QR codes help attackers sneak e-mails past security controls

Researchers have observed an attacker using a technique they hadn’t previously seen to attempt to sneak phishing emails past enterprise security filters.

Abnormal Security, which reported the campaign this week, says between Sept. 15 and Oct. 13 it detected and blocked some 200 emails that contained a QR code — instead of the usual malicious attachment or URL link — to try and drive users to a phishing website.

The emails contained a message that described the QR code as offering access to a missed voicemail and appeared designed to bypass enterprise email gateway scans that are typically only geared to detect malicious attachments and links.

All of the QR code images that Abnormal detected were created the same day they were sent. This made it unlikely that the QR codes, even if they had been detected, would have been previously reported and included in any security blacklist, the security vendor said in its findings.

The use of QR codes in phishing emails is quite rare,” says Crane Hassold, director of threat intelligence at Abnormal Security. Threat actors in the past have used images that appeared to be QR codes but were, in fact, hyperlinks to a phishing site. Some phishing operators have also used QR codes in physical locations to try and drive users to a malicious website.

“But this is the first time we’ve seen an actor embed a functional QR code into an email,” Hassold says.

The Better Business Bureau (BBB) in July warned of a recent uptick in complaints from consumers about scams involving the use of QR codes. Because the codes cannot be read by the human eye, attackers are increasingly using them to disguise malicious links, the BBB said.

To read the complete article, visit Dark Reading.