The Rise of Quishing Attacks: A New Challenge in Cybersecurity
September 12th, 2024 - Written By CyberLabs
These days, hackers are not a fixed group as they continue to adapt with the new technologies as well as with the increased use of computers in communication. Quishing is one of the newest threats in the field of cybersecurity. This attack vector is like the traditional phishing attack but uses QR codes to deceive the users and obtain their information. In this article, I will explain what quishing attacks are, how they are carried out and how you can avoid becoming a victim.
What is Quishing?
Quishing is a specific type of phishing attack where the cybercriminal utilizes QR codes as the primary means of delivering the attack. “Quishing” is a term that is derived from the words QR code and phishing. Phishing mostly entails using emails or links that are malicious in nature with the aim of eliciting the user’s personal details, login details or to download malware. In quishing attacks, cybercriminals use QR codes instead of links that can be clicked on.
For instance, when a victim uses the smartphone to scan the QR code, he or she is directed to another website that is malicious or asked to download a program, unknown to him or her, that contains malware. These attacks have been on the rise with the rise of the use of QR codes in payments, advertising, and other forms of communication after the pandemic.
How Quishing Attacks Work?
- Crafting the Attack: A phishing email, flyer, or social media post is created by the attacker and contains a QR code. The message could pretend to be from a genuine source such as a bank, a company or even a government department.
- Deploying the QR Code: The URL in the message is a QR code and it is linked to a virus. The victims are enticed to scan the QR code, and they are directed to a different site or service that is believed to be safe.
- Exploitation: After scanning, the QR code leads the user to another site that is controlled by the attacker. The site may look like a normal website and the user is duped into feeding the site with personal details or the site downloads malicious content into the victim’s computer.
- Data Harvesting or Malware Deployment: Once the attacker is through with the victim, he or she can get personal details like login information, financial information, or put a virus that can steal information or blackmail the owner of the system.
Why are these Quishing Attacks Growing?
- Increased QR Code Usage: QR codes received increased popularity during the COVID-19 outbreak when people started avoiding direct contact in payments, menus, and other services.
- User Trust in QR Codes: Most of the users are confident in QR codes since they are easy to use and are popular. This gives them a false sense of security making them easy prey for attackers.
- Difficulty in Verifying QR Code Links: In contrast with normal URLs, the user will not know the location to which the QR code is linked before they scan it, which makes it easier for the attackers to lure their targets.
Examples of Quishing Attacks in the Real World
Restaurant Menus: One of the common tricks that cybercriminals employ is to change the QR codes of restaurants’ menus with fake ones. After scanning the customers are taken to a number of fraudulent websites.
Fake Customer Support Scams: Cybercriminals leverage quishing in phishing emails or SMS and posing as the customer support of genuine organizations and urging the targets to use the QR code to confirm their account.
COVID-19 Vaccine Scams: QR codes were also incorporated in fake messages stating that they would give details or schedule for an available COVID-19 vaccine.
How to Protect Yourself from Quishing Attacks
Here are several measures which can help prevent quishing attack:
- Verify the Source: It is advisable to ignore and scan QR codes from untrustworthy sites. If so, try engaging in other means of verification besides the original source.
- Use a QR Scanner with Previews: A few QR code reader programs have the functionality to preview the URL before clicking it. This function can assist in identifying bad links to avoid getting hacked.
- Inspect Physical QR Codes: For instance, QR codes printed on bills, flyers, or menus should give caution when they seem to altered or different from their original position.
- Update Your Devices: Make sure that your devices and applications are as well up to date with the relevant application to reduce chances of getting ventilated by viruses.
- Enable Multi-Factor Authentication (MFA): Make sure that your accounts are secured with MFA assigning additional layers to these accounts specifying that gaining access to the accounts would require more than just social engineering credentials access.
- Education and Awareness: Like any other phishing attack education about the risks posed by Quishing can also be helpful in reducing the chances of being scammed.