Barracuda threat analysts have uncovered two innovative techniques being used by cyber attackers to help malicious QR codes evade detection in phishing attacks. The techniques, detailed in a new threat report, involve splitting a malicious QR code into two to confuse traditional scanning systems or nesting the malicious QR code within or around a second, legitimate QR code.
Quishing is a form of phishing that involves the use of QR codes embedded with malicious links that, when scanned, redirect victims to fake websites designed to steal their credentials or other sensitive information.
The analysts found the split and nesting techniques in attacks by leading phishing-as-a-service (PhaaS) kits Tycoon and Gabagool.
Split QR codes
The Gabagool attackers were implementing split QR codes in a fake Microsoft ‘password reset’ scam. Their technique involves splitting the QR code into two separate images and embedding them close together in a phishing email. To the human eye, it looks like a single QR code. However, when traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code. If the recipient scans the image, they are directed to a phishing website designed to steal credentials.
Nested QR codes
The Tycoon PhaaS was found using the nesting technique to wrap a malicious QR code around a legitimate QR code. The toxic outer QR code pointed to a malicious URL, while the inner QR code led to Google. This technique is likely designed to make it harder for scanners to detect the threat because the results are ambiguous.
“Malicious QR codes are popular with attackers because they look legitimate and can bypass traditional security measures such as email filters and link scanners,” said Saravan Mohankumar, Manager, Threat Analysis team at Barracuda. “Since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection. Attackers will keep trying new techniques to stay one step ahead of adapting security measures. It’s an area where integrated, AI-powered protection can make a difference.”
Defending against evolving QR codes
Alongside the essential basics of security awareness training, multifactor authentication, and robust spam and email filters, organizations should consider multi-layered email protection that integrates multimodal AI capability to detect rapidly evolving threats. Multimodal AI enhances detection by identifying, decoding and inspecting the QR code without needing to extract the embedded content.
