Quick response (QR) codes are two-dimensional barcodes that can store data. They are made up of colored (though usually black) and white squares or pixels in a grid. A smartphone or other device camera can quickly process the information contained in a QR code’s specific arrangement of pixels. While QR codes were invented in 1994 by Masahiro Hara, chief engineer at Denso Wave to track vehicles and parts moving through an assembly line, today, they are widely used in marketing and advertising campaigns.
While QR codes have been in use for many years, they gained popularity during the days of COVID-19 restrictions when restaurants replaced paper menus with digital versions accessed by scanning a QR code displayed on a sticker on tables or a standing table card tent.
Today, advertisers will even display QR codes in television commercials to give viewers direct access to more information about the service or product that is being advertised. QR codes can be found pretty much everywhere, which unfortunately has made them a very useful tool for cybercriminals.
QR codes are actually links to webpages
Many people fail to realize that the QR code they are scanning with their device is a link to a webpage. The restaurant menu that is accessed via QR code is hosted on a web page. The video or other type of additional information advertisers promise will be on the other end of the QR code is hosted on a web page. And because any webpage can potentially contain malware or other malicious content, scanning a QR code can result in the same potentially devastating cyberattack that can be launched when clicking a link in a phishing email. The problem is that very few users recognize this danger.
An opportunity for cybercriminals
Malicious actors, in an attempt to capitalize on this attack vector, are creating fake QR codes that mimic legitimate ones. These codes can be delivered to potential victims in many ways, including in an email, on a sticker covering a legitimate QR code, or even in images such as memes or videos posted to social media sites. Once the user scans the code, it takes them to a counterfeit website that may download malware or ask them for sensitive information.
Quishing attacks are on the rise
This attack type is called quishing, and although QR codes have been around for some time, quishing attacks have increased significantly. The increase is due to most users not yet being aware of the danger QR codes pose, a natural curiosity to find out what is on the other side of the QR code, and the fact that many email security programs that are designed to scan URLs for potential dangers have historically not been equipped to scan for QR codes. Threat actors have leaned into this gap, embedding QR codes that point to fake sites designed to steal credentials or perform other malicious activities. Because QR codes have become commonplace for so many legitimate uses such as restaurant menus, sign-up forms, competitions, and scan-to-pay payments, recipients rarely view them as a threat.
Mimecast blocks quishing attacks
Mimecast is continually evolving the protection we provide to our customers. Given QR code attacks are very likely to continue, it is important to note that Mimecast already provides robust, layered protection against quishing attacks.
Mimecast Advanced Email Security conducts deep scanning of the URLs delivered via QR codes. When a potential QR code phishing attack is identified, Mimecast scans the URL associated with the QR code and makes a determination in line with your URL Protect policy and definition settings, rejecting or holding the message if it is found to be a threat.
This protection now extends across the two primary ways malicious QR codes are delivered:
- QR codes in the email message body. Mimecast performs deep scanning of QR code URLs to provide reliable, accurate decisions on potentially malicious QR code images embedded within the body of an email.
- QR codes in email attachments. Mimecast scans attachments for embedded QR codes as part of its advanced URL Protect feature. If a QR code is found within an attachment, Mimecast extracts and analyzes its content; if it contains an embedded URL, that URL is extracted and sent for further scanning and evaluation in accordance with your configured URL Protect policies. This capability is available for inbound, outbound, and internal email.
Mimecast also adds an anti-spam detection layer. By combining QR code scanning results from the email message body with thousands of other signals extracted from an email, Mimecast can recognize patterns that resemble a QR code-based phishing campaign and raise the message’s spam score accordingly. The higher the confidence in detecting a particular campaign, the higher the spam score, and based on that score, the email is placed on user or admin hold or rejected in line with the customer’s spam scanning policy.
Mimecast continues to roll out further detection capabilities to customers, ensuring that organizations remain protected against this modern and evolving attack vector.
Learn more
To learn more about how Mimecast can help your organization combat these new QR-code-based quishing attacks, request a demo today.
Â
Â
**This blog has been updated from a previous version.