QR codes (Quick Response) have been with us since the 90s, but it has been in recent years and especially since the pandemic that their use has become common. Their popularity, as expected, meant that they also became a form of scam used by cybercriminals through what is known as Quishing or QRishing, a variation of phishing that uses this communication format to trick victims. The cybersecurity firm Check Point has warned of the increase in quishing scams since last summer and explains How cybercriminals are managing to evade email providers' security solutions with a new type of QR codes.
The term quishing comes of the combination of QR and phishing. Phishing is a technique that seeks to trick victims into revealing personal information, such as passwords and banking details, posing as a trustworthy entity such as a bank, a well-known company or service, or an institutional body. They are the well-known cases of identity fraud whose campaigns regularly make headlines.
The first quishing attacks used malicious QR codes to request multi-factor authentication (MFA) from the victim with some excuse invented by cybercriminals. They receive an email requesting that they scan a QR code to verify their identity in a service or access certain information. These codes, when scanned, They direct her to a fraudulent website that collects her credentials.
As quishing techniques became more sophisticated, cybercriminals began using what Check Point calls conditional routing attacks. This method adjusts the link content based on the user's device. For example, a link might display a different page if accessed from an iPhone instead of a computer. In addition, cybercriminals began to personalize QR codes, incorporating company logos and user names to make the hoax more credible.
The latest evolution in quishing that Check Point warns about has been the creation of QR codes using ASCII and HTML characters instead of traditional images.
This method aims bypass Optical Character Recognition (OCR) systems, which many security solutions use to detect malicious QR codes. Attackers generate these QR codes in text format, with a look very similar to the traditional ones which makes it appear legitimate to users and go unnoticed by automated security systems. 'The presence of ASCII characters in the QR code can lead security systems to overlook the risk, mistakenly interpreting email as secure', Explain Check Point.
Thus, ASCII-based QR codes are particularly dangerous because they manage to avoid the OCR engines that should detect them, can be generated automatically and configured to include links to fraudulent sites or to download malware to the device. This trend is on the riseaccording to Harmony Mail researchers reported by Check Point.