By Chinenye Anuforo

Cybersecurity firm, Sophos, has issued a warning about a new phishing technique known as “quishing,” which leverages QR codes to bypass traditional security measures.

In a recent report, Sophos X-Ops researchers revealed that threat actors are increasingly using QR codes embedded in malicious PDF attachments to trick unsuspecting users into compromising their devices and credentials.

“This fraudulent QR code, embedded in a PDF document attached to an email, takes the form of a message about payroll, employee benefits, or other forms of official paperwork a business might send to an employee. Because QR codes are not readable by computers, the employee must scan the QR code using their mobile phone.”

Related News

The QR code links to a phishing page, which the employee may not recognize as malicious since phones usually are less protected than a computer. The goal of the attackers is to capture employees’ passwords and their multi-factor authentication (MFA) tokens in order to access a company’s system by bypassing the security measures in place.

“We spent a considerable amount of time sifting through all the spam samples we had to find examples of quishing,” said Andrew Brandt, principal researcher at Sophos X-Ops. “Our research has revealed that attacks that exploit this specific threat vector are intensifying, both in terms of volume and sophistication, especially when it comes to the appearance of the PDF document. »

In addition to social engineering tactics, the quality of emails, attachments and QR code graphics, these attacks seem to be growing in terms of organization as well. Indeed, some malicious actors now offer as-a-service tools to run phishing campaigns using fraudulent QR codes. In addition to features such as CAPTCHA bypasses or the generation of IP address proxies to bypass automated threat detection, these criminal organizations provide a sophisticated phishing platform that can capture the credentials or MFA tokens of targeted individuals.

To encourage organizations to better protect systems against this type of attack, Sophos X-Ops shares a list of recommendations: Be vigilant about internal emails about HR topics, salaries or company benefits, Install Sophos Intercept X for Mobile, Monitor risky sign-ins amongst others.