Unknown Speaker (3:30)

So it's obviously not a normal thing, right? We don't see QR codes being attached or shared, but it is becoming more prevalent in our day to day lives. When we are going to even certain restaurants, they don't even have a menu anymore, they give you a QR code. And when it comes to emails, more and more companies are trying to use QR codes, but it's a fast way to engage with users and get them to either buy their products or learn about some of their services. And as this is happening, cybercriminals are actually taking advantage of those tactics and being able to utilize. So yeah, it's, it's kind of becoming more and more norm publicly and now businesses are utilizing those as well.

Adam Kahn (4:22)

Well, let's dig into the research here together. You all took a sort of an extended look at, at phishing emails that had QR codes embedded in them.

Unknown Speaker (4:33)

Yeah, that's correct. So we actually did the research from all the way from 20, 24 and 20, from June to September's end and over, like I said, half a million emails that had PDF attachments and QR codes embedded in them. And they're impersonating legitimate brands such as Microsoft. It's a public company that a lot of people are utilizing their products and services, especially in the business sector. And it becomes an easy tactic for attackers to engage users into utilizing verbiage such as urgency to take some of those actions. And the research found that Microsoft was about 51% of the overall QR code attacks that we've been able to attribute to, followed by 31% to, to DocuSign and 15% were attributed to Adobe.

Adam Kahn (5:38)

And what do these typically look like? I mean, are they impersonating login pages of these popular brands? How does it shape up here?

Unknown Speaker (5:48)

Great question. So these cybercriminals are tricking victims by sending them basically a one pager document, right? Or embedding the QR code within the email itself. They're asking users to verify their accounts or reactivate their MFA or review or document wire DocuSign or Adobe. And the way it looks like you will have a message from the attacker and this could be a spoofed email that they could do, they could utilize to generate this email and they'll embed the QR code in the email itself or the attachment. And the attachment basically has, hey, this is a message from your administrator or from Microsoft, the vendor itself, asking you to verify your credentials or reactivate your mfa. And when the users are utilizing their phones, they're urged to use their phone's camera to scan the QR code, which takes them to an actual malicious website where these attackers are able to get their login credentials or distribute malware on the mobile device, or take them to a fake payment portal site.

Dave Buettner (7:10)

We'll be right back.

Unknown Speaker (7:16)

And now a word from our sponsor, Know before it's all connected and we're not talking conspiracy theories, we're talking when it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBeFor, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's security coach uses standard APIs to quickly and easily integrate with your existing security products for from vendors like Microsoft, CrowdStrike and Cisco 35 vendor integrations and Counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbefor.com SecurityCoach that's knowbe4.com SecurityCoach and we thank knowbe4 for sponsoring our show.

Dave Buettner (8:50)

The IT world used to be simpler.

Unknown Speaker (8:53)

You only had to secure and manage environments that you controlled.

Dave Buettner (8:57)

Then came new technologies and new ways to work.

Unknown Speaker (9:00)

Now employees, apps and networks are everywhere.

Dave Buettner (9:04)

This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

Adam Kahn (9:26)

You know, it's interesting when I think about the evolution of some of these attacks. You know, we've said for years, you know, never click the links. And I think we would give folks advice that, you know, if there's a link in an email or something like that, you know, hover over that link so you can see what the actual URL is beneath the text of the link. But it seems to me that in some ways QR codes kind of short circuit that kind of scrutiny.

Unknown Speaker (9:56)

Absolutely. Yeah. It's bypassing the whole, you know, concept of embedding URLs inside, you know, some sort of image. You actually have an image which is the QR code which is taking you to another site. So it becomes very tricky for users to kind of being able to see, okay, this is a phishing email or this is something that's you know, malicious and I shouldn't engage with it. So yeah, it's definitely a new tactic and it's very clever that these cybercriminals are utilizing.

Adam Kahn (10:32)

Does using QR codes make it easier for these messages to bypass, say, spam filters?

Unknown Speaker (10:39)

To a certain extent it does. Right? Spam filters are basically looking at certain content in certain URLs and certain domains. But when you look at advanced email protection software, and then that's actually utilizing AI to do image recognition, when it sees images such as QR codes, it's able to block them before it reaches the user's email.

Dave Buettner (11:08)

So what are your recommendations then based.

Adam Kahn (11:11)

On the information you all have gathered here? How should folks go about best protecting themselves?

Unknown Speaker (11:16)

So I think there's a couple of things users need to look at, right? So one of the first things is look at unexpected emails. Like receiving an email with a QR code from an unfamiliar email address, especially if it contains unsolicited attachment and link, is the red flag, right? You're getting it from an untrusted source. Let's say getting it from a source that you're not familiar with is another one. Promotion offers is another big thing. I know it's very tempting. Some of these QR codes that are being sent and the offers seem to be too good to be true, and they're offered, presented with a QR code to trap the user and there's again some suspicious messages that could be sent where they're asking you to take immediate action and payment. I think these all kind of fall into the user awareness and training category. So making sure the users understand what QR code phishing is, what type of tactics are utilized, and how to go about protecting against those is key. So that I would put that in one category. The other thing is utilizing a multi layer email security that leverages AI. These tactics are so advanced and like you mentioned, spam filters only are going after certain domains and certain artifacts within the email. But when you have images and AI is, as we've seen, is really good at analyzing these images, being able to decipher between a legitimate one and a malicious one. So having a multi layered security helps protect against these attacks before they reach the users themselves. And lastly, I would say I can't stress enough. There's so many organizations, Dave, that I deal with on an ongoing basis that still don't have MFA enabled across the entire infrastructure. Right. Protecting against not just QR code phishing, but against multiple attacks. So those are the three big buckets.

Unknown Speaker (13:31)

I would say.

Dave Buettner (13:42)

Our thanks to Adam Kahn from Barracuda for joining us. The research is titled the Evolving Use of QR Codes in Phishing Attacks. We'll have a link in the Show Notes. That's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire2k.com we're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here next.