“Quishing” Attacks Exploit Mobile Scanning Ubiquity and Human Trust


Cybercriminals are increasingly using sophisticated QR code phishing attacks, known as “quishing,” to steal sensitive information from unsuspecting victims. These attacks have evolved to bypass traditional security measures, exploiting the widespread use of mobile scanning and human trust in everyday digital interactions.

One such technique, developed by the Gabagool phishing-as-a-service (PhaaS) platform, involves dividing malicious QR codes into two separate images embedded within phishing emails. When traditional email security solutions scan these messages, they identify two distinct and seemingly benign images rather than recognizing the complete QR code threat. This fragmentation approach allows the malicious payload to remain hidden from conventional detection mechanisms.

Recently, Barracuda threat analysts discovered Gabagool attackers implementing this split QR code technique in a Microsoft password reset scam. The attackers utilized highly tailored messages, suggesting they had previously executed successful conversation hijacking attacks against their targets. The phishing emails appeared to be legitimate, with the attackers using the victims’ names and company logos to create a sense of trust. The malicious QR code, however, was hidden in plain sight, waiting to be scanned by unsuspecting victims.

Another evasion technique, deployed by the Tycoon 2FA PhaaS platform, involves nested QR codes, where malicious codes are embedded within or around legitimate QR codes. This method creates detection ambiguity by presenting scanners with conflicting results: the outer QR code points to a malicious URL, while the inner code leads to legitimate destinations like Google. The overlapping structure complicates automated analysis and can fool both security systems and users.

For instance, a recent attack involved a legitimate QR code pointing to a Google login page, but with a malicious nested code that directed users to a phishing site. The attackers exploited the fact that many security systems rely on machine learning algorithms to detect phishing attacks, which can be fooled by the nested QR code technique.

These evolving attack vectors highlight the limitations of traditional security measures and the necessity for multilayered protection strategies. Organizations must implement comprehensive defenses, including:

Security awareness training: Educating employees on the risks associated with QR codes and the importance of verifying the authenticity of QR code links.

Multifactor authentication: Requiring users to provide additional forms of verification, such as passwords or biometric data, to access sensitive information.

Robust spam filters: Implementing advanced spam filters that can detect and block phishing emails, including those containing QR codes.

Multimodal AI capabilities: Deploying AI-powered solutions that can render attachment images to visually locate QR codes, decode their content, analyze destination URLs, and execute suspicious links in sandbox environments.
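
As an added example (not code from Barracuda or from the original article), here is a standard-library Python pre-filter for the split QR code technique described above: it flags pairs of PNG images in a message whose dimensions tile into a near-square, so a scanner can recompose them before attempting a QR decode. The tolerance, minimum side length, function names and sample email are constructed assumptions.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage
from itertools import combinations

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_size(data):
    """Return (width, height) from a PNG IHDR chunk, or None if not a PNG."""
    if len(data) < 24 or data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])

def split_qr_candidates(raw_email, tolerance=0.1, min_side=80):
    """Flag pairs of PNG parts whose dimensions tile into a near-square."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    images = []
    for part in msg.walk():
        if part.get_content_type() == "image/png":
            size = png_size(part.get_payload(decode=True))
            if size:
                images.append((part.get_filename() or "unnamed", size))
    hits = []
    for (name_a, (wa, ha)), (name_b, (wb, hb)) in combinations(images, 2):
        # Side by side: equal heights, widths sum to roughly the height.
        if ha == hb and ha >= min_side and abs((wa + wb) - ha) <= tolerance * ha:
            hits.append((name_a, name_b, "horizontal"))
        # Stacked: equal widths, heights sum to roughly the width.
        elif wa == wb and wa >= min_side and abs((ha + hb) - wa) <= tolerance * wa:
            hits.append((name_a, name_b, "vertical"))
    return hits

def fake_png(width, height):
    """Constructed sample: PNG signature plus IHDR only, enough for size parsing."""
    return PNG_SIG + struct.pack(">I4sII", 13, b"IHDR", width, height) + b"\x08\x02\x00\x00\x00"

def build_sample():
    """Constructed email: two 150x300 halves and one 600x90 banner."""
    msg = EmailMessage()
    msg["Subject"] = "Password reset required"
    msg.set_content("Scan the code to reset your password.")
    sizes = {"left.png": (150, 300), "right.png": (150, 300), "logo.png": (600, 90)}
    for name, (w, h) in sizes.items():
        msg.add_attachment(fake_png(w, h), maintype="image", subtype="png", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(split_qr_candidates(build_sample()))
```

A hit is only a candidate: the flagged pair still has to be stitched together and decoded, and the resulting URL analyzed, before the message is treated as quishing.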

By implementing these measures, organizations can significantly reduce the risk of falling victim to quishing attacks. However, the most effective approach involves staying one step ahead of attackers by continuously monitoring and updating security solutions to counter evolving threats.

As attackers continue innovating their quishing techniques, security solutions must evolve correspondingly to protect against these sophisticated social engineering attacks that exploit both technological vulnerabilities and human trust in everyday digital interactions.
