Quishing - phishing with QR codes

Brother

Check Point experts have identified a new variant of quishing (phishing with QR codes). A link embedded in the QR code leads to a resource that captures the user's digital fingerprint. Based on the results of that check, the resource selects a particular redirect.

According to analysts, in August – September 2023, the number of quishing attacks on email channels increased by 587%. Information security vendors had to urgently develop special protection for email; in response, the attackers adjusted the attack scheme.

Previously, the scheme was quite simple: scanning the QR code sent in the email redirected the user to a phishing page. Now there are several such redirects, and the final destination depends on the device (Android or, for example, a macOS computer) from which the initial link was opened.

The attack, as before, begins with a fake message. The final goal of the attackers has not changed either: theft of credentials, sometimes with the installation of malware. The malicious QR code is most often inserted in the email body, although it can also be present in a PDF attachment.


The link embedded in the QR code points to a resource that performs blind redirects to another domain in order to automatically check the interacting device against specified parameters (OS, browser, screen size, etc.).


Based on the results of the check, the page can redirect the user to a phishing page (for example, a fake login to the Microsoft service) or launch a resource-intensive program as a measure against attempts at deobfuscation and reverse engineering.

For two weeks in January, experts counted about 20 thousand such quishing attacks. The usual email protection can't detect them, because it only checks the first link. In this case, several layers of obfuscation are used, and only complex solutions that work at different levels can detect the threat.

"Phishing attacks using QR codes are gaining momentum all over the world," comments Dmitry Ovchinnikov, Chief Specialist of the Integrated SPI department of Gazinformservis. "The use of AI allows scammers to design such malicious actions quite quickly and with low labor costs. If we are talking about an attack on corporate users, then the UEBA class of information security tools has become the answer to such threats."
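
The post notes that ordinary email protection checks only the first link while the final destination depends on the scanning device. The following is an added example, not code from Check Point or from the original post: it compares redirect chains that a URL-detonation sandbox is assumed to have recorded for one QR-decoded link under several device profiles. The profile names, the `.example` hosts and the `max_hosts` threshold are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect chains recorded for the same QR-decoded link,
# replayed under different device profiles. Hosts use the reserved .example TLD.
CHAINS = {
    "android-chrome": [
        "https://survey.example/r?id=1",
        "https://check.cdn.example/fp",
        "https://login.portal.example/signin",
    ],
    "macos-safari": [
        "https://survey.example/r?id=1",
        "https://check.cdn.example/fp",
        "https://news.example/",
    ],
    "headless-scanner": [
        "https://survey.example/r?id=1",
        "https://check.cdn.example/fp",
        "https://news.example/",
    ],
}

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def analyze(chains, max_hosts=2):
    """Flag chains a first-link-only check would pass: a chain that crosses
    more than max_hosts hosts, or a final host that varies by device."""
    finals = {profile: host(hops[-1]) for profile, hops in chains.items()}
    findings = []
    for profile, hops in chains.items():
        hosts = list(dict.fromkeys(host(h) for h in hops))  # ordered, unique
        if len(hosts) > max_hosts:
            findings.append((profile, "multi-host-chain", hosts))
    if len(set(finals.values())) > 1:
        findings.append(("*", "device-dependent-destination", finals))
    first_hosts = {host(hops[0]) for hops in chains.values()}
    return {"first_hosts": first_hosts, "finals": finals, "findings": findings}

if __name__ == "__main__":
    for finding in analyze(CHAINS)["findings"]:
        print(finding)
```

In the sample, every profile shares the same first host, so a verdict based on that link alone is identical for all three, while only the mobile profile ends on the login page.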