Researchers have observed an attacker using a technique they hadn’t previously seen to attempt to sneak phishing emails past enterprise security filters.
Abnormal Security, which reported the campaign this week, says that between Sept. 15 and Oct. 13 it detected and blocked some 200 emails that contained a QR code, instead of the usual malicious attachment or URL link, to try to drive users to a phishing website.
The emails contained a message that described the QR code as offering access to a missed voicemail and appeared designed to bypass enterprise email gateway scans that are typically only geared to detect malicious attachments and links.
All of the QR code images that Abnormal detected were created the same day they were sent. This made it unlikely that the QR codes, even if they had been detected, would have been previously reported and included in any security blacklist, the security vendor said in its findings.
“The use of QR codes in phishing emails is quite rare,” says Crane Hassold, director of threat intelligence at Abnormal Security. Threat actors in the past have used images that appeared to be QR codes but were, in fact, hyperlinks to a phishing site. Some phishing operators have also used QR codes in physical locations to try to drive users to a malicious website.
“But this is the first time we’ve seen an actor embed a functional QR code into an email,” Hassold says.
The Better Business Bureau (BBB) in July warned of a recent uptick in complaints from consumers about scams involving the use of QR codes. Because the codes cannot be read by the human eye, attackers are increasingly using them to disguise malicious links, the BBB said.
Attackers are distributing malicious QR codes via direct messages on social media, text messages, physical mail, paper flyers, and email, it noted. Users who scan the codes using their mobile phones are directed to phishing websites that are designed to harvest personal information and login credentials, automatically follow a malicious social media account, or launch a payment app.
“In addition, Bitcoin addresses are often sent via QR codes, which makes QR codes a common element in cryptocurrency scams,” BBB warned.
A survey that MobileIron conducted of more than 4,400 people last year found 84% have used a QR code before. Some 25% of respondents said they had run into situations where a QR code, when scanned, did something they did not expect, including taking them to a malicious website. Slightly more than 37% said they would be able to spot a malicious QR code, while almost 70% said they’d be able to spot a URL to a phishing or other malicious website.
In the phishing campaign Abnormal detected, the attackers used previously compromised Outlook email accounts belonging to legitimate organizations to send the emails with malicious QR codes. When scanned, the codes led users to phishing pages designed to collect Microsoft credentials that were hosted on a legitimate enterprise survey service and connected to IP addresses on Google and Amazon domains. Based on available data, the campaign seems broad in scope and not targeted at specific organizations or individuals.
Hassold says that while the use of QR codes might have allowed the adversary to sneak their email past enterprise security filters, it remains unclear how the attackers expected the recipients to act once they received the email. Unlike malicious links and attachments, QR codes cannot be clicked on or opened. So for the attack to work, a user would first need to open the email on their computer and then scan the QR code with their mobile device. If they received the email on their mobile device, they would need to open it on a desktop system and then scan the QR code with their smartphone or another mobile device.
“While these campaigns have been effective at bypassing traditional email gateways, the practical aspects of getting a target to scan a QR code with a separate device seem to create a barrier that would result in a relatively low success rate,” Hassold says. “These campaigns are great examples, however, to show how cybercriminals are constantly evolving their tactics and trying new things to make their attacks more successful.”
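The gap the campaign exploited is that a gateway which only scans hyperlinks and attachments has nothing to inspect when the only "link" in the message is an inline image. The following added example (not code from Abnormal Security or from the original article) shows a triage step a mail pipeline could run before any QR decoding: it parses a message with Python's standard-library `email` module and flags messages that combine an inline image, a voicemail-style lure and no clickable URL at all. The sample messages, the sender and recipient addresses, and the placeholder image bytes are constructed for the example; the lure phrases are taken from the campaign described above and would need extending in practice. Decoding the image with a QR library and handing the recovered URL to the existing link scanner is the natural next step and is not part of this example.

```python
"""Triage messages whose only call to action is an inline image (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Lure phrasing reported for this campaign; a real rule set would be broader.
LURE_PHRASES = ("voicemail", "voice message", "missed call")

# Constructed placeholder: a PNG signature followed by zero bytes, not a real QR image.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report links, images, lure words and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bodies, images = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            bodies.append(part.get_content())
        elif ctype.startswith("image/"):
            images.append({
                "filename": part.get_filename(),
                # Rendered in the body if marked inline or referenced by Content-ID.
                "inline": part.get_content_disposition() == "inline"
                          or part["Content-ID"] is not None,
            })
    body = "\n".join(bodies)
    urls = URL_RE.findall(body)
    lure = any(p in body.lower() for p in LURE_PHRASES)
    inline_images = [i for i in images if i["inline"]]
    # A voicemail lure that renders an image but offers no URL to scan is the
    # pattern a link-only gateway check would wave through.
    suspicious = bool(inline_images) and not urls and lure
    return {"urls": urls, "images": images, "lure": lure, "suspicious": suspicious}


def _base(subject: str, body_text: str) -> EmailMessage:
    """Build a minimal message; addresses are constructed for the example."""
    m = EmailMessage()
    m["From"] = "accounts@partner.example"
    m["To"] = "user@corp.example"
    m["Subject"] = subject
    m.set_content(body_text)
    return m


def build_samples() -> dict:
    """Three constructed messages: the quishing lure and two benign controls."""
    quish = _base("New voicemail",
                  "You have a missed voicemail. Scan the QR code below to listen.")
    quish.add_attachment(FAKE_PNG, maintype="image", subtype="png",
                         filename="voicemail.png", disposition="inline",
                         cid="<qr1@partner.example>")
    # Same lure, but with an ordinary link the gateway can scan.
    link = _base("New voicemail",
                 "You have a missed voicemail: https://example.com/listen")
    # Inline image (a logo) plus a real link and no lure wording.
    logo = _base("Invoice attached",
                 "Please find the invoice at https://example.com/inv/42 .")
    logo.add_attachment(FAKE_PNG, maintype="image", subtype="png",
                        filename="logo.png", disposition="inline",
                        cid="<logo@partner.example>")
    return {"quishing": quish.as_bytes(),
            "plain_link": link.as_bytes(),
            "branded_link": logo.as_bytes()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        verdict = triage(raw)
        print(f"{name:13s} urls={len(verdict['urls'])} "
              f"images={len(verdict['images'])} lure={verdict['lure']} "
              f"suspicious={verdict['suspicious']}")
```

Only the first sample trips the rule; the second has a URL for the link scanner to follow, and the third has an inline image but no lure and a visible link. Note that sender reputation does not help here, since the campaign went out from compromised, legitimate Outlook accounts, which is why the check keys on message structure rather than on who sent it.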