Sophos describes a QR code phishing (quishing) campaign that targeted its own employees in an attempt to steal information. The attackers sent phishing emails that appeared to be related to employee benefits and retirement plans. The emails contained PDF attachments which, when opened, displayed a QR code. If an employee scanned the code, they would be taken to a phishing page that spoofed a Microsoft 365 login form. The page was designed to steal login credentials and multi-factor authentication codes. One of Sophos’s employees fell for the attack, showing that even cybersecurity companies are vulnerable to social engineering. Phishing links contained in QR codes are more likely to evade detection by security filters, and humans are less likely to notice that the URLs are suspicious. “We in the security industry generally teach people resilience to phishing by instructing them to carefully look at a URL before clicking it on their computer,” Sophos explains. “However, unlike a URL in plain text, QR codes don’t lend themselves to scrutiny in the same way. Also, most people use their phone’s camera to interpret the QR code, rather than a computer, and it can be challenging to carefully scrutinize the URL that momentarily gets shown in the phone’s camera app.” This is both because the URL may appear only for a few seconds before the app hides the URL from sight, and also because threat actors may use a variety of URL redirection techniques or services that conceal or obfuscate the final destination of the link presented in the camera app’s interface.” Sophos has observed an increasing number of quishing attempts over the past few months, and these attacks are growing more sophisticated. “Throughout the summer, samples have become more refined, with a greater emphasis on the graphic design and appearance of the content displayed within the PDF,” the researchers write.” Quishing documents now appear more polished than those we initially saw, with header and footer text customized to embed the name of the targeted individual (or at least, by the username for their email account) and/or the targeted organization where they work inside the PDF.” Blog post with links, and a free QR Code Phishing Security Test: https://blog.knowbe4.com/qr-code-phishing-is-growing-more-sophisticated |