In other words, cybercriminals design their phishing websites to look authentic. That way, when an unsuspecting victim clicks on a phishing link, they’re quick to hand over their login username and password. After all, it looks just like the usual Microsoft login page.
To gain trust for the campaigns they run, cybercriminals send emails from accounts used by real people at real companies, which lends the messages an aura of legitimacy. However, it’s not evident exactly how the attackers gained control of the accounts in the first place for use in their campaigns.
Firstly, the victim is asked via a phishing email to scan a QR code to listen to a voice recording that claims to come from the email sender, whom they trust.
In an earlier version of the campaign, the tricksters hid a malicious URL behind an audio file. In that instance, the attack was detected by antivirus security software and fizzled out. This led the attackers to switch to QR codes, because the QR code method can more easily bypass email protections.
Secondly, the victim needs to follow a few more clicks and steps before they inadvertently give away their login credentials.
To start, the user needs to scan the QR code. So, if they’re opening the email on a mobile, they’ll struggle to do this without a second phone.
But if the victims don’t suspect anything is amiss, they can simply follow the instructions and quickly and easily give away their credentials.
Rachelle Chouinard, threat intelligence analyst at Abnormal Security, says, “the use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs.”
Rachelle goes on to say that “it’s only by understanding that the account is compromised — combined with an understanding of the intent of the email — that this new (and fairly innovative) attack type can be detected.”
As a result, email users should be wary of scanning QR codes presented in messages and double-check that they are genuine. Most importantly, to stay safe from quishing emails, they should do this even if the message comes from a known contact.
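For mail defenders, the pattern described above (no links in the body, an image, and a voice-recording lure) can be used as a triage signal. The following is an added example, not code from the article or from Abnormal Security; the lure keywords, the `triage` and `build_sample` names and the sample messages are assumptions constructed for illustration, and actual QR decoding of flagged images is left to a separate decoder.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://|www\.", re.I)
# Assumed lure vocabulary, based on the voice-recording pretext described above.
LURE_RE = re.compile(r"\b(qr code|scan|voice ?mail|voice (message|recording))\b", re.I)

def triage(raw: str) -> dict:
    """Flag messages that carry an image and a scan/voice lure but no URL,
    so their images can be routed to QR decoding and URL analysis."""
    msg = message_from_string(raw, policy=policy.default)
    texts, images = [], 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            texts.append(part.get_content())
    body = "\n".join(texts)
    has_url = bool(URL_RE.search(body))
    lure = bool(LURE_RE.search(body))
    return {
        "images": images,
        "has_url": has_url,
        "lure": lure,
        # URL scanners see nothing to inspect here; the image needs decoding.
        "needs_qr_decode": images > 0 and not has_url and lure,
    }

def build_sample(body: str, with_image: bool = True) -> str:
    """Build a constructed test message (placeholder addresses and image bytes)."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "New voice message"
    m.set_content(body)
    if with_image:
        m.add_attachment(b"\x89PNG constructed placeholder",
                         maintype="image", subtype="png", filename="code.png")
    return m.as_string()

if __name__ == "__main__":
    sample = build_sample("You have a new voice message. Scan the QR code below to listen.")
    print(triage(sample))
```

Because these messages come from legitimate, compromised accounts, sender reputation should not be used to suppress this signal.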