During my two years as the CEO of a Public Company, Bloomberg became one of my go-to sources for financial news. I am still subscribed and today found an interesting story from Drake Bennett in New York.
He reported on a story in Bleeping computer—which we link to often—that revealed a QR code phishing attack discovered by Cofense, one of the players in our space. He wrote this opinion piece that clearly describes a new phishing problem that we have been warning about for a while:
"Along with Zoom and those little silicone thingies that allow you to attach hand sanitizer bottles to the zipper of your fanny pack, one of the technologies Covid has thrust into our lives is the QR code.
At this point, we’ve all gotten accustomed to using them to Venmo friends, tip people without making physical contact and log in remotely to our work stations. We’ve gotten used to — and then tired of — using them to order drinks and food at restaurants.
It makes sense, then, that hackers have started using them, too. According to the cybersecurity firm Cofense, an unnamed major US energy company was targeted with a phishing attack using QR codes attached to emails.
The phishing emails purported to be from Microsoft, telling receivers to scan the attached QR codes to review security requirements and update their accounts. In fact, scanning the codes landed targets on sites set up to steal their information. The codes allowed the phishing messages to elude email security filters that search for known malicious links.
They also, on some level, bypass our own human security filters. QR codes predate the pandemic, of course; they were on food packaging and bus stop ads. But they seemed like a bit of a gimmick, and most people didn’t have to rely on them in their everyday lives. I remember downloading a QR scanner app for my smartphone and using it maybe once.
A phishing email with a QR code sent in 2019, in other words, would have seemed strange and suspicious. Now they’re a Pavlovian cue, prompting us to reach unthinkingly for our phones.
I’m not a fan of QR codes. Part of it is that I resent having to look at and manipulate a screen to order nachos from a person standing right in front of me.
But another part is that it’s one more example of information being presented to me illegibly, in a way that I then must have a device interpret. It’s like living in a country where I don’t speak the language and where the only things that speak the language are computers. It now only confirms my worst suspicions that the messages the codes contain are sometimes malicious lies.
Apparently, QR codes were invented to label and track car parts. That seems like a really good idea. Let’s not use them for anything else" — Drake Bennett
Thanks Drake, we could not agree more ! However, bad actors don't. They use QR codes mode and more. Our platform allows you to send QR code phishing tests so that you can train your users against stealth attacks like this. There is even a free test you can run if you are not a KnowBe4 customer yet.
