
Malicious Hackers Utilize QR Codes as Tools in Latest 'Quishing' Assaults

Attackers have found two new ways to run phishing scams: splitting a malicious QR code into parts, or embedding it within a legitimate one.


In a recent report titled "Threat Spotlight: Split and nested QR codes fuel new generation of 'Quishing' attacks", published on August 20, security researchers at Barracuda Networks shed light on two innovative QR code phishing techniques: QR code splitting and QR code nesting.

The QR code nesting technique, as detailed in the report, involves embedding a malicious QR code within a legitimate one. This deceptive practice can make it harder for scanners to detect the threat because the results are ambiguous. For instance, in an attack that began as a standard fake Microsoft 'password reset' scam, the Gabagool attackers used split QR codes. When the QR code is scanned, it directs the user to a phishing page designed to steal Microsoft login credentials.

The QR code splitting technique, by contrast, involves splitting a malicious QR code into two separate images and embedding them in a phishing email. When traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code. In the message's HTML, the code consists of two different images.
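Splitting can leave a structural trace in the message HTML: two adjacent images whose declared sizes tile into a square. The sketch below is an added example, not code from Barracuda's report; it flags such pairs as candidates to composite and rescan. The size heuristic, the thresholds and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

class ImgRunParser(HTMLParser):
    """Collect runs of <img> tags that have no visible text between them."""
    def __init__(self):
        super().__init__()
        self.runs, self._run = [], []

    def _close_run(self):
        if self._run:
            self.runs.append(self._run)
        self._run = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return  # layout tags (td, br, div) do not break a run
        a = dict(attrs)
        try:
            self._run.append((a.get("src", ""), int(a["width"]), int(a["height"])))
        except (KeyError, ValueError, TypeError):
            self._close_run()  # no usable declared size: cannot reason about tiling

    def handle_data(self, data):
        if data.strip():
            self._close_run()  # visible text separates the images

def split_square_candidates(html, tolerance=0.1, min_side=40):
    """Return (src, src) pairs of adjacent images that tile into a near-square.
    tolerance and min_side (pixels) are assumed thresholds, not vendor values."""
    p = ImgRunParser()
    p.feed(html)
    p.close()
    p._close_run()  # flush a run that ends at end of document
    hits = []
    for run in p.runs:
        for (s1, w1, h1), (s2, w2, h2) in zip(run, run[1:]):
            if min(w1, h1, w2, h2) < min_side:
                continue  # tracking pixels and icons are too small to matter here
            side_by_side = h1 == h2 and abs((w1 + w2) - h1) <= tolerance * h1
            stacked = w1 == w2 and abs((h1 + h2) - w1) <= tolerance * w1
            if side_by_side or stacked:
                hits.append((s1, s2))
    return hits

# Constructed sample: two half-width images in adjacent table cells, then two banners.
SAMPLE = """<html><body><p>Scan the code below:</p>
<table><tr><td><img src="cid:part1" width="100" height="200"></td><td><img src="cid:part2" width="100" height="200"></td></tr></table>
<p>Regards, IT</p><img src="cid:logo" width="300" height="60"><img src="cid:banner" width="300" height="60">
</body></html>"""

if __name__ == "__main__":
    print(split_square_candidates(SAMPLE))
```

A hit is only a reason to stitch the two images and run them through a QR decoder and URL analysis. Images without declared dimensions are skipped here and need a pixel-level check instead.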

To combat these emerging threats, Barracuda's AI-driven approach strengthens detection by visually scanning attachment images to identify embedded QR codes. It leverages machine learning to scrutinize QR code structures and pixel anomalies, even without extracting the embedded data. Furthermore, it decodes QR payloads and analyzes linked URLs or malicious content.

The report recommends a defense-in-depth approach to email security against these quishing attacks. Beyond foundational measures, it suggests adopting multi-layered email protection powered by multimodal AI.

Notably, the operators of the Phishing-as-a-Service (PhaaS) kits, Gabagool and Tycoon, have been found to be using these QR code phishing techniques. The operators of the Gabagool kit have recently started using the QR code splitting technique, while the Tycoon operators were found to be using the QR code nesting technique.

The report also highlights the operators' use of highly tailored messages, suggesting they'd previously implemented a successful conversation hijacking attack against the target. The threat groups behind these attacks, according to Barracuda Networks, are called "Scattered Spider" and "Demonic Spider."

In one instance observed by Barracuda, the outer QR code points to a malicious URL, while the inner QR code leads to Google. This technique can safely execute suspicious links in isolated sandbox environments to observe real-time malicious activity.

As the use of QR codes continues to grow, it's crucial for users and businesses to be vigilant against these novel phishing techniques. By staying informed and implementing robust security measures, we can help protect ourselves from these emerging threats.
