A big phishing marketing campaign using QR codes has not too long ago come to mild, with a significant US-based vitality firm as one of many main targets.
The marketing campaign, which started in Could 2023, has witnessed a 2400% surge in quantity since then, underscoring the urgency of addressing this rising menace.
Cybersecurity firm Cofense has been intently monitoring this marketing campaign. In an advisory printed on Wednesday, the corporate stated that over 29% of the malicious emails, numbering greater than 1000, had been directed on the vitality sector large. Different industries additionally fell sufferer, with manufacturing, insurance coverage, know-how and monetary companies firms accounting for a mixed 37% of the assaults.
The attackers’ modus operandi entails sending emails masquerading as Microsoft safety notifications. These emails include PNG or PDF attachments, attractive customers to scan QR codes purportedly for enhanced safety measures.
Whereas QR codes have historically been seen as a restricted assault vector because of person interplay necessities, the malicious actors have ingeniously utilized them to bypass safety measures and improve the chance of profitable phishing makes an attempt.
“This can be a worrying marketing campaign that demonstrates how criminals are testing using QR codes to make phishing scams seem extra practical,” stated My1Login CEO, Mike Newman.
“When individuals obtain these emails, they’re extra prone to fall for them as a result of QR codes received’t include the standard indicators, corresponding to spelling and language errors, that an e mail might be suspicious. It’s additionally a novel assault vector that customers are unlikely to concentrate on.”
The truth is, the QR codes embedded within the emails redirect customers to seemingly respectable domains, corresponding to Bing and Salesforce, which have been weaponized to hold out the assaults.
Learn extra on QR code safety: QR Codes: A Rising Vulnerability to Cybercrimes
Cofense really useful a multi-faceted strategy to fight this new wave of assaults. Using QR code scanners and picture recognition know-how can function an preliminary line of protection, however person training stays paramount.
“Not all safety controls can establish malicious QR codes. Not all organizations are even conscious this can be a way that the malicious actors can leverage to breach their safety portfolio,” defined Avishai Avivi, CISO at SafeBreach. “Evading safety controls can symbolize a major threat to organizations that assume their safety controls are enough.”
Encouraging workers to not scan QR codes from unsolicited emails can subsequently play a pivotal function in safeguarding company and particular person safety. As this marketing campaign showcases the evolving ways of cyber-criminals, swift adaptation and sturdy defenses are essential to thwart future assaults.
