Don’t call it quishing but, please, do take it seriously

Quishing is without doubt the most ridiculous name that cybersecurity vendors have given to a threat (and ‘phishing’ isn’t far behind). That, however, doesn’t mean that phishing attacks that use QR codes as their delivery vector aren’t dangerous. Cybercriminals are always looking for new ways to steal credentials and gain access to accounts and systems, and QR codes are becoming an increasingly common one.

QR codes have been around for years, but they gained a second life during Covid lockdowns. You probably remember being asked to authenticate your vaccination status when entering restaurants and pubs. They’re increasingly used to facilitate ‘at table’ ordering of food and drinks, too.

The public soon got used to the things, which most people had largely ignored for over a decade.

What is quishing?

Fast-forward to now and just about every parking meter or pay-to-park station has a QR code stuck to it that launches an app or site where you can take out a mortgage for 30 minutes of car parking time.

I mention the parking thing because this is the first really targeted setting in which criminals have prioritised QR code phishing. They either stick a fake code over the real one, leading to a malicious payment site where card details are collected alongside the payment, or simply stick a code onto a machine that never had one in the first place.

UK roadside rescue service RAC even issued a warning this month to urge motorists to be aware of the threat. Note to the RAC: calling this the ‘Be QRareful’ campaign is neither big nor clever, and likely to drive people away from your messaging.

Microsoft quishing

Just this week, a threat research engineer at Netskope warned of a huge increase in the use of Microsoft Sway (a free cloud-based app that lets Microsoft 365 users create visual documentation and presentations) to deliver phishing traffic using QR codes.

“The abuse of Microsoft Sway in this campaign further emphasises that threat actors have a ready-made easy way to bypass many automated security controls,” warned Max Gannon, Cyber Intelligence Team Manager at Cofense, “by simply abusing a trusted sharing service.”

This subversion of a perfectly legitimate and useful Software-as-a-Service offering shows how common routines, such as scanning a QR code to register a device for multi-factor authentication, can be compromised.

Glenn Chisholm, Chief Product Officer at Obsidian Security, pointed out that the Microsoft Sway attackers hosted their pages behind another legitimate service and gated them with a CAPTCHA, so that automated scanning tools could not reach the phishing content.

“More concerning,” Chisholm said, “is the fact that this attack is combined with Adversary-in-the-Middle tooling, which is used to steal session tokens and bypass most common forms of MFA, making the attack effective against even well-defended enterprises.”

So, start taking QR code threats seriously, secure SaaS applications “and use security providers to identify and nullify potential threats,” Chisholm concluded.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.