Quishing is out there

By Rui Serra • November 14, 2023

Attackers relentlessly target email, and recently they have been exploiting the fragility of QR codes and password-reset operations. Reducing the risk posed by unique phishing attacks requires a combination of end-user education and adherence to best practices.

Attackers are now using emails tailored to correspond with business needs and processes. For instance, there is a noticeable increase in "quishing" – phishing based on QR codes – especially the ones designed specifically to reset two-factor authentication codes.

As we acquire new phones and redeploy multifactor applications, attackers exploit QR codes leading to websites that persuade users to enter their credentials. Education becomes a key defense strategy, enlightening end users about the precise processes and portals necessary to reset applications secured by two-factor authentication.

Here's how quishing typically works:

  1. Receiving the QR code, along with social engineering tactics: The QR code is accompanied by a message or context designed to deceive the recipient. This could be a seemingly legitimate request to access a specific website, claim a reward, or perform some other action.

  2. Scanning the QR Code: The user scans the QR code using a mobile device. QR codes are commonly used for quick access to websites, promotions, or other online content.

  3. Redirect to Malicious Site: The QR code, when scanned, redirects the user to a malicious website designed to mimic a legitimate one. This site is set up by attackers to collect sensitive information.

  4. Phishing Attack: Once on the fraudulent site, the user might be prompted to enter login credentials, personal information, or perform other actions that compromise their security.

  5. Data Harvesting: The attacker collects the information submitted by the user, using it for malicious purposes such as identity theft, unauthorized access, or other fraudulent activities.

Quishing is particularly effective because QR codes are commonly used for legitimate and convenient purposes, such as accessing websites, making payments, or joining networks. Users may be less suspicious when scanning QR codes, making them more susceptible to this type of attack.
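The redirect step above is where a scanner can intervene. The following added example (not code from this article or from any product it mentions) takes an already-decoded QR payload, walks its recorded redirect chain, and checks the final landing URL against an allowlist of approved reset portals. The host names, the `APPROVED_HOSTS` set and the redirect table are constructed assumptions.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Assumption: the hosts your organisation publishes as its real MFA/password-reset portals.
APPROVED_HOSTS = {"sso.example.com", "mfa.example.com"}
MAX_HOPS = 5

# Constructed sample: Location headers a sandboxed fetcher recorded for one QR payload.
SAMPLE_REDIRECTS = {
    "https://qr.shortener.test/a1": "https://cdn.redirect.test/r?id=9",
    "https://cdn.redirect.test/r?id=9": "http://sso.example.com.login.test/reset",
}

def host_findings(url):
    """Reasons this URL should not be trusted as a credential destination."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username or parts.password:
        findings.append("userinfo-in-url")  # real host is whatever follows the '@'
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if host not in APPROVED_HOSTS:  # exact match: 'sso.example.com.login.test' fails
        findings.append("host-not-approved")
    return findings

def follow_qr_payload(payload, redirects):
    """Walk the recorded redirect chain and judge the final landing URL."""
    chain, url = [payload], payload
    while url in redirects:
        url = urljoin(url, redirects[url])  # Location may be relative
        if url in chain:
            return {"chain": chain, "verdict": "block", "findings": ["redirect-loop"]}
        chain.append(url)
        if len(chain) > MAX_HOPS + 1:
            return {"chain": chain, "verdict": "block", "findings": ["too-many-hops"]}
    findings = host_findings(url)
    return {"chain": chain, "verdict": "block" if findings else "allow", "findings": findings}

if __name__ == "__main__":
    print(follow_qr_payload("https://qr.shortener.test/a1", SAMPLE_REDIRECTS))
```

The verdict is based on the last hop rather than the URL printed in the QR code, because the first hop is usually a harmless-looking shortener.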

Quishing comes disguised with sophisticated social engineering, driving the user to access websites and, most commonly, to install applications. This type of business action-item phishing represents an insidious form of attack. Quishing is often combined with certain phishing attacks, such as password-reset phishing that prompts users to scan a QR code to complete a password reset.

What are we seeing?

At Anubis' Mail Protection Service, as soon as we released a new security module able to scan every QR code and follow its attack path, we realized how sophisticated the whole process is (up to the malware detonation, or the web portal where the victim submits information). Fraudulent app stores and promotion-redeem e-commerce portals truly mimic the real deal, and because the attack incentivizes the victim to use mobile devices, the threat is much more significant (the emails and the websites are all over-simplified for small screens).

As for B2B threats, the amount of quishing happening is not significant, but it is growing very fast, and it is very effective, especially when it triggers quick actions needed on mobile devices.

