QR codes are being used to deliver phishing links. In a phishing campaign estimated to have launched in May 2023, threat actors utilize QR codes to redirect users to a harmful location.
This campaign targets users' Microsoft credentials by asking them to scan a QR code, supposedly for multi-factor authentication or two-factor authentication. The emails also add urgency by saying this must be done in the next couple of days. This phishing campaign was discovered by Cofense, a US cybersecurity firm.
Over 1000 emails were sent: 29% went to a major US energy company, and the rest were distributed among companies in the manufacturing, insurance, technology, and financial services industries.
In the past, QR codes have not been as much of a threat. They have not been a popular method for phishing campaigns because a target typically scans a QR code with their phone, which can give a preview of the URL (on most modern devices). Scanning a QR code on someone’s phone also puts them outside of their company’s protection.
However, QR codes are a way for scammers to get their URL into an email while bypassing security procedures, like email spam filters. Security measures around emails include scanning email content and checking included links for malicious intent. At this time, scanning QR codes and checking links in a doc hosted on OneDrive, Google Drive, or Adobe Cloud is more difficult. Cofense hypothesizes that this campaign is meant to test the viability of QR scams.
Threat actors also use redirects to get past security scanning and to bury the harmful URL. Most links were redirected through Bing, though other sites included domains associated with Salesforce (krxd.com) and Cloudflare (cf-ips.com).
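For defenders, the redirect layering described above can be peeled back offline once a QR image has been decoded to a URL string by a separate tool. The following is an added example, not code from Cofense or the original article; the sample URLs, their paths and parameter names, and the `.example` hosts are constructed and do not reflect the real services' redirect formats.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Redirector domains named in the article; extend from your own telemetry.
REDIRECTOR_DOMAINS = {"bing.com", "krxd.com", "cf-ips.com"}

# Constructed samples: paths, parameter names and .example hosts are invented.
SAMPLES = [
    "https://www.bing.com/redir?id=7&target=https%3A%2F%2Ftrack.krxd.com"
    "%2Fgo%3Fdest%3Dhttps%253A%252F%252Fmfa-update.example%252Flogin",
    "https://www.bing.com/search?q=qr+code+safety",
]

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in REDIRECTOR_DOMAINS)

def _embedded_url(url):
    """Return the first http(s) URL carried in a query parameter, or None."""
    for _key, value in parse_qsl(urlsplit(url).query):
        for _ in range(4):  # parse_qsl decodes once; allow a few extra layers
            if value.lower().startswith(("http://", "https://")):
                return value
            value = unquote(value)
    return None

def unwrap(url, max_hops=5):
    """Peel nested redirect targets offline; outermost URL first."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = _embedded_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def assess(url):
    """Summarise where a QR-decoded URL really leads and whether it hides there."""
    hosts = [_host(u) for u in unwrap(url)]
    via = [h for h in hosts[:-1] if _on_watchlist(h)]
    return {"final_host": hosts[-1], "hops": len(hosts) - 1,
            "via_redirector": via,
            "suspicious": bool(via) and hosts[-1] != hosts[0]}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

Only plain and percent-encoded targets are unwrapped here; a target wrapped in another encoding would show zero hops and needs a sandboxed resolver instead.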
Threat actors can also get harmful QR codes into a user’s inbox by hiding them in other images, embedding them in a PDF or PNG file, or attaching them as if they were an ordinary image.
Since May, there has been an increase of over 2,400% in QR code phishing emails. The technique was not widely used before but has seen a large increase in usage recently.
Be aware of the dangers and continue to be wary of any image attachments in emails.
Microsoft will not ask a user to scan a QR code as part of an authentication process. They will go through standardized methods of authentication, like number matching or inputting a six-digit code from an authenticator app.