QR code phishing: unmasking new tactics

Hiding the QR code within attachments

Having exhausted their options of how to mask the QR codes in the body of the email, some threat actors have resorted to attaching the code in .jpg, .png, or .gif files, which display the code once opened. Detecting this method requires advanced technologies that can scan the information contained in the attachment and analyse the social engineering techniques in the email body to identify it as malicious (Figure 3).

Aware of the growing capabilities of technologies to inspect attachments, cyber-criminals have begun to password-protect attachments, aiming to make it difficult for software to access the QR code within. It then becomes imperative that technologies take a holistic view of the email as a whole, taking into account the sender domain and the body of the email. In the below example, linguistic analysis picked up on the confidential and financial nature of the attachment, combined with the social engineering techniques leveraged to persuade the recipient to open the attachment (Figure 4). 

In another attempt to avoid detection, threat actors are attaching macro-enabled Excel files that automatically run various functions when opened. When the Excel attachment is clicked and opened, the macros automatically run the CONCAT function, which joins different cells in the spreadsheet. These cells all contain parts of a single URL that, once put together, form the malicious underlying link of the QR code. When the full URL is formed, another macro-enabled function will automatically generate a QR code from the link, as shown in the example created by our Threat Intelligence team below (Figure 5).

This is perhaps the most advanced obfuscation techniques cyber-criminals have utilised to mask QR codes because most detection technologies won’t be able to analyse the disjointed elements of the malicious URL or identify what macros are enabled (and ultimately what automatic functions will occur once the file is opened).

However, as many cyber-security leaders will agree, any macro-enabled file sent over email should be treated with caution and they may ring alarm bells to the recipient; especially since Microsoft now disables all macros and requires them to be manually enabled by the user. However, this only requires one click and individuals are likely to become desensitised to this – quickly and instinctively clicking the familiar ‘enable’ button when they’re working on autopilot.

Therefore, it’s important that organisations use detection technologies that utilise linguistic and attachment analysis in tandem, as it would likely flag this sort of email as malicious due to the combination of a suspicious file and social engineering techniques persuading the recipient to open the attachment.

As cyber-criminals produce more out-of-the-box ways to obfuscate their QR codes, the more suspicious they become to the recipient. Whether it’s experimenting with size, color, or embedding QR codes within password-protected or macro-enabled attachments, these increasingly complex techniques often serve as red flags to vigilant recipients, who are ultimately the ones who must scan them for the attack to be successful. The very act of obfuscation, intended to bypass detection technologies, tends to arouse suspicion and caution, reinforcing the importance of skepticism and critical evaluation of unexpected QR codes in emails.

Predictions on QR code payloads in 2024

As is the case with any new payload and obfuscation technique, we can expect to see fluctuations in popularity over time. James Dyer, Threat Intelligence Lead at Egress, predicts: 

“While we’re likely to see QR codes in phishing attacks for the time being, we anticipate that this may decline later in 2024. Following several unsuccessful attempts to mask QR codes from detection, cyber-criminals may pivot back to traditional phishing techniques or pursue new methods, meaning we may see less ‘quishing’ attempts targeting our inboxes. With that said, organisations must remain vigilant, ensuring they leverage sophisticated technology capable of detecting and neutralising malicious QR codes that persist in the threat landscape.”

Ultimately, the identification and prevention of ‘quishing’ and any associated obfuscation techniques requires organisations to employ advanced ICES software. 

Jack Chapman is SVP of Threat Intelligence at Egress. Egress Defend takes a holistic approach to detection, using AI and zero-trust models, including attachment scanning, and linguistic, contextual and behavioral analysis to detect and neutralise emerging threats like zero-day attacks and ‘quishing’.

Main image courtesy of iStockPhoto.com and AsiaVision