Researchers at Abnormal Security have identified a new phishing campaign that used QR codes to trick victims into giving away their credentials instead of the usual malicious attachment or link. The threat actor used compromised email accounts within the organization to share the phishing email and used a lure of a missed voicemail. All the QR code images were created the same day they were sent, which makes it likely that they had not been reported as malicious previously. Abnormal Security stated that when scanned, the codes led users to phishing pages hosted on Google and Amazon domains. It is unclear how well the threat actor anticipated the emails to work. Due to the fact that QR codes need to be scanned manually, it is a longer process for the victim as opposed to simply clicking a link. According to the Better Business Bureau, a survey conducted on 4,400 Americans showed that just over 37% would be able to identify when a QR code is malicious.
Analyst Notes
As with any phishing campaign, organizations should train employees to spot malicious emails. As the threat landscape changes, so should the defensive measures that are put in place. This includes new training for employees that teaches them how to spot malicious QR codes, as well as other phishing emails. It is important for organizations to keep track of accounts that may have been compromised previously and ensure those email addresses are being secured, including changing the password. The Binary Defense Counterintelligence Service helps monitor for third party breaches as well as email lists on the Darknet and can alert an organization to these lists. This allows the organization to force password resets on these email accounts, which helps prevent threat actors from using a compromised email to carry out attacks within an organization.
https://www.dar kreading.com/attacks-breaches/qr-codes-help-attackers-sneak-emails-past-security-controls
https://abnormalsecurity.com/blog/qr-code-campaign-bypass-security
