
A research team from notable cybersecurity firm Cofense has discovered a sophisticated phishing campaign strategically targeting a prominent energy company based in the United States.
According to a report by Cofense, this orchestrated attack employs a novel approach, utilizing QR codes to infiltrate unsuspecting victims’ inboxes and circumvent traditional security measures. The targeted energy company remains unnamed by Cofense.
Approximately 29% of the 1,000 malicious emails traced back to this campaign were directed at a significant US energy company. The remaining attacks were distributed across various sectors, including manufacturing (15%), insurance (9%), technology (7%), and financial services (6%).
This campaign marks a notable departure from conventional phishing tactics, as Cofense highlights that it is the first recorded instance of QR codes being leveraged at such a scale. The incorporation of QR codes into phishing emails suggests a potential shift in cybercriminal strategies, with attackers seeking to test the efficacy of this new attack vector.
The attack begins with deceptive phishing emails, masquerading as urgent messages related to Microsoft 365 account settings. These emails contain attachments in the form of PNG or PDF files, each containing a QR code that prompts recipients to scan it for account verification. The emails emphasize a narrow timeframe of 2-3 days, adding an element of urgency to manipulate recipients into taking immediate action.
The ingenious use of QR codes embedded within images allows attackers to bypass conventional email security controls designed to detect known malicious links. This clever evasion technique enables phishing messages to land in recipients’ inboxes. To further complicate detection, the QR codes employed in this campaign exploit redirects through reputable platforms like Bing, Salesforce, and Cloudflare’s Web3 services, ultimately leading victims to a counterfeit Microsoft 365 login page.
The attackers can sidestep detection and subvert email protection filters by concealing the redirection URL within the QR code, abusing legitimate services, and utilizing base64 encoding for the phishing link.
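For defenders, the combination described above (a reputable redirector host carrying a base64-encoded destination) can be checked once the QR code has been decoded to a URL string. The following is an added example, not code from Cofense or this article; the host suffixes, the `u` parameter and the sample URL are constructed assumptions.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Assumption: illustrative host suffixes for the services the article names.
REDIRECTOR_SUFFIXES = ("bing.com", "salesforce.com", "cloudflare-ipfs.com")
SCHEMES = ("http://", "https://")

def decode_b64_url(value):
    """Return the URL hidden in a base64 string, or None if there is none."""
    padded = value + "=" * (-len(value) % 4)  # senders often strip padding
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if text.startswith(SCHEMES):
            return text
    return None

def hidden_targets(url):
    """Collect plain or base64-encoded URLs nested in query, fragment or path."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query)]
    values += [parts.fragment, *parts.path.split("/")]
    found = []
    for value in filter(None, values):
        target = value if value.startswith(SCHEMES) else decode_b64_url(value)
        if target:
            found.append(target)
    return found

def triage(url):
    """Flag a QR-decoded URL that bounces through a trusted host to another site."""
    host = (urlsplit(url).hostname or "").lower()
    via = any(host == s or host.endswith("." + s) for s in REDIRECTOR_SUFFIXES)
    external = [t for t in hidden_targets(url) if urlsplit(t).hostname != host]
    return {"host": host, "via_redirector": via, "targets": external,
            "suspicious": via and bool(external)}

# Constructed sample: a lure URL as read from a QR code, payload base64-encoded.
_payload = base64.urlsafe_b64encode(b"https://login.example.invalid/m365")
SAMPLE = "https://www.bing.com/r?u=" + _payload.decode().rstrip("=")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A mail pipeline would feed `triage` the string produced by its own QR decoder for each PNG or PDF attachment; the final destination should still be evaluated by URL reputation or sandboxing.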
While QR codes have been exploited in smaller-scale phishing attempts, including instances in France and Germany, their incorporation into a larger, more organized campaign signifies a worrisome evolution in cyberattacks. QR codes have also been weaponized to direct unwitting individuals to fraudulent websites that steal personal and financial information.