Hackers are stepping up ‘qishing’ attacks by hiding malicious QR codes in PDF email attachments
Malicious QR codes hidden in email attachments may be missed by traditional email security scanners, with over 500,000 qishing attacks launched in the last three months


Hackers are refining their ‘qishing’ techniques by hiding malicious QR codes in PDF documents attached to emails impersonating major organizations.
New research from Barracuda Networks highlighted the rapid evolution of qishing attacks – a social engineering technique that uses QR codes to redirect users to phishing pages – which has grown over the last three months.
Threat intelligence researchers at Barracuda detected more than half a million phishing emails with QR codes embedded in PDF documents between 20 June and 18 September 2024.
The report noted a shift from embedding the QR codes directly into the emails themselves to hiding them in PDFs attached to the message.
Most of the attack samples analyzed by Barracuda involved impersonating reputable companies, such as Microsoft, which represented the majority of qishing attacks in this period.
Messages mimicking emails from Microsoft's SharePoint and OneDrive services comprised over half (51%) of all attacks detected.
DocuSign was also a popular brand to impersonate, accounting for 31% of the phishing messages caught by Barracuda, followed by Adobe at 15%.
The report added that a smaller percentage of the phishing attacks it studied were tailored to the target, pretending to originate from the HR department of the victim’s organization.
Barracuda noted that certain industries, such as finance, healthcare, and education, are increasingly being targeted with qishing attacks, owing to the large quantities of sensitive data they manage.
In addition, SMBs were highlighted in the report as particularly vulnerable to these attacks, since they lack the advanced security layers needed to pick up these more sophisticated phishing techniques.
New qishing tactic could spell trouble for SMBs
Barracuda noted that the shift in tactics from embedding the QR codes into the body of the email to hiding them in attached PDF documents makes it more difficult for traditional defenses to identify and block the threats.
The attack vector also involves the victim using multiple devices, often scanning the code with their personal phone, which is likely not protected with the same level of security software as a corporate device, the report warned.
Kyle Blanker, manager of software engineering at Barracuda, warned businesses that their traditional email security systems could be ill-equipped to deal with these new attacks.
“Traditional email threat scanners can miss phishing content and malicious payloads if they are embedded within PDFs, which makes this an attractive tactic for attackers trying to evade detection. Between June and September our security technologies detected around half a million attempted attacks where weaponized QR codes were embedded in PDFs,” he explained.
The time required to launch a phishing attack, as well as its cost, is relatively low compared to other attack vectors, Blanker added, arguing this is why threat actors are able to swiftly augment their tactics to get around cyber defenses.
“Phishing is a relatively low cost, easy to implement attack vector with potentially high rewards, so it is not surprising that attackers are continuously trying new approaches to overcome the latest advances in protection,” he said.
“For example, our security researchers have recently reported on a new generation of phishing QR codes built from text-based ASCII/Unicode characters, and using specially crafted URLs to create hard-to-detect phishing pages.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.