and Google services.

“The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs,” Chouinard writes in the blog post. “It’s only by understanding that the account is compromised — combined with an understanding of the intent of the email — that this new and fairly innovative attack type can be detected.”

Fortunately, the campaign had a significant logic defect that likely reduced its efficacy: If you open up an email with your phone, what are you using to scan the imagine? “The practical aspects of getting a target to scan a QR code with a separate device seem to create a barrier that would result in a relatively low success rate,” said Hassold.

There are also tactics and technologies companies can employ to identify such scams when they surface.

“By looking at the emails in a more holistic and behavioral manner, these malicious messages can be identified, which is how Abnormal was able to detect them before they reached our customers' inboxes,” said Hassold. Indeed, Abnormal reported blocking nearly 200 emails featuring the malicious QR codes by sniffing out the use of compromised accounts and detecting potentially suspicious activity through the analysis of unique sender data and email content.

“We believe that because phishing is a human and machine problem, the only way to solve it is with a human and machine solution that leverages the power of AI on the machine side, combined with the power of highly targeted training for employees on the human side, added Eyal Benishti, CEO at Ironscales.

Benishti believes “computer vision” technology in particular would be useful for stopping these attacks. “QRs can be easily translated into a link and scanned by email security solutions with computer vision capabilities,” he explained, “so we feel it’s likely a seasonal attack that will diminish as solutions with computer vision are able to detect and thwart the potential attacks.”

“Education is the best preventative measure,” added Hutt, noting that the BBB recently launched a website to help people recognize common scams that they might encounter. 

“Remember, the topics change with whatever is current or in the news, but the tactics themselves are remarkably similar year after year,” Hutt continued. “Generally, scammers are pretending to be someone they are not in order to get money or personally identifiable information from you. If they steal your PII, they can sell it many times over, or they can pretend to be you in order to scam someone else.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.