Phishing campaigns using QR Codes on mails to evade URL scans

All URL-detecting security measures are being avoided by criminals delivering malicious QR codes to victims' mobile phones as part of phishing campaigns

QR codes are now being used in various phishing attack campaigns as a way to evade URL analysis, said a security research report.

Security researchers at Cofense, who spotted this, noted that these particular types of phishing campaigns use simple emails to hoodwink URL analysis. The body of the messages used a few basic HTML elements and an embedded GIF of a QR code, effectively disguising it as a SharePoint email. 

"The email itself is relatively simple. It poses as a pseudo SharePoint email with the subject line: ‘Review Important Document’. The message body invites the victim to: "Scan Bar Code To View Document". The only other visible content is a tantalising QR code that a curious user may be tempted to scan," said the report.

When decoded, the QR code showed a phishing URL. "Very basic, but very effective," said the report.

Most of the email service providers have a set of efficient security scanners that wrap or scan embedded URLs and weed out malicious links. However, these technologies are effective only if they are able to locate the URLs in the first place. Here, victims scan the QR code with their mobile phones, bypassing all these security measures. 

"By enticing the victim to pull out their smartphone and scan the QR code the attacker manages to evade standard corporate security controls. Secure email gateways, link protection services, sandboxes, and web content filters no longer matter because the user is now interacting with the phishing site in their own security space: their mobile phone," the report said.

Most QR code scanner apps in the smartphones will instantly redirect the user to the malicious website via the phone’s browser. In this particular instance, the victims were redirected to a SharePoint branded phishing site, giving them options to sign in with AOL, Microsoft, or ‘other’ account services. 

"While this sounds like a simple phish, there is a more nefarious tactic in play: removing the user from the security of a corporate business network," the report said.

The presence of QR code make the entire process faster and easier, said Jake Moore, cyber-security specialist at ESET. "This is a very clever advancement on a classic phishing technique where it takes the victim away from their company’s cyber- protection and onto their personal phone which is usually a problem for the threat actors. It does, however, still require the target to enter their password and other details, which good staff training should tackle," he said.

The convenience of scanning and linking using the smartphone makes it easier to con many, said Ed Williams, EMEA director at Trustwave’s SpiderLabs. His company has executed many QR code test campaigns similar to the present one. 

"We look to entice a ‘victim’ into scanning our QR code and then redirect the user to the website with our malware. This technique is part of a wider project and is a really useful attack vector that people are not so aware of, giving us the upper-hand," he said.

Trust factor also plays a major role. SophosLabs last year detected seven QR code reader apps with adware that potentially compromised 500,000 users. Malicious actors uploaded the malware laced versions to Google Play, the trusted place for Android app downloads. Authentic-looking mails were the hook in this latest campaign.

Scammers have been found exploiting QR codes for years. "It is known that today a lot of mobile malware (especially SMS Trojans) is spread via sinister websites where all software is malicious. And cyber-criminals have started to use malicious QR codes for users’ convenience," warned a Kaspersky report in 2011.

"Usage of QR codes for malware spreading was predictable. And as long as this technology is popular cybercriminals will use it," it said.

A QR code in itself is unable to store an executable virus, but it can definitely lead the user to malicious internet content. It is impossible for a person to read the content of the code, and scanning a random QR code is similar to blindly clicking on a link on your personal computer.  

According to Cofense, such phishing attacks that hoodwink scanning technologies can be stopped by "an informed, in-tune human".Trustwave’s Williams and ESET’s Moore agrees.

"Placing a QR code on a target machine is essentially like dangling a carrot in front of a victim, but we must stay vigilant of the potential of what they are capable of. But once people open the link on their phone they should realise that it is a rogue and misleading URL," said Moore.

Tweaking QR codes will only work with accounts that aren’t protected by two-factor authentication, he said. He added that the quickest defence for someone who hasve accessed the malicious link within the QR code is to immediately change their password for that account.

The same rule applies to ‘un-trusted’ emails said Williams. "Be very, very careful what you click on or scan. Also, make sure that your devices are up-to-date, give yourself a chance of being safe on-line by applying the basics."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews