QR codes, those ubiquitous black and white squares that promise instant access to websites, coupons, and menus, have become a staple of our digital lives. But lurking beneath their seemingly harmless exterior lies a growing threat: Quishing, a sophisticated phishing technique designed to steal your personal information and infiltrate corporate systems.
Quishing embeds a malicious link in a QR code. A QR code is nothing more than a machine-readable encoding of text, usually a URL, so the victim sees an opaque square rather than a link and has no easy way to inspect the destination before the phone opens it. When scanned, the code can send you to a fake website that mimics a legitimate one and tricks you into entering login credentials, credit card details, or other sensitive data. Attackers then use that stolen information for identity theft, financial fraud, or as a foothold for further attacks on the victim's employer.
Quishing alert: Experts advise caution when scanning QR codes
Experts sound the alarm as “Quishing” attacks skyrocket. Kern Smith, vice president of US pre-sales at Zimperium, observes a “rapid increase in targeted attacks on mobile devices, many of which are phishing attacks.” He explains, “Attackers know mobile devices are the most vulnerable to phishing,” making QR codes the perfect Trojan horse.
ReliaQuest, a security company, reported a 51% increase in Quishing attacks compared with the previous eight months, which it attributes to the ubiquity of smartphone QR scanners and to users' habit of scanning codes without questioning where they lead.
Shyava Tripathi, a Trellix researcher, emphasizes the seriousness of the threat: “QR code-based attacks are nothing new, but they are becoming increasingly common in sophisticated campaigns targeting businesses and consumers.” Trellix alone discovered more than 60,000 malicious QR code patterns in just one quarter.
Steve Jeffery, principal solutions engineer at Fortra, highlights the Quishing challenge for organizations. “It represents a risk that can bypass existing security controls,” necessitating user awareness and caution. He cites data showing three-quarters of credential theft email attacks used malicious links, with “Quishing acting as an extension.”
Inquiry for Credentials
Mike Britton, CISO at Abnormal Security, reinforces the severity of the problem. His company’s data found QR codes in 17% of all attacks bypassing spam filters, with 80% targeting credentials. He explains, “Unlike traditional attacks, QR codes evade detection by containing minimal text and hiding URLs, making them ideal for bypassing traditional security tools.”
Embedded QR dangers
Randy Pargman, director of threat detection at Proofpoint, adds another layer of concern. Malicious actors leverage QR codes to access personal information on phones “that cannot be monitored by the security team,” making detection and mitigation particularly challenging for companies.
Nicole Carignan, vice president of strategic cyber AI at Darktrace, points to the evolving sophistication of Quishing attacks. “Traditional solutions scan for malicious links in easy-to-access places,” she notes. “Hard image recognition techniques are needed to detect QR codes and their targets.”
Best Practices for QR Code Security
Carignan said Darktrace research has found that Quishing attacks often combine highly personalized targeting with newly created sender domains, making the emails less likely to be caught by traditional email security measures.
Many services ask users to scan a QR code when enrolling an authenticator app for two-factor authentication, so employees are used to seeing such codes in legitimate account emails. Attackers now mimic that enrollment process: a lure that claims the recipient must "finish setting up" or "re-verify" their MFA carries a QR code that leads to a credential-harvesting page, and because the message body contains no clickable link, it slips past traditional secure email solutions that inspect links in text.
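The detection gap described above sits after the image has been decoded: once a QR code in an email or on a poster has been turned back into text, the question is whether that text is what it claims to be. The following triage routine is an added example written for this page, not code from the article or from any of the vendors quoted in it. It assumes a decoder such as zbar has already produced the payload string (the decoding step is left out), and the brand list, domain allow-list, shortener list, redirect-parameter names and sample payloads are all constructed for illustration. It distinguishes a genuine authenticator enrollment payload (an `otpauth://` URI) from a web link, and flags the tell-tale signs of a credential lure in a URL: credentials before the host, a raw IP host, punycode labels, a brand name sitting outside that brand's own domain, URL shorteners, and open-redirect style parameters.

```python
"""Triage of decoded QR-code payloads (added example; not the article's code).

Assumes a QR decoder has already turned the image into a string. The lists
below are illustrative assumptions, not a vendor's real detection rules.
"""
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Brand names an attacker would impersonate in a credential lure (assumption).
WATCHED_BRANDS = ("microsoft", "okta", "google", "paypal")
# Registered domains allowed to carry those brand names (assumption).
ALLOWED_DOMAINS = {"microsoft.com", "microsoftonline.com", "okta.com",
                   "google.com", "paypal.com"}
# Shorteners that hide the final destination from the person scanning (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Query keys commonly abused as open redirects (assumption).
REDIRECT_KEYS = {"url", "redirect", "redirect_uri", "next", "return",
                 "returnurl", "rurl", "goto"}


def registered_domain(host):
    """Crude last-two-labels approximation of the registered domain.

    A production check would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(payload):
    """Return (verdict, reasons) for one decoded QR payload string.

    verdict is one of "otp-enrolment", "non-url", "url-ok", "url-suspicious".
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # A real authenticator enrolment code is an otpauth URI handled by the
    # authenticator app; it never opens a browser. An "MFA setup" QR that
    # decodes to an https link is therefore already off-script.
    if scheme == "otpauth":
        return "otp-enrolment", ["otpauth URI consumed by the authenticator app"]
    if scheme not in ("http", "https"):
        return "non-url", [f"scheme {scheme or '(none)'} does not open a web page"]

    reasons = []
    netloc = parts.netloc.lower()
    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host")
    if scheme == "http":
        reasons.append("plain http")
    # user:pass@ in the authority pushes the real host out of the visible URL.
    if "@" in netloc:
        reasons.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label in host")
    if host.count(".") >= 4:
        reasons.append("deeply nested hostname")
    reg = registered_domain(host)
    if reg in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    for brand in WATCHED_BRANDS:
        if brand in netloc and reg not in ALLOWED_DOMAINS:
            reasons.append(f"brand '{brand}' outside its own domain ({reg})")
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in REDIRECT_KEYS and any(v.lower().startswith("http") for v in values):
            reasons.append(f"redirect parameter '{key}' points at another URL")
    return ("url-suspicious" if reasons else "url-ok"), reasons


# Constructed sample payloads, as a decoder would hand them over.
SAMPLE_PAYLOADS = [
    "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft.com.login-verify.example/reauth?user=alice",
    "http://192.0.2.10/mfa",
    "https://www.okta.com@198.51.100.7/login",
    "https://docs.example/open?url=https://evil.example/login",
    "https://bit.ly/3abc",
    "WIFI:T:WPA;S:Lobby;P:secret;;",
]


def triage_all(payloads):
    """Map each payload to its (verdict, reasons) pair."""
    return {p: triage(p) for p in payloads}


if __name__ == "__main__":
    for payload, (verdict, reasons) in triage_all(SAMPLE_PAYLOADS).items():
        print(f"{verdict:15} {payload}")
        for r in reasons:
            print(f"{'':15}   - {r}")
```

The `otpauth` branch is the point of the enrollment lure: a genuine MFA setup never routes through a browser, so any "finish your MFA setup" QR that decodes to a web link deserves suspicion regardless of how the page looks. The domain split is a two-label approximation, so hosts under suffixes such as `co.uk` would be misjudged; a deployed version should use a Public Suffix List library and the organization's own list of brands and domains.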
There are many technical solutions aimed at addressing potential QR-code-based attacks, but a simple rule may be sufficient for many individuals.
So, how can you stay safe in the age of Quishing?
Christopher Budd, head of the X-Ops team at Sophos, offers a simple rule of thumb: “Ask yourself: Could this QR code be published by an attacker somewhere?” If the source is unknown or suspicious, resist the urge to scan it.
Remember: trust is key. Only scan QR codes from verified and reliable sources, and read the decoded URL that most phone camera apps preview before you tap through. When in doubt, fall back on traditional methods: type the organization's address yourself or install apps directly from the official app store rather than from a scanned link.
By staying vigilant and informed, we can navigate the digital landscape safely and avoid falling prey to the hidden dangers lurking within those seemingly harmless squares.