If you are in the habit of scanning QR codes indiscriminately, think twice before pointing your phone at a random code that arrives by email. Security researchers are urging restraint: scanning QR codes to make payments and to pull up information from known and unknown sources has become second nature for mobile users, and attackers have found that habit a rich target. 

Email security products have become good at filtering the malicious links and attachments that attackers try to sneak into inboxes, so criminals have adopted a delivery method that sidesteps those filters.

Researchers at Trellix found attackers sending emails in which both the message text and a QR code are delivered as an image, leaving no text for a filter to read. To pressure recipients into scanning, the emails carry subject lines such as "urgent action needed regarding multi-factor authentication".  

Attack campaign

The Trellix Advanced Research Centre recently observed one campaign with a sharp spike in phishing emails and a second that has run steadily since early 2022 with slight variations in tactics, techniques and procedures (TTPs). “Both campaigns use QR codes as their primary mechanism to evade detection from email security products. Phishing emails in both campaigns were mostly devoid of text URLs, which makes most email security products ineffective because they rely on readable text and URLs for detection,” it said in a report.

“Use of QR codes for phishing is not new, but there is more to these campaigns. Analysis of these campaigns revealed that malicious actors not only used QR codes as a primary means of defence, but also layered evasion tactics to make these campaigns hard to detect,” it said.

Trellix said it has observed Microsoft Account phishing via QR codes since mid-May 2023, in which the email body consisted only of text and a QR code, both delivered as images.

Most email security products detect phishing by inspecting the text and URLs in a message body, so attackers sidestep them by putting the entire body into images. Because the subject demands urgent action and the message text is itself a picture, recipients reach for a mobile scanning app, scan the code and are sent straight to the phishing page.

“The first variant of this campaign contained text and QR code images embedded directly within the email body, and the other variant we encountered had a PDF attachment containing a QR code,” it said.
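The detection gap Trellix describes, a body with no readable text or URL, the message carried by an inline image or a PDF attachment, and an MFA lure in the subject, can be turned into a triage rule. The following is an added example written for this article, not code from Trellix or the report: it parses a MIME message with Python's standard library and scores it on those traits. The three sample messages, their addresses and filenames are constructed for the demonstration; the thresholds are assumptions to tune against real mail flow.

```python
"""Triage heuristic for QR-code phishing ("quishing") emails.

Added example, not code from the article or from Trellix: it scores a MIME
message on the traits described above (a body with little or no readable
text, no text URL for link scanners, an inline image or a PDF attachment
carrying the message, and an MFA/urgency lure in the subject). The sample
messages are constructed for the demo; addresses and filenames are assumptions.
"""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"urgent|action (needed|required)|multi-factor|\bmfa\b|\b2fa\b|authenticat",
    re.IGNORECASE,
)
MIN_TEXT_CHARS = 80   # below this the body is treated as "no readable text" (assumed threshold)
SUSPECT_SCORE = 3     # independent signals needed before flagging (assumed threshold)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and score it for the image-only QR pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars, urls, images, pdfs = 0, [], 0, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            urls.extend(URL_RE.findall(body))
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)  # crude tag strip; enough for a count
            text_chars += len(re.sub(r"\s+", "", body))
        elif ctype.startswith("image/"):
            images += 1
        elif ctype == "application/pdf":
            pdfs += 1

    reasons = []
    if not urls:
        reasons.append("no text URL for link scanners to inspect")
    if text_chars < MIN_TEXT_CHARS:
        reasons.append(f"only {text_chars} readable characters in the body")
    if images and text_chars < MIN_TEXT_CHARS:
        reasons.append(f"{images} image part(s) carry the whole message (variant 1)")
    if pdfs:
        reasons.append(f"{pdfs} PDF attachment(s) (variant 2)")
    if URGENCY_RE.search(str(msg["subject"] or "")):
        reasons.append("urgency / MFA lure in subject")
    score = len(reasons)
    return {"suspect": score >= SUSPECT_SCORE, "score": score, "reasons": reasons,
            "urls": urls, "text_chars": text_chars, "images": images, "pdfs": pdfs}


# --- constructed samples (not real campaign messages) -----------------------

def _base(subject: str) -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "it-support@example.invalid"  # assumption
    msg["To"] = "user@example.invalid"          # assumption
    return msg


def build_inline_image_sample() -> bytes:
    """Variant 1: HTML body that is nothing but an inline image (text + QR rendered as a picture)."""
    msg = _base("Urgent action needed regarding multi-factor authentication")
    msg.set_content('<html><body><img src="cid:qr1"></body></html>', subtype="html")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"placeholder, not a real image"
    msg.add_related(fake_png, maintype="image", subtype="png", cid="<qr1>")
    return msg.as_bytes()


def build_pdf_sample() -> bytes:
    """Variant 2: near-empty body with a PDF attachment that would hold the QR code."""
    msg = _base("Action required: MFA re-enrolment")
    msg.set_content("Please see the attached notice.")
    fake_pdf = b"%PDF-1.4\n% placeholder, not a real PDF\n"
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="mfa-notice.pdf")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Control: ordinary text email with a readable link and plenty of body text."""
    msg = _base("Monthly report")
    msg.set_content(
        "Hi team,\n\nThe May report is now available on the intranet at\n"
        "https://intranet.example.invalid/reports/2023-05 for review.\n"
        "Please send any corrections to me by Friday so they make the board pack.\n"
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for name, build in [("inline image", build_inline_image_sample),
                        ("pdf attachment", build_pdf_sample),
                        ("benign", build_benign_sample)]:
        verdict = triage(build())
        print(f"{name:15} suspect={verdict['suspect']} score={verdict['score']}")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

The score is a triage signal, not a verdict: a flagged message should be routed to a step that extracts the image or PDF, decodes any QR code in it and submits the resolved URL to the same link analysis the filter would have run on a text URL. Tune MIN_TEXT_CHARS and SUSPECT_SCORE against legitimate image-heavy mail (newsletters, signatures) before alerting on it.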

“We found the campaign to be very widespread, targeting almost all sectors like fuel and energy, finance, banking, telecommunications, IT, healthcare, transport and manufacturing.”

The URL behind the QR code can add yet another layer of evasion: the landing page sits behind a ‘Click Captcha’ window, so an automated crawler that follows the link sees only the captcha and never reaches the phishing content it is supposed to inspect. 

“The captcha does not have to be a genuine one; it is only a means of evading automated analysis,” it said.

How to be safe

Trellix cautioned users to be careful whenever they are prompted to scan a QR code in a public place. “It’s always good to have some protection on the device from which you’re scanning QR codes,” it said.

“If scanning of a QR code is absolutely required, then use online web services to scan for QR codes on a sandboxed device when you’re not sure about the authenticity of the source of QR codes. You need to be extremely wary of instances when you’re asked to provide your personal information or financial information or some other credentials on the webpage which has been directed by scanning QR codes,” it pointed out.

“Be cautious when a QR code takes you to some unknown website or directs you to open an application. It would be wise to have some reputed QR code scanning app on your hand-held device which shows the resolved content and doesn’t directly redirect you to the website or an app,” it said.
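The last piece of advice, show the resolved content instead of opening it, is the hook for a device-side check. The following is an added example written for this article, not code from Trellix or from any scanning app: given the raw string decoded from a QR code, it classifies the payload and lists the reasons a scanner should display it and ask rather than open it unprompted. The brand allowlist for a Microsoft-account lure and the sample payloads are assumptions constructed for the demonstration, not a complete or authoritative list.

```python
"""Show-before-open check for decoded QR content.

Added example, not from the article or from Trellix: a scanner app that
follows the advice above would pass the raw decoded payload to
inspect_qr_payload() and open it automatically only when nothing looks off;
otherwise it displays the resolved content and the reasons and lets the user
decide. EXPECTED_HOSTS and the sample payloads are assumptions for the demo.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Illustrative allowlist for a message that claims to be about a Microsoft account (assumption).
EXPECTED_HOSTS = frozenset({"login.microsoftonline.com", "login.live.com", "account.microsoft.com"})
# A second URL hiding in the query or fragment, plain or percent-encoded (redirect pattern).
NESTED_URL = re.compile(r"https?(://|%3a%2f%2f)", re.IGNORECASE)


def _host_matches(host: str, allowed) -> bool:
    """True when host is an allowed name or a subdomain of one; a look-alike prefix does not match."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_qr_payload(payload: str, expected_hosts=EXPECTED_HOSTS) -> dict:
    """Classify a decoded QR payload and list reasons not to open it unprompted."""
    payload = payload.strip()
    try:
        parts = urlsplit(payload)
        host = parts.hostname or ""  # urlsplit lower-cases scheme and host, so ALL-CAPS QR text is fine
    except ValueError:
        return {"kind": "malformed", "host": "", "flags": ["unparseable URL"], "auto_open": False}

    if parts.scheme not in ("http", "https"):
        # WIFI:, intent:, mailto:, custom app schemes or plain text: never act on these automatically
        kind = "non-web" if parts.scheme else "text"
        return {"kind": kind, "host": host, "flags": ["not a web URL"], "auto_open": False}

    flags = []
    if parts.scheme != "https":
        flags.append("plain http, no transport protection")
    if parts.username is not None:
        flags.append("userinfo before '@' (the real host is what follows it)")
    if _is_ip_literal(host):
        flags.append("IP-literal host")
    if "xn--" in host:
        flags.append("punycode (IDN) label in host")
    if not _host_matches(host, expected_hosts):
        flags.append(f"host {host!r} is not an expected brand domain")
    if NESTED_URL.search(parts.query) or NESTED_URL.search(parts.fragment):
        flags.append("another URL embedded in query/fragment (redirect pattern)")
    return {"kind": "url", "host": host, "flags": flags, "auto_open": not flags}


if __name__ == "__main__":
    # Constructed payloads: one genuine-looking login URL, three lures, one non-web code.
    samples = [
        "HTTPS://LOGIN.MICROSOFTONLINE.COM/common/oauth2/v2.0/authorize",
        "https://login.microsoftonline.com@203.0.113.5/mfa?next=https://login.microsoftonline.com/",
        "https://login.microsoftonline.com.verify-mfa.example/",
        "http://login.xn--micrsoft-3ya.com/",
        "WIFI:T:WPA;S:guest;P:secret;;",
    ]
    for p in samples:
        r = inspect_qr_payload(p)
        action = "open" if r["auto_open"] else "SHOW AND ASK"
        print(f"{action:13} {r['kind']:8} {p}")
        for f in r["flags"]:
            print("   -", f)
```

The check deliberately never returns a "safe" answer for anything other than an HTTPS URL on a domain the lure claims to represent; everything else is surfaced to the user with the decoded text in full, which is exactly what a scanner that "shows the resolved content" should do.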