Like a college a cappella group with hundreds of fliers to scatter around campus, fraudsters are placing malicious QR codes everywhere—now, reportedly, even in presentation software and parking meters.
The evasive tactic, which relies on the checkered image common to menus and boarding passes alike, targets users’ more personal and less protected devices.
“You’re highly unlikely to use your PC to access that website through the QR code. So, you will use your mobile device, which essentially allows for that attack to be moved from a PC, which is usually a lot more protected and has a lot more guardrails provided by an organization,” Olesia Klevchuk, director of product marketing at security vendor Barracuda, told IT Brew, adding that volumes of QR-style attacks are “still pretty small overall, but they are on the rise.”
QR here. Barracuda’s June 2024 threat report found that 1 in 20 inboxes faced QR-code attacks in the last quarter of 2023. According to Klevchuk, Barracuda detected 740 QR-code phishing instances in June, and 1,100 per day in August. (Barracuda sees around 1 million email attacks per day, Klevchuk said.)
Other recent vendor reports revealed some malicious-hacker QRiousity.
- Cybersecurity company Netskope spotted a 2,000-fold increase in phishing pages delivered through Microsoft Sway—a free presentation-sending application within Microsoft 365. (Similar traffic hovered just above 0 for much of 2024.) In most of the Sway cases, according to the July 2024 study, attackers instructed victims to use their mobile devices to scan a QR code leading to a malicious site.
- In previous reporting, IT Brew pointed to a report from cybersecurity company Reliaquest, citing a 51% increase in QR-code attacks in September 2023 compared to all of January–August that year.
- Abnormal Security, in its April 2024 report, found that 27% of—OK, fine, we’ll say it—“quishing” attacks involved fraudulent multi-factor notices; the second most popular strategy was fake shared-document notifications
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Code red. Like most phishers, the ones employing QR codes often seek convincing ways to steal login credentials to compromise accounts and potentially launch additional attacks.
“As people get comfortable scanning QR codes, they tend to trust them implicitly,” wrote Jan Michael Alcantara, threat research engineer at Netskope, in an email to IT Brew
Officials in Northampton, Massachusetts, released an advisory on August 30, warning of scammers targeting another piece of trusted city infrastructure: the parking meter.
Klevchuk sees similarities between QR attacks and an older tactic, often warned about back in the days when computers had USB drives and threat actors considered dropping malicious ones into parking lots, hoping that someone curious would place them into their machine.
Defenses against mystery flash drives apply to QR codes, at least ones on paper, according to Klevchuk: If you don’t expect it, don’t scan it.
“If you see a QR code stuck to the side of the wall, maybe you shouldn’t be just scanning it randomly and giving up your information to the website.”