Recently we’ve been seeing quite a few phishing campaigns using QR codes in email attachments.
The lure and the targets are varied, but the use of a QR code to get someone to visit the phishing site is fast becoming a preferred method for cybercriminals.
There are several reasons why cybercriminals might want to use QR codes:
- The QR code is likely to be scanned with a phone, and phones are often less well protected against malicious websites, or not protected at all.
- Phones are also likely to be personal devices, which gives attackers a direct path to sensitive personal accounts. For example, banking apps will often be installed on the same device.
- QR codes are impossible for humans to identify as malicious at first glance.
- Links in emails are usually analyzed by email filters, whereas QR codes can be embedded as an image, which many email filters will ignore.
- The use of QR codes in other applications, like banking apps, may invoke a certain level of trust.
Combined with other known phishing techniques, QR codes provide criminals with a potent tool for collecting usernames and passwords, distributing malware, and other malicious activities.
Since any QR code scanner should show you the URL before following the link, the phishers often combine the use of QR codes with that of URL shorteners to further hide the real destination.
The attackers can even embed the QR codes in professionally designed documents mimicking HR portals, payroll updates, tax reviews, or e-signature services (e.g. DocuSign, Adobe), which increases the perceived legitimacy of the phish. Here’s one example we’ve seen:

“To conveniently access and navigate the contents of the updated Employee Handbook, please scan the QR code provided below. This will direct you to the digital version of the handbook for easy reference and exploration.
{QR code}
Should you have any questions, Please do not hesitate to contact the HR department.”
The employee handbook example above comes from a four-page document presenting a handbook that has supposedly been updated; it ends with step-by-step instructions to open the QR code with the smartphone's camera app:

“Step-by-step guide
1. Open your camera app:
Launch the camera app on your smartphone
2. Point at the QR code:
Align your camera lens with the QR code, ensuring it is fully visible within the frame.
3. Wait for recognition:
Your phone will automatically detect the QR code and display a notification or link on the screen.
4. Access the content:
Tap on the notification or link to open the information associated with the QR code.”
The QR code in this example took anyone who followed the link to a website that redirected based on the email address. Personal email addresses would see generic advertising, but corporate email addresses would be prompted to log in with their Microsoft account.

So this one was clearly looking to compromise a corporate account, but it is easy to imagine how a phisher with a different goal could take a list of email addresses obtained in a breach and run a targeted campaign against it.
Malwarebytes customers were protected against this phishing site.


What can you do to avoid QR code phishing?
Keep your device up to date
Many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.
You’ll get notifications when updates are available, but you can also check for them yourself. For most phones it works like this: under About phone or About device, tap Software updates to check whether new updates are available for your device. There may be slight differences depending on the brand, type, and Android version of your device.
Scan a QR code with the same security mindset as clicking a link
If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link, and look for another way to get the information or download you want.
Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable features like these.
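The two checks recommended above, showing the full URL and refusing to open anything that hides its destination (including the URL shorteners mentioned earlier), can be expressed as a small triage routine. This is an added example, not code from the article or from Malwarebytes; it assumes the QR image has already been decoded to a string by a QR library, and the shortener list and sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of well-known link-shortener hosts (not from the article).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy"}


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload the way a cautious scanner app should
    before opening anything: return the full target and every reason to stop."""
    payload = payload.strip()
    reasons = []
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # wifi:, tel:, mailto:, intent: and bare strings trigger device actions,
        # not a page view, so never auto-execute them
        reasons.append(f"non-web scheme '{scheme or 'none'}'")
        return {"url": payload, "host": "", "open": False, "reasons": reasons}
    host = (parts.hostname or "").lower()
    if scheme == "http":
        reasons.append("plain http, no TLS")
    if parts.username is not None:
        # "https://microsoft.com@attacker.example/" puts a trusted name first
        reasons.append(f"credentials/decoy before host: '{parts.username}@'")
    if host in SHORTENER_HOSTS or any(host.endswith("." + s) for s in SHORTENER_HOSTS):
        reasons.append(f"link shortener {host} hides the real destination")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if "xn--" in host:
        reasons.append("punycode (IDN) host, possible look-alike domain")
    return {"url": payload, "host": host, "open": not reasons, "reasons": reasons}


# Constructed sample payloads modelled on the handbook lure described above.
SAMPLES = [
    "https://bit.ly/3hr-handbook",
    "https://microsoft.com@login-check.example/auth",
    "https://hr.example.com/handbook.pdf",
    "WIFI:T:WPA;S:corp;P:secret;;",
]

if __name__ == "__main__":
    for p in SAMPLES:
        v = triage_qr_payload(p)
        print("OPEN" if v["open"] else "STOP", v["url"], "; ".join(v["reasons"]))
```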
Use anti-malware protection on your devices
Your mobile devices need protection just as much as your computer. Malwarebytes protects devices with Malwarebytes for Android and Malwarebytes for iOS.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.