Malicious Hackers Utilize QR Codes in Novel 'Quishing' Cyber Assaults

Attackers are using malicious QR codes in two new phishing methods: they either split a code into parts or nest it inside a legitimate one.

Security researchers at Barracuda Networks have discovered two novel phishing techniques involving QR codes, adding a new dimension to the ever-evolving world of cyber threats. The report detailing these findings was published on August 20, titled "Threat Spotlight: Split and nested QR codes fuel new generation of 'Quishing' attacks".

The first technique, known as QR code splitting, involves splitting a malicious QR code into two parts and embedding them into a phishing email. Operators of phishing-as-a-service (PhaaS) kits like Gabagool and Tycoon have been observed using this method in their attacks. In a recent instance, the Gabagool operators used this technique in attacks that began as standard fake Microsoft 'password reset' scams.

The second technique, known as QR code nesting, involves embedding a malicious QR code into a legitimate one. The Tycoon operators have been found to use QR code nesting in their attacks. This method can make it harder for scanners to detect the threat because the results are ambiguous.

Detection of these techniques can leverage machine learning to scrutinize QR code structures and pixel anomalies, even without extracting the embedded data. Such tools can also decode QR payloads and analyse linked URLs or malicious content. The AI-driven approach strengthens detection by visually scanning attachment images for embedded QR codes.

With QR code splitting, when traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code. This makes it more challenging for these solutions to identify and block the malicious QR codes.
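A defender-side heuristic for the split-image case described above, as an added example that is not from Barracuda's report or any product: it flags adjacent images in an HTML email body whose combined bounding box is roughly square, so the pair can be stitched and passed to a QR decoder as one image. The names `ImgCollector` and `split_qr_candidates`, the 10% tolerance, and the reliance on `width`/`height` attributes are assumptions; the sample HTML is constructed.

```python
from html.parser import HTMLParser

class ImgCollector(HTMLParser):
    """Collect <img> tags in order; record if visible text separates them."""
    def __init__(self):
        super().__init__()
        self.images = []
        self._text_seen = False  # visible text since the previous <img>?

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        try:
            w, h = int(a.get("width", "")), int(a.get("height", ""))
        except (TypeError, ValueError):
            w = h = None  # unknown size: geometry cannot be judged
        self.images.append({"src": a.get("src", ""), "w": w, "h": h,
                            "gap": self._text_seen})
        self._text_seen = False

    def handle_data(self, data):
        if data.strip():
            self._text_seen = True

def split_qr_candidates(html, tolerance=0.1):
    """Return (src, src) pairs of adjacent images that tile into a square."""
    parser = ImgCollector()
    parser.feed(html)
    pairs = []
    for a, b in zip(parser.images, parser.images[1:]):
        if b["gap"] or None in (a["w"], a["h"], b["w"], b["h"]):
            continue
        # Two halves side by side: equal heights, widths sum to the height.
        side = a["h"] == b["h"] and abs(a["w"] + b["w"] - a["h"]) <= tolerance * a["h"]
        # Two halves stacked: equal widths, heights sum to the width.
        stack = a["w"] == b["w"] and abs(a["h"] + b["h"] - a["w"]) <= tolerance * a["w"]
        if side or stack:
            pairs.append((a["src"], b["src"]))
    return pairs

# Constructed samples: a split code in a table row, and an ordinary layout.
SAMPLE_SPLIT = ('<p>Scan to reset your password</p><table><tr>'
                '<td><img src="cid:a" width="100" height="200"></td>'
                '<td><img src="cid:b" width="100" height="200"></td></tr></table>')
SAMPLE_BENIGN = ('<img src="logo.png" width="300" height="60"><p>Hello</p>'
                 '<img src="banner.png" width="600" height="120">')
```

A flagged pair is only a candidate: the stitched image still has to be decoded and its URL checked before the message is treated as malicious.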

To combat these sophisticated phishing techniques, Barracuda recommends a defense-in-depth approach to email security. Beyond foundational measures, they suggest adopting multi-layered email protection powered by multimodal AI. This approach can help in detecting and blocking such advanced threats more effectively.

The discovery of these new phishing techniques using QR codes was publicly discussed around mid-2024, with detailed coverage published by Heise in 2024. As cyber threats continue to evolve, it is crucial for organisations and individuals to stay vigilant and adopt robust security measures to protect against these advanced attacks.
