15/09/2023
QR codes have revolutionised the way we engage with technology, streamlining a lot of processes that were once thought to be a faff. Whether it be paying for parking, connecting to WiFi networks, sharing contact information or visiting a website, those little squares of data can make our daily lives more convenient. However, as is often the case, this technology isn’t without its flaws. The very characteristics that make QR codes efficient and convenient also make them easy to exploit, with quishing (QR phishing) becoming an increasingly popular attack vector.
What is QR Phishing?
Traditional phishing is the act of utilising email technologies and social engineering techniques to steal sensitive information from a target, by posing as a trusted entity. Whether it purports to be a friend, employer or popular service provider, a phishing attack relies on misplaced trust to be effective. QR phishing simply uses the same methodologies, but instead uses QR codes over email. Scanning a malicious QR code can have the same effect as interacting with a carefully crafted phishing email, such as providing sensitive information to an attacker on a spoofed login page under their control.
Why is QR Phishing so effective?
Circumventing Traditional Protections
Traditional phishing often relies on actively targeting potential victims through email and website technologies that are often fortified by robust security tools and protocols. Email filters, firewalls, scanning tools and SSL certificates are just some of the measures that stand between a phishing attack and the user.
QR phishing can easily bypass many of these measures. When you scan a QR code, you’re essentially creating a direct line between you and the destination, avoiding many security checks in the process. This is made even more difficult by the fact that a visible URL is mostly absent when QR codes are in use, even when used legitimately. This makes discerning genuine websites and applications from spoofed, fake platforms more difficult.
The User’s Own Device
Traditional phishing requires that a target interacts with an email link on their device, a practice that most people these days are aware of and know to avoid. QR codes, however, require people to use their smartphone, which in modern times has become a device that many people trust implicitly.
Quishing vs SMShing
While QR phishing leverages QR code technology, SMS phishing utilises text messages to achieve the same nefarious goal. Both methods share similarities that make them considerably more dangerous than phishing.
– Direct Contact: Both QR codes and SMS messages create a sense of urgency and direct action due to the readiness and availability of the content. Emails can be lengthy and a laborious task to verify, but QR codes and SMS prompt swift action from users due to the simplicity of the technology.
– Trust: Text messages are incorrectly viewed as more secure and personal, leading to lowered defences. In the wild, QR codes are often used for convenience and there’s little awareness about how this can be exploited, which as a result leads to the same lowered defences.
– Circumventing Protections: Just like SMShing, Quishing avoids many traditional online security protections by utilising a different communication channel.
Reliance on Protections
It’s easy to assume that firewalls, antivirus and other security tools provide foolproof protection, which causes many people to place their full trust in technology to weed out the bad. The rise of Quishing and SMShing demonstrates the need to educate and raise awareness, so that the last barrier in our defence is ourselves. The scope of cyberattacks is forever widening, with security tools always playing catch-up with new methods of attack, so personal vigilance and continual education remain the strongest line of defence against the various methods of phishing.
QR phishing showcases the dark potential of convenient technology. The absence of traditional protections and the trust we place in our own devices make it an easy platform for attackers to exploit. As the world continues to integrate technology into everyday life, it’s important to remain vigilant. Keep your wits about you, double-check before scanning QR codes, and never assume that the protections you put trust in are always going to keep you safe.