Phishers add QR codes to the menu

Taking a page from restaurants of the early-Covid era, hackers are trying out QR codes, frustrating IT pros by sneaking poisoned pixel squares past filters and into inboxes.

A report from the cybersecurity company Reliaquest discovered a 51% increase in QR-code attacks in September, compared to the cumulative number from January to August.

“This spike is at least partially attributable to the increasing prevalence of smartphones having built-in QR code scanners or free scanning apps; users are often scanning codes without even a thought about their legitimacy,” a Reliaquest threat researcher wrote on Nov. 9.

Early in November, Anthony Oren, CEO of the IT-support service Nero Consulting, had noticed a set of malicious emails sneaking past filters where the messages were images: Namely, QR codes. After going to his usual forums on Reddit and Spiceworks, Oren saw his peers had a similar problem with the 2D squares.

Admins have a difficult enough time blocking malicious emails and getting employees not to click through them. The QR code adds an extra layer of sneakiness for phishers and an extra challenge for IT professionals in charge of work email.

“We quickly realized there’s really no defense for it,” said Oren, unless a company wants to go with a likely impractical option of blocking all images.

The attack. The email is typically short, suggesting that more information is on the way after a QR click. (Telling the recipient to reactivate their MFA, for example.)

Once the phone scans the image, the end-user can be sent to an imitation proxy site, and any entered credential lands in the hackers’ hands.

QR quantity. Aaron Walton, threat-intel analyst at the cybersecurity vendor Expel, has seen an escalation in QR-code phishing, along with struggles to keep an eye on it.

“It’s a little bit more difficult to even triage, because you can’t see that a user visited a website, which they would have done through their workstation,” Walton told IT Brew. “But now they’re doing it on the personal device, or they’re doing it on a device that might not have any monitoring on,” said Walton.

What to do. Spam filters thwart phishy emails through characteristics like known language (“special discount!”) and headers, so QRs present a conundrum for IT: Blocking images altogether may frustrate employees trying to do their jobs.

Oren believes the technology strategy for thwarting a QR-code threat is a combination of server-strengthening practices:

• DomainKeys Identified Mail (DKIM), which adds digital signatures to outgoing messages
• Sender Policy Framework (SPF), which specifies authorized servers and domains
• Domain-Based Message Authentication, Reporting, and Conformance (DMARC), an email authentication method that offers action guidance for flagged messages

Google also recommends these standards for Gmail administrators.

Configuring strong email-server protocols, however, punts legitimate messages, said Oren, which may prevent IT teams from adopting the mechanisms.

A first line of defense for both Oren and Walton is a familiar, non-technical one: getting the word out to employees.

“We want to make sure that they’re aware of how to treat QR codes, and that they’re aware of how organizations communicate with them. So for example: Should they be expecting a benefits update having a QR code? Well, there might be reasons for that; there might not,” said Walton.