
QR Code Phishing Attacks: New Abnormal Capabilities Launched to Protect Customers From Quishing

Discover the risk of these image-based QR attacks and how Abnormal’s AI-native detection system protects you.
October 30, 2023

QR codes have become increasingly popular, especially in the post-COVID-19 era, when they have been used to foster connections. These codes provide convenient, contactless, and efficient ways to stay in touch and share information, for everything from marketing campaigns to restaurant menus.

Unfortunately, bad actors have exploited this new familiarity to compromise users. According to Abnormal data, 17% of all attacks that bypass native spam/junk filters use QR codes. This is especially concerning because QR code attacks can be difficult to detect due to their limited text content and heavy reliance on image attachments, which significantly reduces the number of signals that email security solutions can extract to catch an attack. To combat this threat, we are excited to announce the release of enhanced QR code detection capabilities.

How Bad Actors Exploit QR Codes to Execute Quishing Attacks

Attackers are increasingly crafting emails that contain an image attachment of a malicious QR code. These malicious QR codes often link to what appears to be a legitimate website, such as Google or Microsoft login pages, and prompt recipients to enter their login credentials. If entered, attackers can steal those credentials and use them to compromise additional services or launch additional attacks. According to internal data sources, credential phishing accounts for about 89% of all QR code-based attacks, with invoice fraud and extortion rounding out the top three attack types.

Real-World Quishing Attack Stopped by Abnormal

Let’s take a look at a real-world credential phishing attack that was stopped by Abnormal. In this attack, the threat actor crafted a phishing email prompting the recipient to scan a malicious QR code to reset the multi-factor authentication for their Microsoft account.


The QR code links to a malicious page posing as a legitimate Microsoft login page and encourages the recipient to log in to their account. If the recipient were to enter their login credentials, the attacker would be able to steal the credentials and compromise the account.


Abnormal detected this attack by analyzing behavioral signals and parsing the QR code. With its behavioral signals, Abnormal identified that this email was coming from an unusual sender and domain. With the QR code detector, Abnormal identified that the email contained a QR code with a suspicious link. The additional signals extracted from parsing the QR codes, combined with the behavioral analysis, put Abnormal Security in the best position to detect these attacks.


The Abnormal Approach to Stopping QR Code Phishing Attacks

QR codes can replace links previously used in many types of link-based phishing attacks. Any solution that relies purely on the reputation of the domains in the emails cannot effectively detect these attacks without processing every image in every email, which would very quickly result in scaling issues.

A key distinction of Abnormal’s AI-native detection engine is its ability to utilize behavioral signals to detect anomalies seen in sender-related attributes, receiver-based attributes, and attachment or link-based signals. With this approach, Abnormal is able to detect thousands of QR code attacks per week without specifically detecting and parsing QR codes, including this quishing campaign detected in late 2021. However, we understand the severity of QR code attacks and are committed to improving detection, which is why we are excited to announce that Abnormal has updated its defense strategies and added the capability to detect QR codes and parse links from them in attachments. This applies to images as well as PDF attachments. The signals extracted from QR codes will be ingested by the detection engine, which strengthens its ability to detect malicious activity.

The combination of behavioral AI detection, with the ability to further process images to detect QR codes and parse the corresponding information, provides a powerfully complete solution to combat the rise of QR code phishing attacks.
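To make the layering described in this section concrete, here is an added example (not Abnormal's code or detection logic) of a triage function that runs an expensive QR decode only when a cheap message-level signal fires, then compares the decoded link's host with the sender's domain. The function names, signal labels, 200-character threshold, sample message and the `decode_qr` callable (a stand-in for whatever QR library you use) are all assumptions.

```python
from email.message import EmailMessage
from urllib.parse import urlsplit

def build_sample(sender, text):
    """Constructed message: body text plus one image attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@corp.example"
    m["Subject"] = "Action required: reset MFA"
    m.set_content(text)
    m.add_attachment(b"\x89PNG constructed bytes", maintype="image",
                     subtype="png", filename="qr.png")
    return m

def qr_candidates(msg):
    """Decoded bytes of image and PDF parts, where a QR code can sit."""
    return [p.get_payload(decode=True) for p in msg.walk()
            if p.get_content_type().startswith(("image/", "application/pdf"))]

def body_text_len(msg):
    body = msg.get_body(preferencelist=("plain",))
    return len(body.get_content().strip()) if body else 0

def triage(msg, known_domains, decode_qr, max_text=200):
    """Run decode_qr only when a cheap signal fires; return the signal list."""
    sender = msg["From"].addresses[0].domain.lower()
    parts = qr_candidates(msg)
    signals = []
    if sender not in known_domains:
        signals.append("unusual_sender_domain")
    if parts and body_text_len(msg) <= max_text:
        signals.append("image_heavy_low_text")
    if not (signals and parts):
        return signals  # skip the expensive image decode
    for blob in parts:
        for url in decode_qr(blob):
            host = (urlsplit(url).hostname or "").lower()
            if host != sender and not host.endswith("." + sender):
                signals.append("qr_link_host_mismatch:" + host)
    return signals

if __name__ == "__main__":
    stub = lambda blob: ["https://login.example.org/mfa"]  # constructed URL
    msg = build_sample("IT Support <support@mail.example.net>",
                       "Scan the attached code to continue.")
    print(triage(msg, {"corp.example"}, stub))
```

The host-mismatch signal is an input to scoring rather than a verdict, since legitimate mail also carries QR codes that point to third-party hosts.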

Why doesn’t Abnormal block all emails containing QR codes?

With QR code phishing attacks increasing in frequency, organizations may be tempted to seek solutions that block all emails containing QR codes. However, this isn’t an effective solution for a variety of reasons:

  • Legitimate Usage: QR codes are deployed legitimately for easy access to information sharing. Blocking them unilaterally could lead to critical false positives, causing a disruption in business for users. Our data indicates that more than 50% of images with QR codes can be safe or legitimate business emails.

  • Ineffective: Cyber threats are always evolving. Attackers can apply techniques like obfuscation and embedding QR codes within images to bypass a block filter.

  • It’s Not That Easy: Scanning every email to identify and block all QR codes would consume significant amounts of processing and could cause delays in remediation. The combination of behavioral AI with the ability to parse QR codes ensures high detection efficacy without sacrificing the time to remediate.

The Future of Quishing and How You’re Still Protected

As QR codes become increasingly commoditized, threat actors will continue to use them as a tool in their phishing campaigns. Today, attackers use malicious QR codes to impersonate legitimate QR codes that are often part of the process when adopting multi-factor authentication, as seen in the real-world attack above. Tomorrow, attackers might imitate legitimate QR codes used in file sharing, invoice payment, or marketing emails to gain further access to an organization’s sensitive data and finances. To prevent these advanced attacks, Abnormal will continue to invest resources to strengthen its detection engine, which now analyzes tens of thousands of signals provided by its behavioral AI and QR code parsing to identify quishing attacks.

Interested in seeing the Abnormal solution to the email security problem? Schedule a demo today.
