A new phishing campaign has been detected that uses QR codes to hide the hyperlink to a phishing webpage. This tactic bypasses security solutions that search for potentially malicious URLs, and because the link is contained in a QR code, the recipient must switch from the business network to their mobile phone to view the document.
The corporate network may have a web filter, sandboxes, and other cybersecurity protections to prevent users from visiting phishing websites. Mobile devices, on the other hand, usually have little to no security to protect against phishing attacks, so it is unlikely that the phishing website will be detected as malicious. The aim of the campaign is to obtain login credentials for AOL, Microsoft and other accounts.
Not only does this tactic bypass security protections, but because the original email was work-related, it is highly likely that when the user logs in, they will do so with their corporate account credentials. That will give the hackers access to a much more valuable account.
The campaign starts with an email claiming to be a SharePoint collaboration request. The email has the subject line, “Review Important Document,” but instead of an attachment, there is an image containing a QR code that the recipient must scan in order to view the document. The email contains the branding for Cofense to add legitimacy to the request.
Cofense detected and analyzed the campaign. If the code is scanned, the user will be directed to a SharePoint-related website. The website has been optimized for mobile devices and users are requested to sign in with their preferred account. Any information entered will be captured by the attackers.
This is not the first time that hackers have used QR codes to fool security solutions. A similar campaign was detected by VadeSecure in 2016, which was likewise able to evade detection by not giving security solutions a URL to assess. The tactic, known as QRishing, was first described in 2012 in a study by Carnegie Mellon University’s CyLab, which explored the vulnerabilities of smartphones to QR phishing attacks.
With security solutions struggling to detect these emails as malicious, it is important for this type of phishing attack to be covered in security awareness training sessions and cybersecurity communications.
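The detection gap described above can be shown with a mail-triage heuristic. This is an added example, not code from the original article or from Cofense: the `triage` function, its rule, and the sample message are assumptions constructed for illustration. A URL scan of the message finds nothing to assess, so the rule holds image-only "scan" lures for image analysis instead of passing them as clean.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(scan|qr\s*code)\b", re.I)

# Constructed sample modelled on the lure described above (not a captured message).
SAMPLE_EML = """\
From: sender@example.com
To: user@example.org
Subject: Review Important Document
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Scan the QR code below to view the document.</p>
<img src="cid:qr1"></body></html>
--b1
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <qr1>

iVBORw0KGgo=
--b1--
"""

def triage(raw):
    """Return what a URL scanner sees and whether the mail needs image analysis."""
    msg = message_from_string(raw, policy=policy.default)
    urls, images, text = [], 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            text.append(body)
            urls += URL_RE.findall(body)
    lure = bool(LURE_RE.search(" ".join(text)))
    # Assumed rule: an image, "scan" wording and no URL for a link scanner
    # to assess means the image should be decoded before delivery.
    return {"urls": urls, "images": images, "lure": lure,
            "needs_image_scan": images > 0 and not urls and lure}
```

Messages flagged with `needs_image_scan` would be passed to a QR decoder so that the embedded link can go through the same URL checks as any other hyperlink.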