UPDATED 17:15 EDT / AUGUST 17 2023

Cybersecurity company discovers phishing campaign that uses malicious QR codes

A cybersecurity company has detected a phishing campaign that uses malicious QR codes to try to steal organizations’ data.

Cofense Inc., the Virginia-based email security provider that spotted the campaign, detailed its findings in a Wednesday blog post. The company sells software that helps enterprises protect employees from phishing attempts. Cofense was known as PhishMe Inc. until 2018, when it was acquired by an investor consortium at a $400 million valuation.

The phishing campaign that the company discovered began this past May. According to Cofense, the hackers behind the campaign have been targeting users with emails designed to mimic Microsoft Corp. security notifications. Their aim is to trick recipients into divulging the login credentials associated with their Microsoft accounts.

A typical phishing email includes a link to a malicious website operated by the hackers. In this campaign, the messages replace the link with a QR code. The email text asks recipients to scan the code using their mobile devices.

“Cofense has not historically seen large malicious campaigns utilizing QR codes,” Nathaniel Raymond, a member of Cofense’s threat intelligence team, wrote in the company’s blog post. “This may indicate that malicious actors are testing the efficacy of QR codes as a viable attack vector.”

The company analyzed more than 1,000 emails that were sent as part of the phishing campaign over the course of six months. According to the software maker, about 300 of those emails targeted a single organization described as a “major energy company based in the U.S.” About 15% of the messages were sent to manufacturers, while the insurance, technology and financial services sectors rounded out the list of the most targeted industries.

Malicious QR codes can be difficult to spot because they encode a phishing link in a visual form, while email security tools are mainly designed to detect standard links. Furthermore, hackers can embed a malicious QR code in another file such as a PDF document to create an additional layer of obfuscation. That makes it even more difficult for organizations to spot phishing attempts.

But while malicious QR codes might bypass a company’s email security software, their effectiveness is limited. The reason is that mobile devices display the link to which a QR code leads after the user scans it. As a result, users have an opportunity to review what website they’re about to visit before opening it.

The phishing campaign spotted by Cofense uses redirect links to try to avoid detection. A redirect link is a kind of placeholder URL that leads the user to another website immediately after it’s clicked. Such placeholder URLs can make a malicious QR code more difficult to spot. 

According to Cofense, most of the redirects employed by the phishing campaign used links that began with “bing.com.” The hackers also used several other domains including two that are associated with Salesforce Inc. and Cloudflare Inc. services.
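The redirect technique described above can be checked mechanically once a scanner has decoded the QR image into a URL. The following Python is an added example, not code from Cofense or from this article: it flags decoded URLs whose visible host is a watched redirect domain and whose query string carries another URL. Only "bing.com" comes from the article; the sample URLs, parameter names and verdict labels are constructed for illustration.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Hosts whose redirect links are abused. "bing.com" comes from the article;
# extend this set from your own mail telemetry (assumption: site-specific).
WATCHED_REDIRECT_HOSTS = {"bing.com"}

def _as_url(value):
    """Return value as an http(s) URL if it is one, plain or base64-encoded."""
    candidates = [value]
    try:
        padded = value + "=" * (-len(value) % 4)
        candidates.append(base64.urlsafe_b64decode(padded).decode("ascii"))
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass
    for cand in candidates:
        try:
            parts = urlsplit(cand)
        except ValueError:
            continue
        if parts.scheme in ("http", "https") and parts.hostname:
            return cand
    return None

def triage_qr_url(decoded):
    """Classify a URL that a QR scanner extracted from an inbound email."""
    parts = urlsplit(decoded)
    host = (parts.hostname or "").lower()
    watched = any(host == h or host.endswith("." + h) for h in WATCHED_REDIRECT_HOSTS)
    # parse_qsl percent-decodes values, so encoded destinations are seen too.
    embedded = [u for _, v in parse_qsl(parts.query) if (u := _as_url(v))]
    if embedded and watched:
        verdict = "hold"      # trusted-looking host that forwards elsewhere
    elif embedded:
        verdict = "review"    # unknown redirector
    else:
        verdict = "scan"      # ordinary link: hand to the normal URL scanner
    return {"shown_host": host, "verdict": verdict,
            "embedded_hosts": [urlsplit(u).hostname for u in embedded]}

# Constructed samples: paths, parameter names and example.* hosts are placeholders.
_DEST = "https://login.example.net/session"
SAMPLES = [
    "https://www.bing.com/r?t=" + base64.urlsafe_b64encode(_DEST.encode()).decode(),
    "https://redirect.example.org/out?url=https%3A%2F%2Flogin.example.net%2Fsession",
    "https://www.bing.com/search?q=qr+code+safety",
]
if __name__ == "__main__":
    print([triage_qr_url(s) for s in SAMPLES])
```

The first sample shows why the link preview on a phone is not enough here: the host the user sees is `www.bing.com`, while the destination sits encoded in the query string.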

The phishing campaign appears to be increasing in scale. According to Cofense, the volume of malicious QR codes sent by the hackers has been rising at an average month-over-month growth rate of 270% since the campaign began in May. 

“While automation such as QR scanners and image recognition can be the first line of defense, it is not always guaranteed that the QR code will be picked up,” Raymond wrote. “Therefore, it is also imperative that employees are trained not to scan QR codes in emails they receive. This will help ensure that accounts and businesses security remain safe.”
