A new report from cybersecurity company Inky Technology Corp. released today highlights the emerging threat of Quick Response code phishing and the novel techniques cybercriminals employ to bypass traditional security measures.

QR codes were once considered a niche technology but, in part driven by the COVID-19 pandemic, have emerged as a popular tool in marketing, information sharing and contactless payments. Although simple to use, QR codes offer utility and ubiquity that have gained the attention of cybercriminals, who now exploit them for phishing campaigns.

The report covers how in a new iteration of phishing, attackers are now incorporating malicious QR codes into their phishing emails. The QR codes redirect users to phishing websites, effectively serving as a new vehicle for credential theft.

From the outset, it could be claimed that the use of QR codes in phishing may be a marginal evolution in the history of phishing. However, INKY’s researchers note that incorporating QR codes introduces unique complexities.

Leading the list is why people should pay attention is the use of image-based phishing tactics, which circumvent conventional text-based phishing filters. Cybercriminals are said to embed the phishing message as text within an image, which they attach to the email. Since most email clients automatically display these images, the potential victim may not realize they’re viewing a screenshot of text, not actual text.

The malicious QR codes and image-based messages are noted as being concerning due to their potential to bypass conventional security measures. Secure email gateways and similar security systems are designed to detect textual clues indicating phishing and are typically ineffective against image-based attacks.

When a user scans the malicious QR code, they’re typically redirected to a credential-harvesting website that resembles a legitimate service, such as those offered by Microsoft Corp., to enhance the phishing campaign’s credibility. Users are requested to enter their login credentials, and they remain unaware that the site is malicious and that cybercriminals are harvesting their credentials.

The INKY researchers argue that counteracting the threat of malicious QR codes requires a multifaceted approach that includes optical character recognition to extract text from attached images and artificial intelligence algorithms to detect these dangerous emails.

That said, they also note that technical defenses only go so far. User awareness and education are equally crucial and employees should be trained to inspect sender email addresses, avoid scanning QR codes from unknown sources, and exercise caution when entering personal or financial information on sites reached via QR codes.

Image: Bing Image Creator