Quishing: Rising threat in email security
- Last Updated: October 22, 2024
While they’ve been in use for years, QR codes have been rising in popularity since the pandemic began in 2020. We use QR codes to buy products, make reservations, scan a restaurant menu, process financial transactions, and more. They make things simple, convenient, and most importantly, touch-free. But little did we know that this could be a potential entry point for scams.
Threat actors are always looking for novel methods to exploit vulnerabilities and new ways to target people as email providers and security solutions get smarter at spotting threats and preventing them from reaching users. One such method that seems innocuous and gets past the defenses of security systems is the QR code. Scammers have seized on this method and are using it as an entry point into organizations' mailboxes. In this article, we'll take a deep dive into the rising threat known as quishing. But to understand this, we first need to understand QR codes and how they’re used.
What are QR codes?
QR codes, short for quick response codes, are two-dimensional squares that store data. They’re similar to barcodes, except that barcodes encode information in a single strip, limiting the amount of data that can be stored in them. QR codes can store a comparatively larger volume of data. The codes are scanned using a mobile camera or, in some cases, applications that can read QR codes. Once scanned, the encoded payload typically opens a specific URL, triggers an application download, or authenticates a login.
When are QR codes used?
QR codes were invented by the Japanese in 1994. However, they've become prevalent only over the past decade. The pandemic created the need for touch-free methods to complete transactions, validations, and other forms of authentication. Some of the most common scenarios where QR codes come into play include:
- Performing financial transactions
- Viewing restaurant menus
- Authenticating login requests (in MFA-enabled accounts)
- Redirecting to brochures or collateral
- Prompting an application download
QR codes are also used to redirect to websites or links where the user needs to complete specific actions. These could be customer surveys, business cards, public transport schedules, and so much more. However, these codes are being misused by threat actors to extract information or money from unassuming users. Let's take a look at how this happens.
What is quishing?
Quishing, or QR code phishing, is a kind of phishing attack where threat actors attempt to retrieve sensitive information or nudge users to download malware. Threat actors disseminate QR codes in emails, instant messages, and even in public places that display them. These attacks take place in the same way most phishing attacks do. The attacker nudges the user to scan the QR code, which leads to a malicious website. Once redirected, sensitive information such as account credentials and payment information is extracted. Sometimes, it can even lead to a malware download.
Common characteristics of quishing emails
While quishing emails sometimes get past the security controls of email providers, they have certain characteristics that are easy to spot.
Target: Threat actors aim to extract the credentials of user accounts to advance their attacks. They tend to target members of the C-suite because these accounts have the highest and most sensitive levels of access throughout the organization.
Positioning: Some emails have the QR code embedded as an image in the email body. However, because email security solutions now detect embedded QR codes, threat actors are instead placing the QR code image inside attachments, making detection more difficult.
Content: As is common with most phishing attacks, quishing emails also aim to create a sense of panic and urgency among recipients. This is done to ensure that recipients don't have enough time to verify the authenticity of the sender or the link they're redirected to before divulging sensitive information.
Sequence of a quishing attack
Every quishing attack takes place in four stages. It begins with the hackers crafting a well-thought-out email that creates a sense of trust with the recipient.
Email sent by hacker: The hacker sends a quishing email that intends to trick recipients into opening it by creating a sense of panic. Recipients rush into opening the email without the required verification under the notion that something is at stake.
Recipient scans the QR code: The content of these emails is usually convincing enough to make the recipient believe either that the QR code is innocuous or that they must scan it to avoid some serious consequence. So the user scans the code with their mobile device.
At this stage, most users have moved from their organization-protected laptop to their personal mobile device. These devices lack the security controls that the laptop would have, so the user proceeds without any further security warnings.
Recipient enters requested information: The scanned QR code takes the user to a malicious website. The website could try to extract data in various ways. The user could be asked to enter their credentials for an email account, bank account, or some other account containing sensitive information. Alternatively, the QR code might download an application or a file containing malware.
Hackers steal information: Any information revealed by the user is sent to the hacker, who then takes control of the account and uses it to carry out the intended activities. If an application was downloaded, it could be spyware or a virus that aims to silently capture the user's activity or corrupt their existing data.
Intent of quishing attacks
Threat actors are aiming to find novel ways to get past organizational defenses, and quishing attacks have more than quadrupled. Though the intention of most attacks is to cause disruption, the kind of information hackers are phishing for varies. Let's take a look at some of the most common intentions with which hackers create quishing campaigns.
Malware injection
Many hackers aim to nudge email recipients to download applications or documents containing malware. Because QR codes are usually scanned with mobile devices, the device often lacks the security controls needed to detect or block the download. These applications either spy on the activity on the device or corrupt its data and deny users access. This may be the worst outcome of a quishing attack because the attack succeeds even if the user hasn't divulged any information.
Email credential harvesting
Account credentials are of high value to hackers because the accounts they unlock contain an abundance of sensitive information that reveals an organization's weaknesses. Additionally, mailboxes contain important contracts and project information. This is a goldmine for hackers because it gives them the ammunition to blackmail account owners with the available information and further take over the account.
Phishing for sensitive information
Apart from email credentials, another rich source of information for hackers is stolen financial data. Because most quishing attempts ultimately aim to extract money, this tends to be the most commonly sought-after data. Other data, such as credit card numbers, social security numbers, and bank account statements, could also be stolen. These play a vital role in helping hackers impersonate someone.
Examples of real-world quishing attacks
With the recent rise in quishing attacks, it helps to understand what some of the common quishing attacks are and how they’re structured. Let's discuss a few quishing attacks that have impacted real organizations.
Microsoft authentication
Many organizations using Microsoft as their email provider have been receiving emails from threat actors impersonating Microsoft.
The email creates a sense of urgency right from the subject line, which nudges users to open it. The email content states that multi-factor authentication (MFA) has been mandated for their organization's Microsoft account and that the QR code needs to be scanned to complete the MFA setup. The QR code redirects to a spoofed Microsoft login page where the user enters their Microsoft credentials. The page is designed to forward these credentials to the hacker, who uses them to take control of the account.
Document share notification
The popularity of document sharing platforms such as SharePoint, OneDrive, and DocuSign has led to a rise in this type of quishing attack. Threat actors send an email notifying recipients that a document has been shared with them. These emails are crafted so that the template looks exactly like a genuine notification from the file sharing platform. Mostly, these emails impersonate someone within the same organization. The recipients proceed to scan the QR code without questioning the legitimacy of the email, and at the redirected URL the hacker carries out the intended action.
Package delivery interruption
Emails impersonating package delivery agencies such as FedEx, DHL, and UPS are becoming increasingly common. They pose a concern or a disruption in the delivery of a product, and fearing that the product won't be delivered, the recipient scans the QR code to check the status. At the redirected URL, users are nudged to enter email credentials or to update payment information or a delivery address. These details are stolen by the threat actor to carry out phishing attacks in other forms.
Crypto wallet quishing
Popular cryptocurrency wallets have fallen prey to quishing attacks as well. Emails that pose as coming from crypto wallets such as Coinbase or Binance reach unsuspecting users under the guise of their crypto accounts being in danger of deletion due to pending updates. The QR code in the email redirects the user to a phishing URL, where the recipient supplies sensitive information such as wallet credentials or payment details. The hacker uses this information to take control of the account and misuse it for their gain.
Precautions to avoid falling prey to quishing attacks
Threat actors are continuing to find more evasive ways to get around the security set up by organizations. Therefore, an organization's employees hold the responsibility of educating themselves to identify these emails and take relevant action. Here are some simple steps you can follow to detect quishing attacks.
Verify the source and sender
If you receive an email with a QR code, check whether the display name of the sender matches the actual email address. Additionally, check whether the domain name in the email address contains spelling errors or character substitutions; this can indicate that the sender is trying to impersonate a common or well-known brand. Make sure the email has passed the standard authentication checks such as SPF, DKIM, and DMARC.
Verify the destination
When scanning most QR codes, smartphone cameras preview the URL the code points to before opening it. In the preview, check that the URL matches what the email claims it to be, and only proceed to open it after that validation. If the previewed link arouses suspicion, don't open it, because it could lead to a malicious file or application download.
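The sender and destination checks above can be automated for helpdesk triage. The Python below is an added example, not code from the original article or from eProtect; it assumes the QR image has already been decoded to its URL string by an external tool, and that the receiving mail server adds an Authentication-Results header. The sample message and URL are constructed.

```python
import email
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed lure (not a real message): display name claims a brand, the
# address domain is a typo-squat, and the receiving MX recorded failed checks.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <alerts@micros0ft.com>
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail
"""
SAMPLE_QR_URL = "http://login.micros0ft.com/mfa"  # constructed decoded payload

def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value suggests a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude registrable domain (last two labels); real tooling would use the PSL."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_sender(raw_email, claimed_domain):
    """Sender checks from the article: display name vs. address domain,
    lookalike domain, and SPF/DKIM/DMARC results recorded by the receiving MX."""
    msg = email.message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = registrable(addr.rsplit("@", 1)[-1])
    findings = []
    if domain != claimed_domain:
        if claimed_domain.split(".")[0] in name.lower():
            findings.append("display name claims %s, address is %s" % (claimed_domain, domain))
        if edit_distance(domain, claimed_domain) <= 2:
            findings.append("lookalike domain %s" % domain)
    auth = msg.get("Authentication-Results", "").lower()
    findings += [m + " did not pass" for m in ("spf", "dkim", "dmarc") if m + "=pass" not in auth]
    return findings

def check_destination(decoded_url, claimed_domain):
    """Destination checks on the decoded QR payload, before anyone opens it."""
    parts = urlsplit(decoded_url)
    host = parts.hostname or ""
    findings = ["not https"] if parts.scheme != "https" else []
    if host.replace(".", "").isdigit():  # crude IPv4-literal check
        findings.append("raw IP address as host")
    elif registrable(host) != claimed_domain:
        findings.append("host %s is not under %s" % (host, claimed_domain))
    return findings
```

Run `check_sender(SAMPLE_EMAIL, "microsoft.com")` and `check_destination(SAMPLE_QR_URL, "microsoft.com")`; an empty list means no finding, and any non-empty list is reason to stop and report the email.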
Avoid disclosing sensitive information
If you do scan the QR code and land on a website, verify the URL in the address bar to determine whether the site is genuine. If the URL doesn't match the intended website, proceed with caution. Think twice before entering any sensitive or personally identifiable information (PII) such as account credentials, mobile number, or home address.
Avoid app downloads from the QR code
If the QR code leads you to download an app, verify the source and authenticity of the app developer. Check whether the same application is available in your mobile platform's official app store and download it from there instead. If the app has been shared as a separate file, there is a high chance of it being infected with malware or spyware.
Perform financial transactions with caution
Most threat actors aim to extract money from people. This is easiest if the hacker impersonates a popular banking partner and requests that a transaction be completed. Revealing your bank account details or credit card number in such cases could prove disastrous because hackers can take control of your bank account within minutes, and it becomes a huge hassle to recover it. Always confirm with the bank if the email arouses any suspicion.
Mandate MFA
Even if hackers obtain your organization's account credentials, mandating MFA can stop those credentials alone from granting them entry. This adds an additional layer of security to your accounts and helps block unauthorized access.
Conduct security awareness training
Conduct awareness training for your employees and educate them about the possible threats. Teach them to follow secure practices with these emails and nudge them to report any such anomalous emails to your organization's security team. Following such reports, security controls should be tuned and tightened accordingly.
How can cloud email security solutions help?
In addition to taking these precautions, given the novel ways threat actors are finding to gain information, it is prudent to have an email security solution in place. These solutions tackle the problem at various levels, including identifying spoofed domains, alerting users about suspicious emails from unknown senders, and checking the authenticity of a QR code's destination URL. Having a cloud-based email security solution in place to detect such emails can improve security to a great extent.
eProtect is one such cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.