Welcome to our July 2023 catches of the month feature, in which we explore the latest phishing scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we look at the increase in a new form of phishing that uses QR codes, plus we discuss the staggering findings of PhishLabs’ latest report.
Quishing on the rise
Cyber security researchers have discovered an extensive phishing campaign that uses QR codes as bait.
QR code fraud, also known as ‘quishing’, works much like any other form of phishing, with criminal hackers masquerading as a legitimate source and attempting to trick people into handing over sensitive information or downloading malware.
Whereas traditional attacks feature poisoned attachments or bogus links, quishing uses QR codes that direct victims to their fraudulent website.
The attack vector is relatively new, even though QR codes have been in popular use since the advent of smartphones. However, the technology has become far more common in the past year or so, and you will often find QR codes as the default option for a variety of activities.
This includes things such as links to adverts, commercial tracking, augmented reality systems and anything else that might otherwise require an individual to access a specific webpage or resource.
Because QR codes obscure the destination of the link – users simply scan the barcode to reach the source – they create prime opportunities for scammers.
Patrick Schläpfer, a malware analyst at HP, told TechTarget that his team has observed sustained quishing activity over the course of several months.
The researchers have been tracking a particular QR code phishing campaign since they first discovered a series of suspicious emails with similar Word documents attached.
They soon learned that each document contained Chinese text and a QR code. The message appeared to come from the Chinese Ministry of Finance, and told recipients they were eligible to receive a new government-funded subsidy.
According to the document, users could receive this payment by scanning the QR code, which would link to an application form that asked them to submit their personal and financial information.
However, this is just one form of QR code attack. The researchers also discovered a campaign that appeared to come from a parcel delivery service, requesting payment via a QR code. Meanwhile, others have spotted similar attacks that also use the technology.
Why quishing is so successful
There are several reasons for this surge in QR code scams. In addition to their ability to mask the destination address, they also exploit vulnerabilities in the way we access content.
QR codes force people to interact with the link via their phone, rather than navigating to the resource on a computer or tablet. As Schläpfer explains, phones generally have weaker (or non-existent) anti-malware protections, which makes it easier for cyber criminals to plant fraudulent baits.
Moreover, as the researchers were investigating these attacks, they learned that scammers were often distributing mobile malware designed to steal corporate login credentials as they were typed into people’s phones.
Schläpfer believes the attacks his team identified are not one-off campaigns. “It’s very likely that QR phishing is happening at a wider scale using a variety of methods,” he said.
Phishing attacks reach all-time high
There were more phishing emails in the first quarter of 2023 than in any other period in history, according to a new report.
Fortra’s PhishLabs team found that 23.6% of emails were classified as malicious or ‘do not engage’. This includes phishing scams, which comprise 98.7% of malicious emails, as well as spam and other unsolicited and potentially harmful correspondence.
By contrast, for the fourth quarter in a row, the number of emails that were classified as posing no threat decreased. They now represent just over three quarters of all emails.
As it delves further into malicious and unsolicited emails, PhishLabs breaks phishing down into specific categories. It found that the majority (58.2%) are designed to capture users’ login credentials.
Of those, malicious links were far more common than bogus attachments – with the former accounting for about two thirds of the total.
Meanwhile, the researchers learned that 40% of malicious phishing links were associated with Microsoft Office scams, making it by far the most common pretext for phishing.
The increase in login credential theft was offset by a decrease in response-based scam emails, which PhishLabs estimated account for 40.5% of all malicious emails.
Response-based scams are those that use more sophisticated social engineering techniques to trick recipients into handing over sensitive information. Rather than simply include a link to a malicious site or attachment within the email, the attacker creates a pretext requesting that the recipient takes a specific action.
For instance, the most popular form of response-based scam was hybrid vishing. The scammers create a typical phishing email with a pretext, but instead of asking recipients to follow a link, the message contains a phone number that they’re asked to call.
These attacks help cyber criminals to bypass email security systems, because their message doesn’t contain malware or an untrustworthy website that a security mechanism might pick up.
Plus, once they get victims on the phone, their attacks are more likely to be successful. It’s easier to pressure people into action over the phone compared to email, because the scammer is communicating directly and can create a sense of urgency and legitimacy.
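The hybrid vishing pattern described above can be turned into a simple mail-triage heuristic: flag messages that ask the reader to call a number but carry no link or attachment for a scanner to inspect. This is an added example, not from PhishLabs or the original article; the regular expressions and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Heuristic patterns (assumptions for this sketch, not a vetted ruleset).
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{8,16}\d(?!\w)")
CALL_RE = re.compile(r"\b(?:call|phone|dial|ring|contact)\b", re.I)

def analyse(raw: str) -> dict:
    """Return the signals that mark a possible hybrid vishing email."""
    msg = message_from_string(raw, policy=policy.default)
    texts, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            attachments += 1
        elif part.get_content_maintype() == "text":
            texts.append(part.get_content())
    body = "\n".join(texts)
    signals = {
        "urls": URL_RE.findall(body),
        "attachments": attachments,
        "phones": [p.strip() for p in PHONE_RE.findall(body)],
        "call_to_action": bool(CALL_RE.search(body)),
    }
    # Flag only the pattern the article describes: a number to call and
    # nothing that a link or attachment scanner could inspect.
    signals["hybrid_vishing_suspect"] = (
        bool(signals["phones"]) and signals["call_to_action"]
        and not signals["urls"] and attachments == 0
    )
    return signals

# Constructed sample messages (not real traffic; 555-01xx numbers are fictional).
VISHING = """From: Billing <billing@example.com>
Subject: Your subscription has been renewed

Your account was charged 399.99 USD today.
To dispute this charge, call our support team on +1 (555) 010-0199 within 24 hours.
"""
LINK_PHISH = """From: IT <it@example.com>
Subject: Password expiry

Your password expires today. Sign in at http://login.example.net/reset or call 555 010 0123 456.
"""

if __name__ == "__main__":
    for name, raw in (("vishing", VISHING), ("link", LINK_PHISH)):
        print(name, analyse(raw)["hybrid_vishing_suspect"])
```

A hit is a reason to route the message for review or add a warning banner, not a verdict: legitimate invoices and support emails also contain phone numbers.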
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.
You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.
This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
There is a new email scam that I would like to forward. It appears to come from a known sender with the same last name and offers to share photos; however, the sender’s email address isn’t from the known sender, it originates from a .edu domain. The email has an embedded link.
example:
Subject: Fw: Two pictures from XXX XXX
Body: On Thursday, July 06, 2023 12:50 PM, XXX XXX wrote:
Any thoughts?
I have had several from different senders, the same spoofed family member’s name in the past week. Similar body text. All in the past week.
Another family member reported one that appeared to come from me.