By Philippe Cazaubon, Director, Southeast Asia and Korea, Barracuda
In Southeast Asia, Quick Response (QR) codes have become a key feature of everyday life. Particularly since the COVID-19 pandemic, we’ve continued to see bars and restaurants across the region ditch bacteria-harboring menus in favor of QR code stickers, and a steady uptick in the number of retailers of all shapes and sizes favoring cashless digital payments via QR code. And why not? These distinctive black-and-white two-dimensional bar codes are convenient and easy to use — even for the least tech-savvy among us.
So, what’s the catch? Unfortunately, as with any new technology trend, cybercriminals have figured out cunning ways to cash in, by exploiting people’s familiarity and confidence with QR codes, and perhaps their lack of knowledge around what these seemingly innocent little bar codes could be harboring.
Known as “quishing,” or “QR code phishing,” it is a form of phishing attack in which cybercriminals embed malicious links in QR codes to trick victims into visiting malicious websites or downloading malware onto their devices.
In May this year, the Cyber Security Agency of Singapore (CSA) and the Singapore Police Force (SPF) issued a warning to remind the public of the dangers of malicious Quick Response (QR) codes, after a woman unwittingly downloaded malware by scanning a QR code for a fake bubble tea survey, which resulted in hackers seizing SGD$20,000 from her account.
Meanwhile, in the Philippines, the government’s Anti-Cybercrime Group issued an advisory bulletin about the issue, which last year saw the country’s National Telecommunications Commission (NTC) order multiple telcos in the country to deactivate QR codes linked to fraudulent activities amid a surge in text scams.
These attacks are on the rise and pose a significant threat to users and organizations alike. And while quishing can take place in many ways, from QR code stickers pasted in public spaces to text scams and more, a large portion of these attacks are happening via email.
Being aware of quishing email attacks
While there is some awareness about cyber hygiene when it comes to malicious links shared within phishing emails, what we find talking to customers in Southeast Asia is that there is still a notable lack of awareness when it comes to quishing emails. And though they work in much the same way as regular links, often involving social engineering tactics designed to exploit the trust that people often place in emails, the lack of awareness around quishing means they arguably have a higher chance of success when it comes to duping the user.
By scanning the QR code, the user is often led to a fake page resembling a trusted service, which then prompts the user to log in, in order to capture their credentials. In other instances, like in the case of the bubble tea victim, users are directed to fake surveys promising rewards or payments, aimed at collecting their personal information or worse.
Quishing email QR codes can also link to malicious websites, which automatically download malware onto the user’s device, and can range from spyware to ransomware, enabling data theft or device takeover. Hackers also use QR codes to open payment sites, follow social media accounts, and send pre-written emails from victims’ accounts, easily impersonating and targeting others in their contact directory.
How to beat quishing and avoid scanning the scam?
To beat them, you need to understand them. Quishing is tricky because it is difficult to detect using traditional email filtering methods. There is no embedded link or malicious attachment to scan, and email filtering is not designed to follow a QR code to its destination and scan for malicious content. Quishing is particularly dangerous because it shifts the actual threat to a different device that may not be protected by corporate security software.
Utilizing AI and image recognition technology is the best way to identify these attacks. Fake QR codes are typically not the sole indicator of a malicious email. AI-based detection examines various signals, including senders, content, image size, and placement, to determine malicious intent.
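To make the “various signals” concrete, the following is an added example (not Barracuda’s product code or any algorithm described on this page) of a simple rule-based scorer that a mail filter could run over a raw message without ever decoding the QR code itself. It checks the kinds of signals the paragraph lists: whether the message carries a square image of QR-like pixel size, whether the body has no clickable link at all (the call to action lives in the image), whether the text tells the reader to scan something with a phone, how sparse the surrounding text is, and whether the sender’s display name claims a brand that the sending domain does not match. The weights, the threshold, the `fake_png` stand-in (PNG signature plus IHDR header only, enough to read dimensions) and both sample messages are constructed for illustration and are not tuned or real values.

```python
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Illustrative weights (assumption, not tuned values) for signals a filter can
# evaluate without decoding the QR code.
WEIGHTS = {
    "square_image": 3,           # QR codes are square; 100-600 px is a typical embedded size
    "no_clickable_links": 2,     # no http(s) URL in the body: the call to action is in the image
    "scan_call_to_action": 2,    # "scan ... with your phone" style wording
    "sparse_body_text": 1,       # very little text around the image
    "sender_brand_mismatch": 2,  # display name claims a brand the sending domain does not contain
}
THRESHOLD = 5  # assumption: at or above this score the message is flagged for review


def png_dimensions(data: bytes):
    """Return (width, height) from a PNG signature + IHDR chunk, or None if not a PNG."""
    if len(data) < 24 or data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def sender_brand_mismatch(from_header: str) -> bool:
    """Crude heuristic: no word (>3 chars) of the display name appears in the address domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    words = [w for w in re.findall(r"[a-z0-9]+", name.lower()) if len(w) > 3]
    return bool(words) and not any(w in domain for w in words)


def analyze(raw: bytes) -> dict:
    """Score one raw RFC 822 message for quishing indicators."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body)  # strip tags in case the body is HTML
    images = [png_dimensions(p.get_payload(decode=True))
              for p in msg.walk() if p.get_content_maintype() == "image"]
    hits = {
        "square_image": any(d and d[0] == d[1] and 100 <= d[0] <= 600 for d in images),
        "no_clickable_links": bool(images) and not re.search(r"https?://", body),
        "scan_call_to_action": bool(re.search(r"\bscan\b.*\b(phone|camera|device)\b",
                                              text, re.I | re.S)),
        "sparse_body_text": bool(images) and len(text.split()) < 60,
        "sender_brand_mismatch": sender_brand_mismatch(msg["From"] or ""),
    }
    score = sum(WEIGHTS[k] for k, v in hits.items() if v)
    return {"signals": hits, "score": score, "suspicious": score >= THRESHOLD}


def fake_png(width: int, height: int) -> bytes:
    """Constructed stand-in: PNG signature and IHDR chunk only, enough for dimension parsing."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"


def build_sample(from_addr: str, subject: str, text: str, png: bytes) -> bytes:
    """Build a constructed multipart message with a text body and one image attachment."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "user@corp.example"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(png, maintype="image", subtype="png", filename="img.png")
    return m.as_bytes()


# Constructed sample: lure wording, no link, square image, brand name on an unrelated domain.
QUISHING_SAMPLE = build_sample(
    "Microsoft Security <alerts@mail-secure-login.example>",
    "Action required: your password expires today",
    "Your password expires in 24 hours. Scan the QR code below with your phone to keep access.\n",
    fake_png(300, 300),
)

# Constructed sample: ordinary newsletter with a wide banner, plenty of text and a real link.
BENIGN_SAMPLE = build_sample(
    "Corp Newsletter <news@corp.example>",
    "October newsletter",
    "\n".join(["quarterly results, team updates and upcoming events"] * 15)
    + "\nRead more: https://corp.example/news\n",
    fake_png(600, 200),
)

if __name__ == "__main__":
    for name, sample in (("quishing", QUISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(sample))
```

Run as a script, the constructed lure scores on every signal and is flagged, while the newsletter scores zero. The point of the design is the one the paragraph makes: no single signal is the QR code itself; a square image alone (a logo, a product photo) is weak evidence, and it is the combination with a missing link, scan wording and a sender mismatch that lifts the score over the threshold. A production filter would add an actual QR decoder and URL reputation lookup on top, which this example deliberately leaves out.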
Beyond this, knowledge is power, and your workforce is your first line of defense. Incorporating quishing awareness into your security awareness training can ensure that your employees are well-informed and equipped to do their part in keeping themselves and your organization safe against these increasingly devious attacks.