Hackers are stepping up ‘qishing’ attacks by hiding malicious QR codes in PDF email attachments
Malicious QR codes hidden in email attachments may be missed by traditional email security scanners, with over 500,000 qishing attacks launched in the last three months


Hackers are refining their ‘qishing’ techniques by hiding malicious QR codes in PDF documents attached to emails impersonating major organizations.
New research from Barracuda Networks highlighted the rapid evolution of qishing, a social engineering technique that uses QR codes to redirect users to phishing pages, which has grown over the last three months.
Threat intelligence researchers at Barracuda detected more than half a million phishing emails with QR codes embedded in PDF documents between 20 June and 18 September 2024.
The report noted a shift from embedding the QR codes directly into the emails themselves to hiding them in PDFs attached to the message.
Most of the attack samples analyzed by Barracuda involved impersonating reputable companies, such as Microsoft, which represented the majority of qishing attacks in this period.
Messages mimicking emails from Microsoft's SharePoint and OneDrive services comprised over half (51%) of all attacks detected.
DocuSign was also a popular brand to impersonate, accounting for 31% of the phishing messages caught by Barracuda, followed by Adobe at 15%.
The report added that a smaller percentage of the phishing attacks it studied were tailored to the target, pretending to originate from the HR department of the victim’s organization.
Barracuda noted that certain industries, such as finance, healthcare, and education, are increasingly being targeted with qishing attacks, owing to the large quantities of sensitive data they manage.
In addition, SMBs were highlighted in the report as particularly vulnerable to these attacks, since they lack the advanced security layers needed to pick up these more sophisticated phishing techniques.
New qishing tactic could spell trouble for SMBs
Barracuda noted that the shift in tactics from embedding the QR codes into the body of the email to hiding them in attached PDF documents makes it more difficult for traditional defenses to identify and block the threats.
The attack vector also involves the victim using multiple devices, often scanning the code with their personal phone, which is likely not protected with the same level of security software as a corporate device, the report warned.
Kyle Blanker, manager of software engineering at Barracuda, warned businesses that their traditional email security systems could be ill-equipped to deal with these new attacks.
“Traditional email threat scanners can miss phishing content and malicious payloads if they are embedded within PDFs, which makes this an attractive tactic for attackers trying to evade detection. Between June and September our security technologies detected around half a million attempted attacks where weaponized QR codes were embedded in PDFs,” he explained.
The time required to launch a phishing attack, as well as its cost, is relatively low compared to other attack vectors, Blanker added, arguing this is why threat actors are able to swiftly augment their tactics to get around cyber defenses.
“Phishing is a relatively low cost, easy to implement attack vector with potentially high rewards, so it is not surprising that attackers are continuously trying new approaches to overcome the latest advances in protection,” he said.
“For example, our security researchers have recently reported on a new generation of phishing QR codes built from text-based ASCII/Unicode characters, and using specially crafted URLs to create hard-to-detect phishing pages.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.