[Heads Up] QR Code Phishing is Getting More Stealthy Fast



Attackers are using new tactics in QR code phishing (quishing) attacks, according to researchers at Palo Alto Networks’ Unit 42.

Quishing attacks hide phishing URLs inside QR codes. Because the URL is embedded in an image rather than written as a clickable link, it slips past email filters that only inspect link text, and the victim is nudged into opening it on a personal phone that typically sits outside the organization's web filtering and endpoint controls.

“One tactic involves attackers concealing the final phishing destination using legitimate websites' redirection mechanisms,” Unit 42 says. “Another tactic involves attackers adopting Cloudflare Turnstile for user verification, enabling them to evade security crawlers and convincingly redirect targets to a login page. We found that some of these phishing sites are specifically targeting the credentials of particular victims, suggesting pre-attack reconnaissance.”

Combined with a QR code, URL redirection is harder to spot: the link passes through a legitimate site's redirector, and the camera app's preview shows only that site's domain, not the final destination.

“By using URL redirection, attackers can surreptitiously redirect users to malicious websites while masking the true destination of the phishing link,” the researchers explain. “This method of URL redirection for phishing has been prevalent for years. Therefore, many people are taught to carefully examine the full URL to avoid clicking on phishing links.

“However, when the URL is accessed via a QR code, people can only view the domain name through their smart device’s camera application, making suspicious URLs more likely to appear legitimate.”

The Cloudflare Turnstile step helps the campaigns evade detection by security vendors. Turnstile is Cloudflare's legitimate bot-detection widget: it challenges the visitor's browser to prove a human is present before the page behind it loads. Placed in front of a phishing page, it means an automated URL scanner that does not complete the challenge sees only a harmless verification page, so the infrastructure is less likely to be flagged, while a real victim clicks through to the credential-harvesting login page. Defensively, a scanner that lands on a bare Turnstile challenge should record that as an incomplete verdict rather than a clean one.
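As an added example (not tooling from Unit 42 or KnowBe4), the following Python script triages a URL that has already been decoded from a QR code, covering both the redirection trick above and the Turnstile gate. It reports the domain a phone camera preview would show, peels redirector targets carried in query parameters, base64 values or the path without touching the network, and checks fetched HTML for the markers of a Cloudflare Turnstile challenge so a scanner can tell the gate from the page behind it. All sample URLs, hostnames, the HTML snippet, the placeholder sitekey and the 40-word threshold are constructed assumptions; decoding the QR image itself (for example with a zbar binding) is out of scope.

```python
"""Triage a URL decoded from a QR code (added example; constructed samples only)."""
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample URLs. Hostnames are placeholders, not real campaign indicators.
SAMPLE_QR_URLS = {
    "plain": "https://legit.example/docs/benefits.pdf",
    "query": "https://legit.example/out?u=https%3A%2F%2Fbad.example%2Fm365%2Flogin",
    "nested": ("https://trusted.example/redirect?url=https%3A%2F%2Flegit.example%2Fgo"
               "%3Ftarget%3Dhttps%253A%252F%252Fbad.example%252Fauth"),
    "base64": "https://legit.example/r?q=aHR0cHM6Ly9iYWQuZXhhbXBsZS9sb2dpbg",
    "path": "https://legit.example/redirect/https://bad.example/login",
}

# Constructed HTML of a bare Turnstile challenge page; the sitekey is a placeholder.
SAMPLE_GATE_HTML = """<!doctype html><html><head><title>Verify</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><p>Please verify you are human to continue.</p>
<div class="cf-turnstile" data-sitekey="0x4AAAAAAA-placeholder"></div></body></html>"""


def preview_host(url):
    """The part a phone camera preview shows before the user taps: the hostname only."""
    return urlsplit(url).hostname or ""


def _base64_url(value):
    """Return the decoded string if value is base64/base64url of an http(s) URL."""
    padded = value + "=" * (-len(value) % 4)
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None


def embedded_url(url):
    """Find a target URL carried inside url (query value, base64 value, or path)."""
    parts = urlsplit(url)
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes once; unquote again to catch double encoding
        for candidate in (value, unquote(value)):
            if candidate.startswith(("http://", "https://")):
                return candidate
        decoded = _base64_url(value)
        if decoded:
            return decoded
    # Path-style redirectors such as /redirect/https://target
    match = re.search(r"/(https?://\S+)$", unquote(parts.path))
    return match.group(1) if match else None


def unwrap_redirects(url, max_hops=5):
    """Peel redirector layers embedded in the URL itself, without any network access.
    Returns the chain starting with the scanned URL."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = embedded_url(chain[-1])
        if nxt is None or nxt in seen:  # no more layers, or a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess_qr_url(url):
    """Compare what the victim's camera shows with where the link actually leads."""
    chain = unwrap_redirects(url)
    shown, final = preview_host(chain[0]), preview_host(chain[-1])
    return {
        "preview_host": shown,
        "final_host": final,
        "chain": chain,
        "hidden_destination": len(chain) > 1 and final != shown,
    }


TURNSTILE_MARKERS = ("challenges.cloudflare.com/turnstile/", "cf-turnstile")


def is_turnstile_gate(html, max_words=40):
    """True if the page loads the Cloudflare Turnstile widget and carries almost no
    other text, i.e. a crawler stopped at the human-verification gate rather than
    the page behind it. The word threshold is an assumption to tune on real traffic."""
    lowered = html.lower()
    has_widget = any(marker in lowered for marker in TURNSTILE_MARKERS)
    visible = re.sub(r"<(script|style).*?</\1>|<[^>]+>", " ", html, flags=re.S | re.I)
    return has_widget and len(visible.split()) < max_words


if __name__ == "__main__":
    for label, url in SAMPLE_QR_URLS.items():
        result = assess_qr_url(url)
        flag = "HIDDEN" if result["hidden_destination"] else "ok"
        print(f"{label:7} preview={result['preview_host']} final={result['final_host']} [{flag}]")
    print("gate page:", is_turnstile_gate(SAMPLE_GATE_HTML))
```

Unwrapping the target from the URL itself keeps the check offline and avoids touching attacker infrastructure, but it only sees redirectors that carry the destination in the link; a server-side 302 from a compromised site is invisible to it, so pair this with a sandboxed fetch that treats a Turnstile gate as an unresolved verdict rather than a clean one.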

“These evolving tactics challenge both security detection mechanisms and user awareness,” Unit 42 concludes. “Attackers’ increasing use of QR codes in phishing highlights the need for improved security awareness training and technical solutions that can detect and block these threats.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Unit 42 has the story.


Free QR Code Phishing Security Test

Did you know dynamic QR code scans increased 433% globally from 2021 to 2022? Try our free QR Code Phishing Security Test to identify users that are most susceptible to these types of attacks so you can train them to think twice before scanning QR codes and build a stronger security culture.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to a person)
  • Select from 35 languages and choose one of 3 templates
  • Choose from a “red flags missed” or a “404 error” landing page
  • Get a PDF emailed to you in 24 hours with your Phish-prone Percentage

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/qr-code-phishing-security-test


