-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2023.0180
                             Quishing attacks
                              3 October 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:    Quishing attacks
Resolution: Mitigation

OVERVIEW

        AusCERT has recently observed a surge in incidents of "quishing" and 
        aims to proactively inform its members regarding this emerging threat.
        
        Quishing, also known as QR code phishing, is a type of cyber attack in 
        which the target is tricked into scanning a QR code with a mobile device.
        
        These QR codes are designed to mislead users by appearing legitimate, 
        often resembling QR codes found on product packaging, promotional 
        materials, or even in public spaces.
        
        Scanning a malicious QR code can send the user to a fraudulent website, 
        exposing them to identity theft, financial fraud, or malware installed 
        on the device.
        
        The distribution of malicious QR codes can take place through various 
        channels including email, social media, or even physical flyers.
        
        During the previous week, AusCERT conducted analysis of email samples 
        submitted by its member organisations. The findings revealed that email 
        recipients were being prompted to scan a QR code, and the majority of 
        these emails falsely claimed to originate from a manager within the 
        respective organisation. AusCERT observed that the QR code embedded 
        within the email contained a URL leading to a deceptive website, 
        impersonating reputable brands or organisations such as Microsoft. 
        
        This fraudulent site then prompted the recipient to provide their 
        credentials.
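
        The pattern described above lends itself to an automated check at the 
        mail gateway or in the SOC triage queue. The Python script below is an 
        added example, not AusCERT tooling and not taken from any submitted 
        sample: it parses a message with the standard library and scores three 
        signals drawn from the description above (a manager's display name on 
        an external mailbox, an image part that would carry the QR code, and 
        lure wording). The internal domain, the lure patterns and both 
        messages are constructed for the example; decoding the image itself 
        needs a QR library and is left out.

```python
"""Triage heuristics for QR-code phishing ("quishing") lures in e-mail.

Added example, not AusCERT tooling. Scores the signals the bulletin
describes: a display name borrowed from a manager but sent from an
outside mailbox, an image attachment carrying the code, and lure text
asking the reader to scan a QR code or to re-enter credentials.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: the organisation's own mail domain (hypothetical value).
INTERNAL_DOMAIN = "example.com"

# Lure phrasing to look for in the body; the patterns are assumptions
# drawn from the bulletin's description, not a published signature set.
LURE_PATTERNS = [
    re.compile(r"\bscan\b.{0,40}\bqr\b", re.I | re.S),
    re.compile(r"\bqr\b.{0,40}\bscan\b", re.I | re.S),
    re.compile(r"\b(password|credential|authenticat|mfa|2fa)\w*\b.{0,60}"
               r"\b(expire|update|verify|re-?enter)", re.I | re.S),
]


def analyse(raw: bytes) -> dict:
    """Return the signals found in one RFC 5322 message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Signal 1: a friendly display name, but the mailbox is not ours.
    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0]
        if sender.display_name and sender.domain.lower() != INTERNAL_DOMAIN:
            findings.append(f"display name {sender.display_name!r} sent from "
                            f"external domain {sender.domain.lower()}")

    # Signal 2: image parts, the usual carrier for the QR code. A decoder
    # (not included here) would be pointed at these parts.
    images = [p.get_filename() or "<inline>" for p in msg.walk()
              if p.get_content_maintype() == "image"]
    if images:
        findings.append(f"image part(s) present: {images}")

    # Signal 3: lure wording in the text body (tags stripped crudely for HTML).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = re.sub(r"<[^>]+>", " ", body.get_content()) if body is not None else ""
    for pat in LURE_PATTERNS:
        if pat.search(text):
            findings.append(f"lure text matched /{pat.pattern}/")

    # Two independent signals together are enough to hold the message for
    # review; any one of them alone is common in legitimate mail.
    return {"findings": findings, "suspicious": len(findings) >= 2}


def build_sample_lure() -> bytes:
    """Constructed message mirroring the bulletin's description; not a real sample."""
    m = EmailMessage()
    m["From"] = "Jane Smith <jane.smith@mail-notify.invalid>"  # manager's name, outside mailbox
    m["To"] = "staff@example.com"
    m["Subject"] = "Action required: password expiry"
    m.set_content("Hi,\n\nYour password expires today. Please scan the QR code "
                  "below with your phone to re-authenticate.\n\nJane")
    # Placeholder bytes standing in for the PNG that would hold the QR code.
    m.add_attachment(b"\x89PNG placeholder", maintype="image",
                     subtype="png", filename="qr.png")
    return m.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed internal notification with none of the lure signals."""
    m = EmailMessage()
    m["From"] = "IT Service Desk <servicedesk@example.com>"
    m["To"] = "staff@example.com"
    m["Subject"] = "Ticket closed"
    m.set_content("Your ticket has been resolved. Reply to reopen it.")
    return m.as_bytes()


if __name__ == "__main__":
    for name, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        report = analyse(raw)
        print(name, "suspicious" if report["suspicious"] else "clean")
        for f in report["findings"]:
            print("  -", f)
```

        The two-signal threshold is deliberate: an external sender with a 
        display name, or an image attachment on its own, is everyday mail. 
        The combination with lure wording is what matches the samples 
        described above, and the image parts the script lists are the ones to 
        hand to a QR decoder for the URL check.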


MITIGATION

        To avoid falling victim to QR code phishing, here are some recommended 
        precautions:
        
        1. Be cautious of the source: only scan QR codes from trusted and 
           reputable sources. Avoid codes from unknown or suspicious sources, 
           especially ones received in unsolicited messages or emails.
        2. Preview the URL behind the QR code: use a scanning tool that shows 
           the URL encoded in the code before opening it, and read the domain 
           carefully. A preview shows only the first hop, so a shortened or 
           redirecting link still hides the final destination. Options include:
           - The built-in iPhone Camera app shows the domain encoded in the 
             QR code before you open it.
           - A free online QR code reader can decode the content of a code 
             without visiting the link (check the tool's privacy policy first, 
             since the image may be sent to the tool's servers). DNS Checker 
             (https://dnschecker.org/qr-code-scanner.php) is one such tool.
        3. Use a QR code scanner with built-in security features: choose a 
           reputable scanner app that checks the URL or warns about 
           potentially harmful websites, for example QR Scanner - Safe QR 
           Code Reader 
           (https://play.google.com/store/apps/details?id=com.trendmicro.qrscan).
        4. Keep your devices updated: regularly apply the latest security 
           patches and firmware updates to your smartphone or other scanning 
           devices. This protects against known vulnerabilities that attackers 
           may exploit.
        5. Be cautious of personal information requests: if a scanned QR code 
           leads to a page asking for personal information, such as login 
           credentials or financial details, exercise caution and verify the 
           request through a channel you already trust (for example, by 
           contacting the purported sender directly).
        
        Legitimate sources typically do not request sensitive information 
        through QR codes.
        
        Additionally, organisations are encouraged to promote awareness and 
        educate their staff about the risks associated with QR code phishing, 
        and to implement security measures to mitigate these threats.
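
        As an added worked example of step 2 (preview the URL), and of the 
        triage a security team can run on QR payloads that staff report, the 
        Python script below takes the string a scanner has already decoded and 
        reports what a careful reader of the preview would look for: non-web 
        schemes, plain http, a brand name in the hostname whose registered 
        domain is not the brand's, userinfo placed before the real host, raw 
        IP hosts, punycode labels, link shorteners, and redirect parameters. 
        It is not part of this bulletin; the brand domain list, shortener 
        list, public-suffix list and every sample payload are assumptions 
        kept short for illustration.

```python
"""Triage of a URL decoded from a QR code, before anyone opens it.

Added example (not AusCERT tooling): applies the "preview the URL" advice
programmatically to the string a scanner decoded. The brand, shortener
and public-suffix lists below are assumptions kept short for illustration.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed: registrable domains a brand really signs users in from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}
# Assumed: link shorteners, for which a preview shows only the first hop.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "qrco.de", "is.gd"}
# Assumed and deliberately partial: two-label public suffixes.
TWO_LEVEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au", "co.uk", "co.nz"}
# Query parameters that commonly carry an open-redirect target.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto"}


def registered_domain(host: str) -> str:
    """Registrable domain: login.example.com.au -> example.com.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(payload: str) -> dict:
    """Findings for one decoded QR payload, and whether to hold it for review."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # wifi:, smsto:, tel:, otpauth: and similar act on the phone directly.
        findings.append(f"non-web scheme {scheme or '<none>'!r}; review what it triggers")
        return {"host": None, "registered_domain": "", "findings": findings, "hold": True}

    host = (parts.hostname or "").lower()
    if scheme == "http":
        findings.append("plain http: the page and anything typed into it travel unencrypted")
    if parts.username is not None:
        # https://login.microsoft.com@evil.example/ puts the brand first in a preview.
        findings.append(f"userinfo {parts.username!r} in front of the real host {host!r}")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a raw IP address, not a brand's domain")
    except ValueError:
        is_ip = False
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host; check for look-alike characters")

    rd = "" if is_ip or not host else registered_domain(host)
    if rd in SHORTENERS:
        findings.append(f"link shortener {rd}: the preview shows the first hop only")
    # Heuristic: a brand named in the userinfo, host or path, served from
    # somewhere other than that brand's own domains.
    haystack = f"{parts.username or ''}{host}{parts.path}".lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in haystack and rd not in legit:
            findings.append(f"mentions {brand!r} but the registered domain is {rd or host!r}")
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS and any("://" in v for v in values):
            findings.append(f"redirect parameter {key!r} carries another URL")

    return {"host": host, "registered_domain": rd, "findings": findings,
            "hold": bool(findings)}


if __name__ == "__main__":
    # Constructed payloads; none is a real observed URL.
    for p in ("https://login.microsoftonline.com/common/oauth2/authorize",
              "https://microsoft-account-verify.example.net/login",
              "https://login.microsoft.com@attacker.example/auth",
              "http://198.51.100.23/m/",
              "https://example.com/r?url=https://attacker.example/login",
              "WIFI:T:WPA;S:FreeCoffee;P:hunter2;;"):
        r = triage(p)
        print("HOLD " if r["hold"] else "pass ", p)
        for f in r["findings"]:
            print("      -", f)
```

        The registered-domain step is the one most often skipped by eye: a 
        preview that begins with "login.microsoft.com" looks right until the 
        "@" or the real registrable domain further along is noticed, and a 
        shortener gives the preview nothing to judge at all, so those 
        payloads should be resolved in a sandbox rather than on a phone.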
        
        By staying informed and taking proactive steps, we can help minimise the 
        impact of QR code phishing attacks.
        
        More information:
        https://techwireasia.com/2023/08/quishing-attacks-on-the-rise/
        https://www.malwarebytes.com/blog/news/2023/08/qr-codes-deployed-in-targeted-phishing-campaigns
        https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/five-common-qr-code-scams 


REFERENCES

        [1] Quishing attacks
            https://auscert.org.au/blogs/quishing-attacks/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----