Researchers are predicting that cybercriminals will employ email-based quashing attacks as a means of stealing data from users. Several quishing campaigns are known to have been large, long-running, and dynamic, based on attack cadence and variations within the lures and domains featured in the messages used by the campaigns.
A study released by the Global State of Mobile Phishing Report recently raises some sobering insights into the widespread use of mobile phishing attacks. The report noted that over 50% of the personal devices used by employees of a company had been hacked every quarter, which is an astounding number.
Technology is constantly evolving to make users' personal and professional lives more convenient in the era of digital technology, as the usage of technology gradually increased over the years. One of the advancements that have made life easier for consumers has been the Quick Response (QR) code. The user can either share the URLs of websites and contact information, or they can pay with this two-dimensional barcode which is easy to read.
In addition to improving our daily lives, QR codes have also created new avenues for cybercriminals to exploit, which has made it easier for them to steal information. This method of phishing is also known as quishing and poses a significant threat to individuals and organizations alike. QR codes are phishing attacks that have been on the rise for years.
Even though "squishing" sounds all cute and squishy, it's a serious practice that has to be taken seriously. A QR code can be obtained by generating a fake email that contains a QR code that is inserted into the email, and then sending it to a person as a phishing email.
In an attempt to trick the recipients of an email attack into visiting malicious websites or downloading malware onto their devices, hackers use QR codes embedded in the email to trick them. Social engineering tactics are usually used in these kinds of attacks to exploit the trust that people place in emails because they often put their trust in them.
Recent findings regarding the effectiveness of mobile phishing attacks have been released in the Global State of Mobile Phishing Report. Over half of a company's employees' devices are exposed to phishing every few weeks, and at least one-third of those are not even aware that it is happening.
Additionally, there was a seven-fold increase in the number of QR code phishing reports in Q2 of 2022. Many industries are targeted by these types of attacks, including insurance, legal, financial, and healthcare. A high level of regulation is enforced in these industries as a result of the sensitive and valuable nature of their data. As a result, they are a good target for cybercriminals as they are easy to reach.
Increasingly, QR codes are appearing everywhere: they are in restaurants, mass vehicles, commercials, signs, walls, bathrooms, advertisements on billboards and posters; and even companies are shipping their products with QR codes so that consumers can access the manual via their phones.
There are two main ways that criminals are attempting to quench attacks at the moment: they send targets a QR code via email and then try to crack it. In many cases, those emails are simply a call to action for users to verify their accounts and to act within a specific time frame otherwise their accounts will be locked or closed. A QR code would be inserted into an email on a desktop computer by the user, and once scanned, it would cause havoc on the computer.
Using traditional email filtering methods, it is hard to detect QR code attacks since there are no embedded links or malicious attachments to scan. In addition, email filtering is not designed to follow a QR code to its destination to look for malicious content. The threat is also moved to another device which is more likely not to be protected by corporate security software, as well as shifting the actual threat to another device.
Detecting these attacks can be done using artificial intelligence and image recognition technology. Fake QR codes are usually not the only sign that a malicious email is being sent. In addition, AI-based detection will take into account other signals as well - such as the sender's name, the content, the size, and the placement of images – to determine whether a message is malicious. To detect and prevent QR code scams, Barracuda Impersonation Protection will employ several techniques, as well as others.
Currently, there are many quashing attacks targeting individual consumers, but enterprises, as well as their employees, are also at risk of squishing attacks. Researchers from HP and Abnormal Security discovered, in particular, that email-based QR phishing campaigns, like those uncovered by the researchers, could be used to steal credentials or spread malicious software to business accounts.
Fraudulent QR Code Signs
Receivers need to pay close attention to the labels on the quashing codes to see that these codes are marked. These include:
- There are several errors on destination websites, including spelling errors, poor-quality images, and inadequate design.
- Rather than beginning with HTTPS, a URL starts with HTTP.
- The true destination site is hidden by short URLs that are unreadable.
