Cyber security firm Sophos has flagged a new attack vector called ‘quishing’ (QR code phishing).
Sophos explains that this attack uses fraudulent QR codes embedded in PDF attachments sent via e-mail. These PDFs masquerade as legitimate documents such as payroll, employee benefits or other forms of official paperwork a business might send to an employee. They bypass corporate e-mail filters, since QR codes are not directly readable by computers, and employees are tricked into scanning the QR code with their mobile phone.
Sophos advises organisations to raise awareness among employees about this tactic and implement comprehensive mobile security strategies.
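One gateway-side response to the gap described above, as an added example that is not Sophos's code: once an upstream decoder (such as zbar, assumed here) has turned the QR images in a PDF attachment into their text payloads, the mail filter can triage those payloads the way it already triages links in the message body. The allowlist, shortener list and sample attachments below are constructed for illustration.

```python
# Added example: triage decoded QR payloads from PDF attachments.
# Assumes a decoder has already produced the payload strings; the
# hosts and samples here are constructed, not taken from any report.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

ALLOWED_HOSTS = {"hr.example.com", "intranet.example.com"}   # assumed org allowlist
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}               # illustrative subset


@dataclass
class Finding:
    attachment: str
    payload: str
    reason: str


def classify_payload(payload: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return a reason tag if a decoded QR payload looks like a quishing link, else None."""
    parsed = urlparse(payload.strip())
    if parsed.scheme not in ("http", "https"):
        return None                      # vCard, Wi-Fi config, plain text: no outbound link
    host = (parsed.hostname or "").lower()
    if host in allowed_hosts:
        return None
    # An allowed hostname embedded inside a longer, unlisted host is a lookalike
    # (e.g. hr.example.com.verify-account.net), typical of fake payroll/benefits pages.
    if any(allowed in host for allowed in allowed_hosts):
        return "qr-lookalike-host"
    if host in SHORTENERS:
        return "qr-url-shortener"        # hides the real destination from the scanner
    if parsed.scheme == "http":
        return "qr-plaintext-http"
    return "qr-external-host"            # unknown host: hand to URL reputation / sandbox


def triage(attachments: dict) -> list:
    """attachments maps attachment filename -> list of decoded QR payloads."""
    findings = []
    for name, payloads in attachments.items():
        if not name.lower().endswith(".pdf"):
            continue
        for payload in payloads:
            reason = classify_payload(payload)
            if reason:
                findings.append(Finding(name, payload, reason))
    return findings


# Constructed sample: one benign HR PDF, one with a lookalike and a shortener QR.
SAMPLE = {
    "benefits_2024.pdf": ["https://hr.example.com/benefits"],
    "payroll_update.pdf": ["https://hr.example.com.verify-account.net/", "https://bit.ly/x1"],
    "notes.txt": ["https://bit.ly/x2"],
}
```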
Andrew Brandt, principal researcher at Sophos X-Ops, says, “Our research has revealed that attacks that exploit this specific threat vector are intensifying both in terms of volume and sophistication, especially when it comes to the appearance of the PDF document.”
Beyond the social engineering tactics and the quality of the e-mails, attachments and QR code graphics, these attacks also seem to be better organised, says Brandt.
“Some malicious actors now offer as-a-service tools to run phishing campaigns using fraudulent QR codes,” he adds.
According to Brandt, in any given collection of reported spam in the company’s repository that has a PDF attachment, between 2% and 10% contain a quishing QR code.
“The impact is serious. The nature of the quishing threat is magnified by the way it redirects the password entry to happen on a mobile device. Most mobile devices are less well protected than laptops or desktops and may not even benefit from being behind a corporate firewall that could block malicious outbound connections because they have their own network.”
Phones become a sort of shadow IT, which makes it hard for enterprises to protect them, he says.
“So far, we have not seen quishing targeting private individual e-mail addresses. Attacks have all been targeted at employee addresses at organisations. The goal here is to obtain access to the enterprise network using the stolen credentials (password + MFA token data) immediately. There doesn’t appear to be any more discernible victimology than that. The targeted organisations represent a wide variety of business types and verticals. The one thing the targets have in common is that they all use an organisation’s e-mail address, and the attackers have done at least minimal background research on the organisation, because not all employees are being targeted,” explains Brandt.
The advice from Sophos is that employees should not advertise their exact role within a company on platforms like LinkedIn, which have been used in the past by criminals to identify specific people in particular roles at targeted organisations.