Image: Thom Holmes (unsplash)
A major U.S. energy company was the primary target of a phishing campaign that used QR codes to deliver malicious emails and, in doing so, slipped past the email security controls in front of it.
Of the roughly 1,000 emails tied to the campaign, about 29% were aimed at that energy company. The remainder targeted manufacturing (15%), insurance (9%), technology (7%) and financial services (6%).
Cofense, which identified the campaign, said it was the first time it had seen QR codes used in phishing at this scale, and suggested that attackers may be testing QR codes as an intrusion vector.
Cofense did not name the energy company, describing it only as a major player in the U.S. energy sector.
The Mechanics of the QR Code Tactic
The attack starts unobtrusively: targets receive an email claiming that their Microsoft 365 account settings need to be updated. The email carries a PNG or PDF attachment containing a QR code, and the recipient is urged to scan it to "confirm" the account, with a deadline of 2-3 days to add pressure.
Because the QR code is embedded in an image, the malicious URL never appears as text in the message. Email security tools that look for known-bad links find nothing to match, so the email is far more likely to reach the recipient's inbox. Scanning the code also moves the victim from the corporate mailbox to a phone, which is often outside the organization's web proxy and URL-filtering controls.
To frustrate analysis further, the QR codes point at redirectors hosted on legitimate platforms, including Bing, Salesforce and Cloudflare's Web3 services, which then forward the victim to a fake Microsoft 365 login page.
Hiding the URL inside a QR code, abusing trusted platforms as redirectors and base64-encoding the final destination inside the redirect link all help the messages get past email security controls. The practical consequence for defenders is that the real destination is only visible after the image has been decoded and the redirector's parameters unwrapped; a scanner that stops at "the link points to bing.com" has not seen the phishing page.
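The redirect-chain check described above, as an added example that is not Cofense's code or part of the original report. It works on the string a QR decoder (pyzbar, zxing or similar) hands back from the attachment and never touches the network: each hop is recovered from the parameters embedded in the previous URL, including base64-encoded ones. The sample payloads, the `/r?url=` Salesforce-style redirector, the "a1" + base64 layout of the Bing `u` parameter and the `.example` landing domains are constructed for the example; the Microsoft sign-in host list is an assumption the article does not make.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# Hosts a genuine "update your Microsoft 365 settings" link could legitimately land on.
# Real hosts, but the list itself is an assumption for this example, not from the report.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}


def b64url_nopad(text: str) -> str:
    """URL-safe base64 without '=' padding, the form commonly seen in redirector query strings."""
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")


def wrap_bing(target: str) -> str:
    """Constructed Bing-style click-tracking URL: the target rides in 'u' as 'a1' + base64."""
    return f"https://www.bing.com/ck/a?!&&p=0123456789abcdef&u=a1{b64url_nopad(target)}&ntb=1"


def wrap_plain(redirector: str, target: str) -> str:
    """Constructed generic redirector whose 'url' parameter holds a percent-encoded target."""
    return f"{redirector}?url={quote(target, safe='')}"


def decode_embedded_url(value: str) -> Optional[str]:
    """Return the URL hidden in one query-parameter value, or None.

    Accepts a plain URL, or standard/URL-safe base64 with optional padding and an
    optional 'a1' prefix (the Bing layout assumed above).
    """
    if value.startswith(("http://", "https://")):
        return value
    candidates = [value, value[2:]] if value.startswith("a1") else [value]
    for cand in candidates:
        padded = cand + "=" * (-len(cand) % 4)
        try:
            decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not base64, or base64 of something that is not text
        if decoded.startswith(("http://", "https://")):
            return decoded
    return None


def unwrap_redirects(url: str, max_hops: int = 5) -> list:
    """Follow redirector parameters offline and return the chain of URLs, first to last."""
    chain = [url]
    for _ in range(max_hops):
        nxt = None
        for values in parse_qs(urlparse(chain[-1]).query).values():
            nxt = next((u for u in map(decode_embedded_url, values) if u), None)
            if nxt:
                break
        if not nxt or nxt in chain:  # no further hop, or a loop
            break
        chain.append(nxt)
    return chain


def assess_qr_payload(payload: str) -> dict:
    """Judge a decoded QR payload delivered under a 'confirm your Microsoft 365 account' lure."""
    chain = unwrap_redirects(payload)
    first_host = urlparse(chain[0]).netloc.lower()
    final_host = urlparse(chain[-1]).netloc.lower()
    return {
        "chain": chain,
        "final_host": final_host,
        # A trusted domain that merely forwards elsewhere is the redirector abuse described above.
        "redirector_abuse": len(chain) > 1 and first_host != final_host,
        # For an M365 lure, anything not ending on a Microsoft sign-in host deserves a block.
        "suspicious": final_host not in MICROSOFT_LOGIN_HOSTS,
    }


# Constructed sample payloads: the strings a QR decoder would return from the attachments.
SAMPLE_QR_PAYLOADS = [
    wrap_bing("https://m365-settings-update.example/login?user=jdoe"),
    wrap_plain("https://example.my.salesforce.com/r",
               wrap_bing("https://sso-verify.example/o365")),  # two legitimate hops
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc123",
]

if __name__ == "__main__":
    for payload in SAMPLE_QR_PAYLOADS:
        result = assess_qr_payload(payload)
        hops = " -> ".join(urlparse(u).netloc for u in result["chain"])
        print(f"{hops} | suspicious={result['suspicious']}")
```

The decoding step is the part a gateway can do safely; actually fetching the first hop would hand the attacker a signal and may be served benign content to scanners anyway. Note that the chain is recovered only when the redirector carries its target in the query string; a server-side redirect that keeps the target in a database entry (a short-link service) yields a one-element chain and has to be judged by the redirector host alone.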
QR Codes: A History in Phishing
QR codes in phishing are not new, but earlier campaigns were smaller and more localized, with examples noted in France and Germany. Criminals have long coaxed people into scanning QR codes that lead to malicious sites, with aims ranging from spreading misinformation to stealing money.
In early 2022 the FBI issued an advisory warning that cybercriminals were increasingly using QR codes to harvest personal and financial information.
A QR code only works if the target scans it, so the human element is itself a line of defense, provided people are trained to be suspicious of unsolicited codes. Modern smartphones also show the decoded URL and ask for confirmation before opening the browser, which gives the user one more chance to notice something odd. That prompt offers less protection here than it appears to: with the redirectors described above, the URL the phone displays belongs to Bing, Salesforce or Cloudflare, not to the phishing page.
Beyond awareness training, Cofense recommends adding image-recognition tools to anti-phishing controls so that QR codes inside attachments are decoded and the embedded URLs inspected like any other link. Such tools are not a complete defense against every QR-based lure, and the decoded URL still has to be unwrapped through any redirectors before it can be judged.