A significant phishing campaign employing QR codes has recently come to light, with a major US-based energy company as one of the primary targets.
The campaign, which began in May 2023, has witnessed a 2400% surge in volume since then, underscoring the urgency of addressing this emerging threat.
Cybersecurity company Cofense has been closely monitoring this campaign. In an advisory published on Wednesday, the company said that over 29% of the malicious emails, numbering more than 1000, were directed at the energy sector giant. Other industries also fell victim, with manufacturing, insurance, technology and financial services companies accounting for a combined 37% of the attacks.
The attackers’ modus operandi involves sending emails masquerading as Microsoft security notifications. These emails contain PNG or PDF attachments, enticing users to scan QR codes purportedly for enhanced security measures.
While QR codes have traditionally been seen as a limited attack vector due to user interaction requirements, the malicious actors have ingeniously utilized them to bypass security measures and increase the likelihood of successful phishing attempts.
“This is a worrying campaign that demonstrates how criminals are testing the use of QR codes to make phishing scams appear more realistic,” said My1Login CEO, Mike Newman.
“When people receive these emails, they are more likely to fall for them because QR codes won’t contain the typical signs, such as spelling and language errors, that an email could be suspicious. It’s also a novel attack vector that users are unlikely to be aware of.”
In fact, the QR codes embedded in the emails redirect users to seemingly legitimate domains, such as Bing and Salesforce, which have been weaponized to carry out the attacks.
Cofense recommended a multi-faceted approach to combat this new wave of attacks. Employing QR code scanners and image recognition technology can serve as an initial line of defense, but user education remains paramount.
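As an added example (not code from Cofense or from the original article), this is one check a QR scanning pipeline could run on a URL after decoding it from an attachment: report when a host that domain reputation would allow, such as Bing or Salesforce, only forwards the user to a different host. The QR decoding step is assumed to have already happened, and the function names, the `/redirect` path, the `target` parameter and the `example.test` destination are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: domains a reputation-based filter would allow (the article's two examples).
TRUSTED_SUFFIXES = ("bing.com", "salesforce.com")

# Constructed sample of a decoded QR payload; not a real endpoint or indicator.
CONSTRUCTED_SAMPLE = "https://www.bing.com/redirect?target=https%3A%2F%2Flogin.example.test%2Fmfa"


def _embedded_url(value, max_rounds=3):
    """Return value as an absolute http(s) URL, undoing repeated percent-encoding."""
    for _ in range(max_rounds):
        try:
            parts = urlsplit(value.strip())
        except ValueError:
            return None
        if parts.scheme in ("http", "https") and parts.hostname:
            return value.strip()
        decoded = unquote(value)
        if decoded == value:
            return None
        value = decoded
    return None


def triage_qr_url(url):
    """Report whether a URL decoded from a QR image forwards to another host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {
        "host": host,
        "trusted_host": any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES),
        "redirect_param": None,
        "final_host": None,
    }
    for name, value in parse_qsl(parts.query):
        inner = _embedded_url(value)
        if inner is None:
            continue
        inner_host = (urlsplit(inner).hostname or "").lower()
        if inner_host != host:  # same-host "next page" parameters are not flagged
            result.update(redirect_param=name, final_host=inner_host)
            break
    return result


def trusted_host_is_only_a_hop(url):
    """True when an allowed domain carries a link that lands on a different host."""
    r = triage_qr_url(url)
    return r["trusted_host"] and r["final_host"] is not None
```

A filter that scores only the first host would pass `CONSTRUCTED_SAMPLE`; this check surfaces the real destination so it can be scored instead.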
“Not all security controls can identify malicious QR codes. Not all organizations are even aware this may be a method that the malicious actors can leverage to breach their security portfolio,” explained Avishai Avivi, CISO at SafeBreach. “Evading security controls can represent a significant risk to organizations that assume their security controls are sufficient.”
Encouraging employees not to scan QR codes from unsolicited emails can therefore play a pivotal role in safeguarding corporate and individual security. As this campaign showcases the evolving tactics of cyber-criminals, swift adaptation and robust defenses are crucial to thwart future attacks.