QR Code Scammers are Changing Tactics to Evade Detection – Source: securityboulevard.com

Check Point researchers last year saw a 587% increase between August and September of phishing attacks enticing unsuspecting targets to click on QR codes that then redirect them to malicious pages used for harvesting credentials.

The cybersecurity firm’s report was one of several last year that talked about a rapid rise in such QR code-focused phishing – or quishing – campaigns. The nonprofit National Cybersecurity Center in January 2023 warned that QR scams were growing as the popularity of QR codes expanded over the past few years. The organization noted that attackers are using everything from parking meters to cyptocurrency wallets to romance scams to convince people to click on malicious QR codes.

The Federal Trade Commission last month issued its own warning, noting the ubiquitous nature of the codes, adding that “there are countless other ways to use them, which explains their popularity. Unfortunately, scammers hide harmful links in QR codes to steal personal information.”

Hoxhunt and SlashNext also wrote about the rise in the number of attacks and variations of the malicious uses of QR codes.

Fueling the growing use of QR codes – and thus scams using them – include the continued rise in the use to mobile devices, the widespread use by businesses of QR codes during the pandemic, and how easy it is to use the codes.

Adapting to Defenses

In a report this week, Jeremy Fuchs, cybersecurity researcher and analyst at Check Point, wrote that while QR code scams are “fairly simple,” they are “successful as many email security solutions didn’t have QR code protection and many end-users are used to scanning QR codes.”

In response to the sharp rise in quishing attacks last year, cybersecurity vendors pushed out new tools for organizations and individuals to protect themselves.

Scammers in turn are adapting their attacks to get around such protections and increase the likelihood that more people will click on their QR codes. Over a two-week period this month, Check Point 20,000 attacks that use an slightly different method, Fuchs wrote.

Like the attacks detected last year, the goal was to use lures in emails to get users to scan the attacker’s QR code, which would then redirect the user to a page used to harvest the victim’s credentials.

“In these [new] attacks, hackers are utilizing QR code in a different way,” he wrote. “The initial ask is similar, but where the redirection chain goes is quite different. In short, the link looks for where the user is interacting with it and adjusts accordingly. If the user is using a Mac, one link appears. If the user is using an Android phone, another one pops up.”

New Methods, Same Goals

The end goal hasn’t changed, Fuchs wrote. The bad actors still want to install malware on the victim’s device – such as PC or a mobile phone – and steal credentials. However, “by adjusting the destination based on how the end-user is accessing it, the rate of success is much higher,” he added.

According to the research by Harmony Email and Collaboration, a unit within Check Point, scammers are running business email compromise (BEC) campaigns and social engineering techniques in emails sent to targets. It starts like most quishing attacks, sending an email to potential victims asking them to look at an annual 401K contribution statement by scanning the QR code, promising it will give the victim their account balance for the year.

The link in the emails are the same, but the QR code has a conditional destination point that is based on characteristics of the technology the victim is using, including browser, device, screen size, and software. Based the information, the QR code will direct the user to particular pages.

“Essentially, there are four layers of obfuscation,” Fuchs wrote. “One is the QR code itself. The URL embedded within the QR code looks like it’s going to a domain of Apple’s, but is instead redirected elsewhere. Then there’s a blind redirect to another domain.

The domain will automatically check to see if the user’s device is using a browser or scanning engine and accordingly will redirect to a particular page. In addition, “there’s also a payload in there that has anti-reverse engineering techniques so that if you try to de-obfuscate it, it would consume infinite resources,” he wrote.

Some Differences in the Emails

There are variations in the campaign. For example, one embeds the QR code in a PDF attached to the email and will lead the victim to a fake Microsoft login page. Another embeds the QR code in the email message

“In all of these, the link in the QR code and the link that it redirects you to are different,” Fuchs wrote.

Redirection in quishing campaigns – as well as other kinds of attacks – isn’t new, but with the conditional redirection, the hackers can grow their chances of succeeding because default layers of security typically will look at a redirection and let it go if it’s clean.

The key is having a cybersecurity solution that looks at multiple layers, he wrote. An email security solution can block an attack by detecting suspicious behavior like the email coming from a first-time send and analyzing the text. Browser security tools will inspect the website and block it if necessary, mobile security will block the attack if the QR code is scanned, and anti-malware software will emulate the file to determine what will happen.

“These attacks are difficult to stop because they compromise so many different layers,” Fuchs wrote. “Have all the layers, though, and the ability to stop the attack increase.”