Quishing: an evolving threat

Daphne Frik

24 June 2024

Cyberattacks are continuously evolving, adapting to new trends and developments. The ongoing changes in QR code phishing, or quishing, show us that it is important to be observant and to not heavily rely on our email security systems.

Quishing, which leverages Quick Response (QR) codes to lure users to malicious websites, is becoming increasingly popular among cybercriminals, according to a report on email security from Check Point Research. The researchers found an increase in quishing attacks of 587 percent between January and March of this year, and 363 percent between April and May.

How quishing works

Quishing involves embedding malicious URLs within QR codes. When scanned with a smartphone or tablet, these codes direct users to fraudulent websites designed to steal personal information, login credentials, or install malware. Unlike traditional phishing attacks, which rely on deceptive emails or websites, quishing capitalizes on the growing use of QR codes for legitimate purposes such as advertising, payments, and information sharing.

However, quishing takes place through emails as well. Instead of sending a text-based link, attackers will add QR codes in emails to lure users to malicious websites, for example by prompting them to re-authenticate their multi-factor authentication.

The rise of quishing

Several factors have contributed to the rise of quishing:

  • Increased use of QR codes: The COVID-19 pandemic accelerated the adoption of QR codes, especially in contactless transactions and digital menus in restaurants. This widespread use provides ample opportunity for cybercriminals to exploit.
  • User trust: Many users implicitly trust QR codes, often scanning them without a second thought. This trust is a double-edged sword, making it easier for quishing attacks to succeed.
  • Difficulty in detecting malicious codes: Unlike traditional URLs, which can be scrutinized for legitimacy, the contents of a QR code are not immediately visible. This obscurity makes it challenging for users to identify malicious codes before scanning them.

Quishing 2.0 & 3.0

After these standard MFA authentication requests, quishing evolved to conditional routing and custom targeting. Now, researchers have found a new evolution, which focuses on the manipulation of QR codes. In this campaign, attackers create QR codes with HTML and ASCII characters, rather than placing the QR code in an image, with the idea of bypassing OCR engines. Using HTML and ASCII characters can lead security systems to ignore the email, as they might not be able to recognize the QR code as such.

How to avoid quishing attacks

To combat the threat of quishing, individuals and organizations need to adopt a proactive approach:

  • Education and awareness: Educating users about the risks associated with scanning QR codes is crucial. Users should be advised to scan codes only from trusted sources and verify the legitimacy of the source before scanning.
  • Verification tools: Organizations can deploy tools that verify the destination of QR codes before they are scanned. Mobile security apps that offer QR code scanning features with built-in threat detection can also help.
  • Secure deployment of QR codes: Businesses should ensure that their QR codes are secure and not easily tampered with. This includes using dynamic QR codes that can be updated regularly and employing measures to prevent unauthorized access to the physical codes.
  • Monitoring and response: Continuous monitoring for unauthorized or malicious QR code activity is essential. Incident response plans should be updated to address quishing attacks specifically.

The future of quishing

The evolvement of quishing threats underlines the importance of not merely relying on email security systems, and individuals and companies alike will need to prioritize education, awareness, and monitoring while email scanners and anti-virus software take their time to adapt to the evolving threats. Whether quishing will become a bigger problem in the near future remains to be seen, but it is undeniable that all kinds of phishing are becoming smarter, and advanced AI will need to play a large role in tackling these threats.