“Quishing”, a very popular evolution of phishing, uses QR codes to deceive users and access their sensitive information. Increased vigilance is required to avoid falling into the trap.
Cybercrime continues to reinvent itself in the era of new technologies, and QR codes, or rather should we say QR codes, are the new target for attackers. “Quishing” is the term used to describe QR code-based phishing. These two-dimensional barcodes containing encoded data can effectively be used as lures to lead to phishing attacks. Let’s dig deeper.
Quishing, a tool that benefits hackers in many aspects
QR codes offer certain advantages to hackers. They are more difficult to detect, both by email filters and by end users. The use of QR codes in phishing campaigns is not new, but their notoriety has increased during the pandemic, as they allow contactless access to products and services.
What is phishing anyway?
Phishing is a social engineering technique commonly used by attackers to trick people into disclosing sensitive information or installing malware. Quishing, which uses QR codes, is a new variation of this threat.
Imagine a QR code released during the Super Bowl. If the company behind this ad had malicious intentions, they could have leveraged this code to automatically download ransomware onto viewers’ phones, putting a large number of devices at risk.
Why quishing attacks are problematic, and what you can do to combat them
QR codes are omnipresent in our daily lives, definitely popularized at the time of the recent health pass during the Covid period, from restaurants to public transport, including tourist places. They are still used more today in these same places, to show you a menu or scan your entry tickets. Consumers naturally trust these codes, and cybercriminals rely on this trust. Smartphones are also very vulnerable, because they do not benefit from the same anti-phishing protections as desktop computers.
Most quishing attacks start by sending a QR code via email. Victims are tricked into scanning the code and warned that their account will simply be blocked if they do not. Once scanned, the QR code can compromise the device.
What can we do to protect ourselves?
The best practice is not to scan QR codes from unknown sources. Before scanning one, always check the source. Never scan QR codes in emails, as legitimate companies do not use this method to verify accounts. Be wary of QR codes encountered in public, as they could conceal malicious intentions.
Pay particular attention to red flags, such as a sense of urgency, requests for personal information via a website, or awkward formatting in emails. These indicators can help you spot a quishing attempt. We will have to get used to it: quishing is a new threat against which it is good to be vigilant.
Source : Malwarebytes
6