Blog: Social Engineering

QR Phishing. Fact or Fiction?

Tony Gee 15 Feb 2024

October 2023’s Cyber Security Awareness Month led to a flurry of blog posts about a new attack called Quishing (QR code phishing) and how new AI-powered email gateways can potentially block it.

What’s the attack?

To understand the attack you need to understand the challenge the attacker faces. Currently, most initial access attempts are carried out with social engineering, most commonly phishing. Why is that?

Well, it looks like people have finally got good at patching. According to the Verizon 2022 Data Breach Investigations Report (DBIR), only 5% of the breaches Verizon investigated involved the exploitation of a software vulnerability. This suggests that patching and secure development practices are working. However, the same report shows that the human element was involved in 74% of breaches.

So, to get initial access your only realistic attack path is the end user, and this is where phishing comes in. In a lot of cases it’s the only way to interact directly with staff. Because of that, email security software has improved, endpoint controls have become more effective, and attachment phishing is increasingly difficult because gateways now interrogate attachments heavily.

This leaves links as the most successful way to get interaction. The problem is that staff are trained to examine links. Alongside that, automated tools analyse links before they reach the victim, and web security tools and browsers prevent dodgy websites from loading.

Mobile security

All this makes it harder to exploit a desktop end user, but in a mobile world it’s very different. Here is Microsoft’s Zero Trust model as an example:

Source: https://www.microsoft.com/en-gb/security/business/zero-trust

 

Now let’s compare that to a typical defensive stack of a mobile platform:

OK, so I have oversimplified this for effect, but if we can get a victim to open a link on their phone there is very little beyond URL filtering to protect them.

Attack path

The QR attack solves that URL filtering problem for the attacker. Although vendors have said they can prevent QR attacks, it’s not easy. How many emails have you seen with signatures that contain QR codes?

It is possible to detect that an image is a QR code, but the presence of a QR code does not mean it’s malicious. Many people use them legitimately in email signatures and in email communications. So, there needs to be a mechanism to read the code and then analyse the link it encodes.

With that in mind the attacker simply needs to construct an email with some text and embed the QR code image in the message itself, base64-encoded, rather than referencing it from a web server. An embedded image renders even when Outlook is configured to block automatic download of pictures, because that control only applies to images fetched from a remote server; nothing is called or downloaded. One caveat: classic Outlook for Windows does not render base64 data: URI images, so the inline MIME attachment referenced by cid: is the form that renders in every client.

The embedded QR code will be shown and, with a suitable lure, the email can direct the victim to move from the secure desktop endpoint to a less secure mobile platform. The link is unlikely to have been scanned by URL filters, because at the time of scanning it is not a link at all, just pixels in an image.

The attacker can use a URL shortening service to obscure the destination further, so the domain shown in the small preview the camera app presents when the code is scanned tells the victim nothing, and the real destination is only visible once the redirect is followed.
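The mechanics described in this section, and the extraction step the text says a gateway needs before it can analyse the link, as an added example; this is not code from the original post. It is Python using only the standard library: one function builds the mail with the image carried inline (both as a cid: MIME part and as a data: URI, so it renders with remote-image blocking on and contains no http(s) link for a filter to find), the other walks the same message the way a gateway would and pulls out every inline image. The QR image is a constructed placeholder checkerboard PNG rather than a real code, and the sender and recipient addresses are hypothetical; decoding a real QR code from the extracted bytes would need an external decoder such as zbar.

```python
"""Added example (not code from the original post): build a QR-style
phishing mail with the image carried inline, then walk the same message
the way a gateway would to pull the image out for decoding.

Standard library only. The 'QR' image is a constructed placeholder
checkerboard PNG, not a real QR code; decoding a real code would need an
external decoder such as zbar run over the bytes this returns.
"""
import base64
import re
import struct
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import make_msgid

# Matches an inline data: URI image inside an <img src="..."> attribute.
DATA_URI = re.compile(r'src="data:image/(\w+);base64,([A-Za-z0-9+/=]+)"')
# What a URL filter is looking for: a real hyperlink in the body.
URL = re.compile(r"https?://", re.IGNORECASE)


def placeholder_png(size: int = 8) -> bytes:
    """Constructed stand-in for the QR image: a valid 8-bit greyscale
    checkerboard PNG built by hand (no imaging library needed)."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        body = tag + data
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)

    rows = b"".join(
        b"\x00" + bytes(0 if (x + y) % 2 else 255 for x in range(size))  # filter 0 + pixels
        for y in range(size)
    )
    ihdr = struct.pack(">IIBBBBB", size, size, 8, 0, 0, 0, 0)  # 8-bit greyscale, no interlace
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))


def build_quishing_mail(png: bytes, lure: str) -> bytes:
    """Attacker's side. The only 'link' is an image, carried two ways that
    both render with 'block automatic download of pictures' switched on:
    an inline MIME part referenced by cid:, and a data: URI. Nothing is
    fetched from the network and there is no http(s) URL for a link
    scanner to extract. Addresses are hypothetical."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Action required: re-enrol your authenticator"
    cid = make_msgid(domain="example.com")          # '<...@example.com>'
    data_uri = "data:image/png;base64," + base64.b64encode(png).decode()
    msg.set_content(lure)                            # text/plain fallback
    msg.add_alternative(
        f"<p>{lure}</p>"
        f'<p><img src="cid:{cid[1:-1]}" alt="QR code"></p>'
        f'<p><img src="{data_uri}" alt="QR code"></p>',
        subtype="html",
    )
    # Turn the text/html part into multipart/related carrying the image.
    msg.get_payload()[1].add_related(png, "image", "png", cid=cid)
    return msg.as_bytes()


def triage_inline_images(raw: bytes) -> dict:
    """Gateway side. Collect every inline image (the input a QR decoder
    would need) and record whether the HTML body carries any real URL.
    An HTML mail with images but no link is the shape this lure takes."""
    msg = message_from_bytes(raw, policy=policy.default)
    images = []
    html_has_url = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            # get_content() returns the base64-decoded image bytes.
            images.append({"via": "cid", "ref": str(part["Content-ID"]), "data": part.get_content()})
        elif ctype == "text/html":
            html = part.get_content()
            html_has_url = html_has_url or bool(URL.search(html))
            for fmt, b64 in DATA_URI.findall(html):
                images.append({"via": "data-uri", "ref": f"image/{fmt}", "data": base64.b64decode(b64)})
    return {
        "images": images,
        "html_has_url": html_has_url,
        "image_only_lure": bool(images) and not html_has_url,
    }


if __name__ == "__main__":
    qr = placeholder_png()
    mail = build_quishing_mail(qr, "Scan the code with your phone to keep your account active.")
    report = triage_inline_images(mail)
    print(f"inline images: {len(report['images'])}, html has URL: {report['html_has_url']}, "
          f"image-only lure: {report['image_only_lure']}")
```

The flag at the end (HTML that carries an image but no link) describes the shape of the lure, not proof of malice: legitimate signatures carry QR codes too, which is exactly why the decoded URL, not the presence of the image, has to be what gets analysed.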

So what?

You might be thinking “good luck getting an exploit onto a phone” and “but the exploit will only attack the mobile platform”.

These are common misconceptions about mobile devices. The explosion of M365 usage means that credentials can now be as valuable as a shell. Consider your VPN: many organisations have moved to M365 authentication to protect it.

If an attacker can capture credentials, or even session information, using an adversary-in-the-middle (AiTM) attack, your VPN is now accessible. The attacker can connect directly to your internal network with credentials phished from a mobile device.

AiTM phishing kits proxy the real login page, so the victim completes a genuine sign-in, MFA prompt included, while the adversary collects the credentials and the resulting session cookie; replaying that cookie gives access without a second MFA prompt. All of this can be captured trivially from a mobile device without touching the desktop endpoint and its controls.

How much of a threat is Quishing?

In December 2023 Microsoft shared a graphic showing how many QR code phishing emails they blocked weekly:

Source: https://techcommunity.microsoft.com/t5/icrosoft-defender-for-office/protect-your-organizations-against-qr-code-phishing-with/ba-p/4007041

 

If this is to be believed it suggests they block nearly a billion QR phishing emails a year (18 million a week), which does seem a lot.

It’s hard to get current statistics from Microsoft, but in the Microsoft Digital Defense Report for 2022 they stated they blocked 70 billion threats. The more recent 2023 report doesn’t use the same statistics; instead it states they block 4,000 identity attacks per second. Whichever way you analyse it, 18 million QR code phishing emails a week feels a little high; perhaps they mean they have detected 18 million emails containing QR codes.

One organisation suggested that in the first few weeks of October 2023, 22% of all phishing emails were QR code attacks. Another suggested it blocked 3,000 such emails in one day, which doesn’t sound like much at all when it’s estimated that 3.4 billion phishing emails are sent every day.

It’s unclear if this continues to be the case, or whether it has risen or fallen. However, to date our DFIR teams have not been asked to investigate this type of attack. Our Red Teams do occasionally consider using it, depending on the organisation’s control environment, but it is not routinely used. The NCSC has issued some recent well-tempered advice.

What is clear is that this is a growing threat which needs attention, with more and more threat actors building this in to their phish kits.

How do I stop it?

There are vendors who say they can prevent QR code phishing, but in reality most are finding it challenging. Microsoft say they can detect QR images and analyse the URL embedded in them.

Most other vendors are simply highlighting the threat, although, like Microsoft, they say they analyse email intelligence (who the sender is, how often they send, whether there is an existing relationship), which is commonly used on all email to build a spam score. Some vendors suggest they use AI to detect QR lures alongside standard email intelligence.

Conclusion

In short, the technical control environment is currently weak. This leaves end user awareness and training as the key control. Training staff to be vigilant when they encounter QR codes in email is key; recent press has highlighted individual cases of personal exploitation, which help raise awareness, but more needs to be done. Where the ultimate target is an M365 session, phishing-resistant MFA (FIDO2 security keys or passkeys) and Conditional Access policies that require a managed device blunt the AiTM step regardless of how the lure arrives.

However, in our experience this does seem to be less of a threat than cyber security suppliers would have had you think back in October 2023, so when prioritising risk remediation consider assigning it a lower likelihood than traditional URL phishing.