Hackers are stepping up ‘qishing’ attacks by hiding malicious QR codes in PDF email attachments
Malicious QR codes hidden in email attachments may be missed by traditional email security scanners, with over 500,000 qishing attacks launched in the last three months
Hackers are refining their ‘qishing’ techniques by hiding malicious QR codes in PDF documents attached to emails impersonating major organizations.
New research from Barracuda Networks highlighted the rapid evolution of qishing attacks – a social engineering technique that uses QR codes to redirect users to phishing pages – which has grown over the last three months.
Threat intelligence researchers at Barracuda detected more than half a million phishing emails with QR codes embedded in PDF documents between 20 June and 18 September 2024.
The report noted a shift from embedding the QR codes directly into the emails themselves to hiding them in PDFs attached to the message.
Most of the attack samples analyzed by Barracuda involved impersonating reputable companies, such as Microsoft, which represented the majority of qishing attacks in this period.
Messages mimicking emails from Microsoft's SharePoint and OneDrive services comprised over half (51%) of all attacks detected.
DocuSign was also a popular brand to impersonate, accounting for 31% of the phishing messages caught by Barracuda, followed by Adobe at 15%.
The report added that a smaller percentage of the phishing attacks it studied were tailored to the target, pretending to originate from the HR department of the victim’s organization.
Barracuda noted that certain industries, such as finance, healthcare, and education, are increasingly being targeted with qishing attacks, owing to the large quantities of sensitive data they manage.
In addition, SMBs were highlighted in the report as particularly vulnerable to these attacks, since they lack the advanced security layers needed to pick up these more sophisticated phishing techniques.
New qishing tactic could spell trouble for SMBs
Barracuda noted that the shift in tactics from embedding the QR codes into the body of the email to hiding them in attached PDF documents makes it more difficult for traditional defenses to identify and block the threats.
The attack vector also involves the victim using multiple devices to scan the code, often their personal phone, which is likely not protected with the same level of security software as a corporate device, the report warned.
Kyle Blanker, manager of software engineering at Barracuda, warned businesses that their traditional email security systems could be ill-equipped to deal with these new attacks.
“Traditional email threat scanners can miss phishing content and malicious payloads if they are embedded within PDFs, which makes this an attractive tactic for attackers trying to evade detection. Between June and September our security technologies detected around half a million attempted attacks where weaponized QR codes were embedded in PDFs,” he explained.
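As an added illustration of the detection gap described above (not code from Barracuda or the report), the following sketch walks an email's PDF attachments and flags any that carry embedded images, so they can be routed to image-level QR decoding rather than text and URL scanning alone. The function names, sample message and byte-pattern heuristic are assumptions made for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristic markers for uncompressed PDF dictionaries (assumption: a PDF that
# packs objects into compressed streams needs a real PDF parser instead).
IMAGE_XOBJECT = re.compile(rb"/Subtype\s*/Image")
URI_ACTION = re.compile(rb"/URI\s*\(")

def triage_pdf_attachments(raw_email: bytes) -> list:
    """Report, per PDF attachment, embedded images and link actions."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Trust the magic bytes as well as the declared MIME type.
        if part.get_content_type() != "application/pdf" and not data.startswith(b"%PDF-"):
            continue
        images = len(IMAGE_XOBJECT.findall(data))
        report.append({
            "name": part.get_filename() or "(unnamed)",
            "images": images,
            "links": len(URI_ACTION.findall(data)),
            # Any raster image may hold a QR code that a text/URL scanner
            # never reads, so route it to image-level QR decoding.
            "inspect_images": images > 0,
        })
    return report

def build_sample_email() -> bytes:
    """Constructed sample: one image-only PDF and one PDF with a text link."""
    image_pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image /Width 2 "
                 b"/Height 2 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 4 >>\n"
                 b"stream\n\x00\xff\xff\x00\nendstream\nendobj\n%%EOF\n")
    link_pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (https://example.com/) >> >>\nendobj\n%%EOF\n")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Document shared with you"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(image_pdf, maintype="application", subtype="pdf", filename="shared.pdf")
    msg.add_attachment(link_pdf, maintype="application", subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for row in triage_pdf_attachments(build_sample_email()):
        print(row)
```

The flag only says that an attachment contains images worth decoding; confirming a QR code and checking its destination URL is left to a decoder and URL reputation check downstream.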
The time required to launch a phishing attack, as well as its cost, is relatively low compared to other attack vectors, Blanker added, arguing this is why threat actors are able to swiftly augment their tactics to get around cyber defenses.
“Phishing is a relatively low cost, easy to implement attack vector with potentially high rewards, so it is not surprising that attackers are continuously trying new approaches to overcome the latest advances in protection,” he said.
“For example, our security researchers have recently reported on a new generation of phishing QR codes built from text-based ASCII/Unicode characters, and using specially crafted URLs to create hard-to-detect phishing pages.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.