Sophos describes a QR code phishing (quishing) campaign that targeted its employees in an attempt to steal information.
The attackers sent phishing emails that appeared to be related to employee benefits and retirement plans. The emails contained PDF attachments which, when opened, displayed a QR code.
If an employee scanned the code, they would be taken to a phishing page that spoofed a Microsoft 365 login form. The page was designed to steal login credentials and multi-factor authentication codes.
One of Sophos's employees fell for the attack, showing that even cybersecurity companies are vulnerable to social engineering. Phishing links embedded in QR codes are more likely to evade detection by security filters, and people are less likely to notice that the URLs are suspicious.
“We in the security industry often teach people resilience to phishing by instructing them to carefully look at a URL before clicking it on their computer,” Sophos explains.
“However, unlike a URL in plain text, QR codes don't lend themselves to scrutiny in the same way. Also, most people use their phone's camera to interpret the QR code, rather than a computer, and it can be difficult to carefully scrutinize the URL that momentarily gets shown in the phone's camera app – both because the URL may appear only for a few seconds before the app hides the URL from view, and also because threat actors may use a variety of URL redirection techniques or services that conceal or obfuscate the final destination of the link presented in the camera app's interface.”
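As an added illustration of the point Sophos makes about redirectors hiding the final destination (example code written for this summary, not Sophos's or KnowBe4's own tooling): a small offline triage helper that takes the URL decoded from a QR code, peels common URL-in-query-string redirect layers without touching the network, and flags Microsoft-themed URLs on non-Microsoft hosts. The allowlist, parameter names and sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: a deliberately short allowlist of genuine Microsoft sign-in hosts.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Assumption: query parameters that redirector services commonly use to carry the next hop.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "target", "dest", "goto", "u"}
# Brand words a lookalike phishing host or path is likely to contain.
LOOKALIKE_TOKENS = ("microsoft", "office365", "o365", "outlook", "sharepoint")


def peel_redirects(url, max_hops=5):
    """Unwrap URL-in-query-string redirect layers offline (no network) and return every hop."""
    hops = [url]
    for _ in range(max_hops):
        params = parse_qs(urlparse(hops[-1]).query)  # parse_qs already percent-decodes values
        nested = None
        for key, values in params.items():
            if key.lower() in REDIRECT_PARAMS and values and values[0].lower().startswith(("http://", "https://")):
                nested = values[0]
                break
        if nested is None:
            break
        hops.append(nested)
    return hops


def assess_qr_url(url):
    """Return a triage verdict for a URL decoded from a QR code in an email attachment."""
    hops = peel_redirects(url)
    final_url = hops[-1]
    final_host = (urlparse(final_url).hostname or "").lower()
    reasons = []
    if len(hops) > 1:
        reasons.append(f"{len(hops) - 1} redirect layer(s) hide the final destination")
    if final_host not in LEGIT_LOGIN_HOSTS and any(t in final_url.lower() for t in LOOKALIKE_TOKENS):
        reasons.append(f"Microsoft-themed URL on non-Microsoft host {final_host}")
    return {"final_url": final_url, "final_host": final_host, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample URLs, as a QR decoder would return them (not real indicators).
SAMPLE_QUISHING = "https://r.redirector.example/go?url=https%3A%2F%2Fmicrosoft-benefits-portal.example%2Flogin"
SAMPLE_LEGIT = "https://login.microsoftonline.com/common/oauth2/authorize?client_id=example-client"

if __name__ == "__main__":
    for sample in (SAMPLE_QUISHING, SAMPLE_LEGIT):
        print(assess_qr_url(sample))
```

In a mail gateway this would run on the string produced by a QR decoder over the PDF's rendered pages, with the verdict feeding a quarantine or analyst queue rather than blocking outright.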
Sophos has observed an increasing number of quishing attempts over the past few months, and these attacks are growing more sophisticated.
“Throughout the summer, samples have become more refined, with a greater emphasis on the graphic design and appearance of the content displayed within the PDF,” the researchers write. “Quishing documents now appear more polished than those we initially observed, with header and footer text customized to embed the name of the targeted individual (or at least, by the username for their email account) and/or the targeted organization where they work inside the PDF.”
Sophos has the story.