Quishing is a form of phishing that involves the use of QR codes embedded with malicious links. When scanned, these QR codes redirect victims to fake websites designed to steal their credentials or other sensitive information.
Malicious QR codes are popular with attackers for several reasons. They cannot be read by humans so don’t raise any red flags, and they can often bypass traditional security measures such as email filters and link scanners. Further, since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection.
As security tools adapt to the threat of quishing, attackers have continued to innovate their approaches. Barracuda has reported previously on the evolution of QR code phishing attacks and the arrival of more sophisticated ASCII QR code attacks.
In this article, we explore the latest advances in QR code attack techniques, including split QR codes and nested (QR-in-QR) codes.
Split QR codes
The Gabagool phishing-as-a-service (PhaaS) kit recently started using a new technique to help malicious QR codes evade detection. The technique involves splitting the QR code into two separate images and embedding them in a phishing email. When traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code.
Barracuda threat analysts recently found Gabagool attackers implementing split QR codes in an attack that began as a standard fake Microsoft ‘password reset’ scam. The attackers’ use of highly tailored messages suggests they’d previously implemented a successful conversation hijacking attack against the target.