QR Codes Increasingly Used in Phishing Attacks
From accessing a menu at a restaurant to paying for parking or boarding a flight — QR codes are everywhere.
Unfortunately, threat actors have found ways to exploit QR codes, often embedding them in phishing emails. Coalition Incident Response (CIR), an affiliate of Coalition, Inc., has seen a recent increase in cyber insurance claims involving QR codes.
Like any other technology, QR codes aren’t inherently risky, but users should consider a few things before scanning one.
How do QR codes work, and how can they be exploited?
Users scan QR codes with their smartphone cameras to decipher the information stored in a QR code’s black and white squares. As easy as they are to use, QR codes are also easy to create. Websites are available to generate free QR codes that redirect users to visit a website, download a PDF, connect to WiFi, and more.
Cybercriminals are increasingly pairing QR codes with phishing emails: the code resolves to a malicious link that harvests the user's credentials or deploys malware. Because QR codes are usually scanned with a personal smartphone rather than a managed computer, they sidestep security controls like endpoint detection and response (EDR). QR codes also bypass the URL scanning performed by email providers, since the link is carried inside an image rather than as a text link.
Using QR codes with phishing emails to increase plausibility
Most users are familiar with poorly written phishing emails that trick them into taking urgent action. Threat actors have adapted and are sending emails that look authentic while still applying pressure on the reader to act quickly. CIR has observed threat actors who impersonate HR or payroll departments and email QR codes to employees that allegedly link to benefits or payment documents.
Most often, phishing attacks that use QR codes lead to funds transfer fraud (FTF) events in which threat actors gain access to an email inbox and redirect payments into accounts they control. However, phishing with QR codes can sometimes provide threat actors with elevated access to a company’s network, allowing them to disrupt business operations.
Case study: QR code phishing leads to attempted ransom
An employee at a healthcare provider seemingly received an email from HR with a QR code to access their health benefits information.* The employee scanned the QR code with their personal phone and logged into the website.
Both the email and the QR code were malicious. The threat actor now had the login information for the healthcare provider's global administrator, a user with elevated access and permissions within the network. The threat actor logged into the admin's account and took control of the company's Azure instance, changing passwords and deleting accounts so that employees could neither log in nor remove the intruder. Once they had complete control of the company infrastructure, the threat actor attempted to ransom the company for $20,000.
The healthcare provider selected CIR via our incident response firm panel to help recover the email tenant, remove the threat actor, and perform an investigation. Ultimately, the policyholder did not pay a ransom, but they did have to work directly with Microsoft to regain control of their Azure instance.
In total, the business remained offline for roughly a week. CIR could only complete a forensic investigation to confirm the threat actor was no longer present after the business regained access to its Azure instance. It is uncommon for a business experiencing a business email compromise (BEC) incident to remain offline and locked out of its account for such an extended period.
The claim for this incident is still ongoing, and Coalition continues to work with the policyholder to determine all financial losses. Thus far, the costs of breach counsel and CIR are covered by the policyholder's Breach Response coverage.
What do users need to look out for?
Before users scan any QR code, they should pause to evaluate its legitimacy:
Exercise caution with QR codes sent over text or email. Successful phishing attacks rely on users taking immediate action. Users should always verify the legitimacy of emails and text messages that require them to log in.
Avoid entering credentials on mobile devices. Computers are often protected with security controls, like EDR or multi-factor authentication (MFA). Users should avoid entering company credentials on their personal smartphones. Credentials are usually only required once to log into mobile applications, making these requests even more suspicious.
If a QR code opens a link, examine the URL. Both Android and iOS will display a portion of the URL that QR codes open. Users should closely examine the URL for any inconsistencies that may point to a phishing attack. For example, if users receive a QR code from HR but the URL redirects through another website (Bing, Facebook, etc.), that indicates the QR code may be malicious.
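The URL check described above can also be automated on the defender's side once a mail gateway has decoded the QR image into its URL. The following script is an added example, not Coalition's or CIR's tooling: it statically unwraps nested redirect hops (no network requests) and flags payloads that pass through a redirector or end up outside the domain the purported sender (HR, payroll) would legitimately use. The redirector host list, the expected domain and the sample payloads are constructed assumptions for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs, unquote

# Illustrative hosts often abused as open redirectors (an assumption, not an exhaustive list).
KNOWN_REDIRECTORS = {"bing.com", "www.bing.com", "facebook.com", "l.facebook.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MAX_HOPS = 5  # bound the static unwrapping so a crafted payload cannot loop forever


def extract_embedded_url(url: str) -> Optional[str]:
    """Return an http(s) URL nested in the query string or path of `url`, if any.
    Plain and percent-encoded nesting only; redirectors that base64-encode the
    target would need a service-specific decoder."""
    parsed = urlparse(url)
    candidates = [v for values in parse_qs(parsed.query).values() for v in values]
    candidates.append(unquote(parsed.path))  # e.g. /redirect/https://lure.example
    for value in candidates:
        match = URL_RE.search(unquote(value))
        if match:
            return match.group(0)
    return None


def assess_qr_url(decoded_url: str, expected_domain: str) -> dict:
    """Unwrap redirect hops statically (no network) and compare the final host
    with the domain the purported sender (e.g. HR) would legitimately use."""
    hops = [decoded_url]
    while len(hops) <= MAX_HOPS:
        nxt = extract_embedded_url(hops[-1])
        if nxt is None:
            break
        hops.append(nxt)
    first_host = (urlparse(hops[0]).hostname or "").lower()
    final_host = (urlparse(hops[-1]).hostname or "").lower()
    reasons = []
    if len(hops) > 1 or first_host in KNOWN_REDIRECTORS:
        reasons.append(f"redirects through {first_host}")
    if final_host != expected_domain and not final_host.endswith("." + expected_domain):
        reasons.append(f"final destination {final_host} is outside {expected_domain}")
    return {"hops": hops, "final_host": final_host, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample payloads, as a mail gateway might recover them by decoding QR images.
SAMPLES = [
    ("https://hr.example.com/benefits/2024", "example.com"),
    ("https://www.bing.com/ck/a?u=https%3A%2F%2Fbenefits-portal-login.example.net%2Fsso", "example.com"),
    ("https://l.facebook.com/l.php?u=https://example.com.payroll-docs.example.org/login", "example.com"),
]
if __name__ == "__main__":
    for url, domain in SAMPLES:
        verdict = assess_qr_url(url, domain)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok", url, verdict["reasons"])
```

Only the first sample passes; the second is flagged for routing through a redirector to an unrelated host, and the third for a lookalike host that merely contains "example.com" as a prefix.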
Companies can take additional preventive measures by training their users to look out for phishing emails and fraudulent QR codes. The goal is for employees to ask themselves, "Why would HR need to send me this?" and report the suspicious email.
Businesses looking to enhance their security posture can sign up for around-the-clock monitoring with Coalition Security Services Managed Detection and Response (MDR) provided by CIR. CIR regularly deploys endpoint detection tools during cases to monitor networks during the restoration process. MDR is designed as a preventative and restorative security solution that can help protect businesses from persistent cyber threats.
Learn more about MDR from Coalition Security Services.