CyberWire Daily - Quishing for trouble. [Research Saturday]

Episode Date: December 21, 2024

Adam Khan, VP of Security Operations at Barracuda, joins to discuss his team's work on "The evolving use of QR codes in phishing attacks." Cybercriminals are evolving phishing tactics by embedding QR codes, or “quishing,” into PDF documents attached to emails, tricking recipients into scanning them to access malicious websites that steal credentials. Barracuda researchers found over half a million such emails from June to September 2024, with most impersonating brands like Microsoft, DocuSign, and Adobe to exploit urgency and trust. To counter these attacks, businesses should deploy multilayered email security, use AI-powered detection tools, educate employees on QR code risks, and enable multifactor authentication to safeguard accounts. The research can be found here: Threat Spotlight: The evolving use of QR codes in phishing attacks

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. We don't see QR codes being attached or shared, but it is becoming more prevalent in our day-to-day lives. When we are going to even certain restaurants, they don't even have a menu anymore.
Starting point is 00:01:42 They give you a QR code. And when it comes to emails, more and more companies are trying to use QR codes, but it's a fast way to engage. That's Adam Khan, VP of Security Operations at Barracuda. The research we're discussing today is titled, The Evolving Use of QR Codes in Phishing Attacks. You know, as tactics are evolving when it comes to phishing, and our researchers are always digging into how cyber criminals are advancing and utilizing new tactics and techniques. And the data that proves over, as you saw in the article, over half a million emails that were analyzed, that had PDF documents, and even the emails
Starting point is 00:02:46 themselves had QR codes included in them, impersonating legitimate brands such as Microsoft, including the tools within Microsoft such as SharePoint or OneDrive. And even companies like DocuSign or Adobe are being utilized by these cyber criminals to execute QR phishing attacks. So obviously, it's not very commonly known. And it was really, the data kind of resonated overall how it's kind of growing over time. Well, before we dig into some of the specifics from the report, you know, for folks who may not be familiar with this particular kind of phishing, it's often called quishing, QR code phishing. I think most folks are familiar with what a QR code is at this point.
Starting point is 00:03:30 But how typically does a QR code get attached to a phishing attack? So it's obviously not a normal thing, right? We don't see QR codes being attached or shared, but it is becoming more prevalent in our day-to-day lives. When we are going to even certain restaurants, they don't even have a menu anymore. They give you a QR code. And when it comes to emails, more and more companies are trying to use QR codes, but it's a fast way to engage with users and get them to either buy their products or learn about some of their services.
Starting point is 00:04:10 And as this is happening, cybercriminals are actually taking advantage of those tactics and being able to utilize. So yeah, it's kind of becoming more and more norm publicly, and now businesses are utilizing those as well. Well, let's dig into the research here together. You all took sort of an extended look at phishing emails that had QR codes embedded in them? Yeah, that's correct. So we actually did the research from all the way from June to September's end. And over, like I said, half a million emails that had PDF attachments and QR codes embedded in them. And they're impersonating legitimate brands such as Microsoft.
Starting point is 00:05:03 It's a public company that a lot of people are utilizing their products and services, especially in the business sector. It becomes an easy tactic for attackers to engage users into utilizing verbiage such as urgency to take some of those actions. And the research found that Microsoft was about 51% of the overall QR code attacks that we've been able to attribute to,
Starting point is 00:05:37 followed by 31% to DocuSign and 15% were attributed to Adobe. And what do these typically look like? I mean, are they impersonating login pages of these popular brands? How does it shape up here? Great question. So the cyber criminals are tricking victims by sending them basically a one-pager document, right, or embedding the QR code within the email itself. They're asking users to verify their accounts or reactivate their MFA or review or document
Starting point is 00:06:15 via DocuSign or Adobe. And the way it looks like you will have a message from the attacker, and this could be a spoofed email that they could do. They could utilize to generate this email, and they'll embed the QR code in the email itself or the attachment. And the attachment basically has, hey, this is a message from your administrator or from Microsoft, the vendor itself, asking you to verify your credentials or reactivate your MFA. And when the users are utilizing their phones, they're urged to use their phone's camera to scan the QR code, which takes them to an actual malicious website where these attackers are able to get their login credentials or distribute malware on the mobile device or take them to a fake payment portal site.
Starting point is 00:07:16 We'll be right back.
Starting point is 00:08:57 You know, it's interesting when I think about the evolution of some of these attacks. You know, we've said for years, you know, never click the links. And I think we would give folks advice that, you know, if there's a link in an email or something like that, hover over that link so you can see what the actual URL is beneath the text of the link. But it seems to me that in some ways, QR codes kind of short circuit that kind of scrutiny. Absolutely, yeah. It's bypassing the whole concept of embedding URLs inside
Starting point is 00:09:51 some sort of image. You actually have an image, which is the QR code, which is taking you to another site. So it becomes very tricky for users to kind of being able to see, okay, this is a phishing email, or this is something that's malicious and I shouldn't engage with it. So yeah, it's definitely a new tactic, and it's very clever that these cyber criminals are utilizing. Does using QR codes make it easier for these messages to bypass, say, spam filters? To a certain extent, it does, right?
Starting point is 00:10:29 Spam filters are basically looking at certain content and certain URLs and certain domains. But when you look at advanced email protection software, and then that's actually utilizing AI to do image recognition. When it sees images such as QR codes, it's able to block them before it reaches the user's email. So what are your recommendations then? I mean, based on the information you all have gathered here, how should folks go about best protecting themselves?
Starting point is 00:11:04 So I think there's a couple of things users need to look at, right? So one of the first things is look at unexpected emails, like receiving an email with a QR code from an unfamiliar email address, especially if it contains unsolicited attachment and link is the red flag, right? You're getting it from an untrusted source, let's say. Getting it from a source that you're not familiar with is another one. Promotion offers is another big thing. I know it's very tempting, some of these QR codes that are being sent, and the offers seem to be too good to be true,
Starting point is 00:11:44 and they're often presented with a QR code to trap the user. And there's, again, some suspicious messages that could be sent where they're asking you to take immediate action and payment. I think these all kind of fall into the user awareness and training category. So making sure the users understand what QR code phishing is, what type of tactics are utilized, and how to go about protecting against those is key. So I would put that in one category. The other thing is utilizing a multilayered email security that leverages AI.
Starting point is 00:12:28 These tactics are so advanced. And like you mentioned, spam filters only are going after certain domains and certain artifacts within the email. But when you have images and AI, as we've seen, is really good at analyzing these images, being able to decipher between a legitimate one and a malicious one. So having a multilayered security helps protect against these attacks before they reach the users themselves. say, can't stress enough, there's so many organizations, Dave, that I deal with on an ongoing basis that still don't have MFA enabled across the entire infrastructure, right? Protecting against not just QR code phishing, but against multiple attacks. So those are the three big buckets, I would say. Our thanks to Adam Khan from Barracuda for joining us. The research is titled The Evolving Use of QR Codes in Phishing Attacks. We'll have a link in the show notes. That's Research Saturday,
Starting point is 00:13:42 brought to you by N2K Cyber. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
Starting point is 00:14:11 from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our publisher.
Starting point is 00:14:30 And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
