As campaigns using QR codes grow in size and complexity, it is important to track not just the QR codes themselves but also the context of the emails delivering them.
Other campaigns use images embedded in the email, or QR codes rendered from external sources.
The more recent QR code campaigns use a wide range of email themes, whereas earlier campaigns primarily used multi-factor authentication as the lure.
Key Points
The most common characteristics associated with the credential phishing chains from URLs embedded in QR codes were, in order of popularity, captcha, multi-factor authentication, and URLs that had an open redirect to a credential phishing page.
The most common sources for QR codes were, in order of popularity, embedded in the email, attached PDF, attached HTM, and attached DOC. The subjects of QR code bearing emails were more likely to be MFA themed, contain a date, and contain personally identifiable information that was redacted, than regular credential phishing emails.
The types of domains of URLs embedded in QR codes were, in order of popularity, malicious or compromised, legitimate, QR code related, and a standard link shortener service.
Of note is that while campaigns with captcha were the most popular for both QR code based reports and all credential phishing reports, the MFA tag was the least popular among all credential phishing reports but a close second among QR code reports.
This reinforces MFA as a primary theme for QR codes, as expected. At the same time, the fact that only 29% of QR code reports carried the multi-factor authentication tag indicates that QR code emails may be more diverse than they first appear.
The large portion of QR code emails that use a captcha at some point in their delivery chain indicates that even when automated systems start scanning QR codes and following the links, they will likely still be stymied before recording the entire chain.
Reports with the open redirect tag showed up in only 13% of QR code based emails.
Threat actors abuse a little-known Google API to generate a QR code that is referenced as an external image in the email or HTML attachment.
The more commonly adopted response to automated scanning of embedded QR code images is to use an attached file with a QR code embedded in it.
MFA themes making up 29% of QR code emails makes sense, as that matches the data from the tagged reports.
As mentioned earlier, this indicates that QR code emails are more varied than they would first appear, but it also indicates that threat actors may believe employees are likely to see QR codes in correspondence not related to MFA setup.
Seeing more personally identifiable content requiring redaction in subjects also makes sense, as QR code emails are more likely to be delivering information that appears to be specifically relevant to the recipient's company.
QR code emails with subjects with dates in them have themes ranging from MFA to salary reports to overdue documents.
Figure 4: Contents of subjects of QR code bearing emails versus all credential phishing emails.
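A practitioner tracking the delivery context described above needs to locate every place an email can carry a QR code before any decoding happens. The following script is an added example, not code from the original report: it parses a MIME message with the Python standard library and sorts the candidate parts into the report's source buckets (image embedded in the email, attached PDF, attached HTM, attached DOC), plus images that the HTML body or an HTM attachment fetches from an external host, which is how an API-rendered QR code reaches the recipient. It also flags the two subject characteristics discussed above (MFA theme, presence of a date); the regular expressions for those are this example's own assumptions, and the message built in build_sample() is constructed, with placeholder bytes standing in for a real QR image and PDF.

```python
"""Inventory where an email carries or references a QR code, and score its subject.

Added example, not code from the original report. Buckets follow the report's
ranking of QR sources; the subject regexes and the sample message are this
example's own assumptions. Decoding the QR image itself is out of scope: this
is the step that decides which parts to hand to a decoder.
"""
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions the report ranks as QR carriers, mapped to its bucket names.
ATTACHMENT_TYPES = {".pdf": "attached PDF", ".htm": "attached HTM",
                    ".html": "attached HTM", ".doc": "attached DOC",
                    ".docx": "attached DOC"}
# Assumed vocabulary for "MFA themed" subjects and for "contains a date".
MFA_RE = re.compile(r"\b(?:mfa|2fa|multi[- ]?factor|two[- ]?factor|authenticator)\b", re.I)
DATE_RE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}(?:[/.-]\d{2,4})?\b"
                     r"|\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,4}\b",
                     re.I)


class _ImgSrcCollector(HTMLParser):
    """Collect every <img src=...> value in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def external_image_sources(html):
    """Return img sources fetched over http(s); cid: and data: images are local."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    return [s for s in collector.sources if urlparse(s).scheme in ("http", "https")]


def subject_features(subject):
    """Flag the subject characteristics the report compares across email sets."""
    return {"mfa_theme": bool(MFA_RE.search(subject)),
            "has_date": bool(DATE_RE.search(subject))}


def qr_sources(raw):
    """Return (source kind, name) pairs for every part that could carry a QR code."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        ext = os.path.splitext(fname.lower())[1]
        if ext in ATTACHMENT_TYPES:
            found.append((ATTACHMENT_TYPES[ext], fname))
            # An HTM attachment can itself pull the QR image from an external host.
            if ext in (".htm", ".html"):
                found += [("external image", s) for s in external_image_sources(part.get_content())]
        elif ctype.startswith("image/"):
            found.append(("embedded image", fname or ctype))
        elif ctype == "text/html":
            found += [("external image", s) for s in external_image_sources(part.get_content())]
    return found


def build_sample():
    """Constructed lure: inline QR image, externally rendered image, PDF and HTM attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Action required: MFA enrollment expires 12/06"
    msg["From"] = "it-helpdesk@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Scan the QR code to complete enrollment.")
    msg.add_alternative('<html><body><p>Scan to enroll:</p><img src="cid:qr1">'
                        '<img src="https://img.example.net/render?data=x"></body></html>',
                        subtype="html")
    msg.get_payload()[1].add_related(b"\x89PNG placeholder", maintype="image", subtype="png",
                                     cid="<qr1>", filename="qr.png")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="enroll.pdf")
    msg.add_attachment('<html><img src="https://cdn.example.org/qr.png"></html>',
                       subtype="html", filename="enroll.htm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(subject_features("Action required: MFA enrollment expires 12/06"))
    for kind, name in qr_sources(build_sample()):
        print(f"{kind:16s} {name}")
```

Each "external image" hit is a URL the mail client would fetch on open, so it is the item to retrieve (from a sandboxed egress) and decode, while the embedded image and attachments can be decoded directly from the message.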
One of the most interesting, and information-rich, aspects of QR codes is the URLs embedded in them.
An important characteristic of a URL embedded in a QR code is its purpose.
Legitimate domains used for redirection make up the second largest portion of domains seen in QR code phishing campaigns.
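As an added example that is not part of the original report, the function below classifies a URL decoded from a QR code into the domain types listed above and separately tests whether a legitimate host is being used as an open redirect. The host sets are constructed placeholders standing in for an organisation's own threat intelligence and allow-lists, and the redirect heuristic (a second absolute URL, possibly percent-encoded more than once, carried in the query, path or fragment and pointing at a different host) is this example's own rather than the report's method.

```python
"""Classify the URL decoded from a QR code, including open-redirect detection.

Added example, not code from the original report. The host sets are
constructed placeholders; the redirect heuristic is this example's own.
"""
import re
from urllib.parse import urlparse, unquote

KNOWN_BAD = {"evil.example"}                      # constructed: hosts already tagged malicious/compromised
SHORTENERS = {"short.example", "lnk.example"}     # constructed: link shortener services
QR_SERVICES = {"qr.example", "qrcode-gen.example"}  # constructed: QR code generation/hosting services
URL_RE = re.compile(r"https?://[^\s\"'<>&]+", re.I)


def _deep_unquote(text, rounds=3):
    """Undo repeated percent-encoding; nesting it is a common way to hide the inner URL."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def embedded_urls(url):
    """Absolute URLs smuggled inside the query, path or fragment of url."""
    p = urlparse(url)
    haystack = " ".join(_deep_unquote(x) for x in (p.path, p.query, p.fragment))
    return URL_RE.findall(haystack)


def classify(url):
    """Return (bucket, outer host, redirect target or None)."""
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_BAD:
        return ("malicious or compromised", host, None)
    if host in SHORTENERS:
        return ("link shortener", host, None)
    if host in QR_SERVICES:
        return ("QR code related", host, None)
    # A legitimate host forwarding to a different host is the open-redirect pattern.
    targets = [u for u in embedded_urls(url) if (urlparse(u).hostname or "").lower() != host]
    if targets:
        return ("legitimate domain, open redirect", host, targets[0])
    return ("unclassified", host, None)


if __name__ == "__main__":
    samples = [
        "https://evil.example/login",
        "https://short.example/abc",
        "https://qr.example/scan/xyz",
        "https://legit.example/r?url=https%3A%2F%2Fevil.example%2Fauth",
        "https://legit.example/r?u=https%253A%252F%252Fevil.example%252Fp",
        "https://legit.example/go/https://evil.example/x",
        "https://legit.example/r?next=https://legit.example/home",
    ]
    for u in samples:
        print(classify(u))
```

The last sample is deliberately left unflagged: a redirect back into the same site is not the pattern the report describes, and treating it as one would bury the real open redirects in noise. Anything classified as an open redirect should be followed with the target, not the outer URL, as the indicator, since the legitimate outer domain is exactly what the attacker is borrowing reputation from.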
This Cyber News was published on securityboulevard.com. Publication date: Wed, 06 Dec 2023 13:43:05 +0000