By Roy Maurer
A workplace phishing campaign armed with malicious QR codes has been spreading for months, according to the cybersecurity firm that uncovered it.
The campaign, discovered by Cofense in May, spoofs Microsoft security alerts directing employees to update their account’s security settings. The QR codes and redirect links send users to a phony web page to steal their Microsoft credentials.
Cofense reported that the campaign targeted multiple industries, including a major unnamed U.S. energy company. The volume of the campaign has increased by more than 2,400 percent since May and is still ongoing.
Evidence suggests QR code phishing attacks have escalated since the COVID-19 pandemic.
“Following the pandemic and scanning QR codes at restaurants, people have become very comfortable with scanning QR codes, don’t think twice about it and don’t fully grasp the risk associated with a malicious QR code,” said Linn Freedman, a partner in the Providence, R.I., office of law firm Robinson and Cole and chair of the firm’s Data Privacy and Cybersecurity Team.
She added that “it is important to understand that just like malicious code embedded in a link or an attachment in an email or text—which we have been trained not to click on—a threat actor can embed malicious code into a QR code with the same results.”
QR codes in phishing emails are not typical. It’s awkward, said Stu Sjouwerman, CEO of KnowBe4, a security awareness training provider in Tampa, Fla. “Despite this lack of reasoning as to why this should work, we see that this type of social engineering works anyway, otherwise the cybercriminals wouldn’t be using this method.”
But the advantage for cyberthieves is that QR codes can more easily bypass secure email gateways, which aren’t able to scan the image the way they scan suspicious links.
These types of attacks are insidious for a couple of obvious reasons, Sjouwerman said.
“I’m not aware of any security solution that can follow a QR code-based URL to determine if the resulting URL is malicious or not,” he said. “And it shifts the actual threat action to another device [the employee’s mobile phone]—specifically one that has far less protections than a user’s endpoint.”
The Bottom Line
Educating employees is the best defense against any type of phishing. “Employees must be trained not to scan QR codes, received by email or text, and to alert the IT department if one is received,” Freedman said. “Everyone should treat QR codes with a high degree of suspicion, just like a suspicious text or email.”
Employees should follow the same basic guidelines to minimize the risk related to more traditional phishing attacks, including being alert to messages requiring urgent action; confirming with the purported source of the message if it seems suspicious; previewing the QR code’s URL to see if it appears legitimate; and not entering personal information or login credentials to unfamiliar pages.
