Page 158 - Cyber Defense eMagazine December 2023
Now, hackers are embedding malicious QR codes into shopping coupons, phishing emails, payment
sites, and social media accounts – also known as “quishing” attacks.
As technology becomes smarter, so do hackers, and individuals need to be mindful of these new methods
so they can stop attackers in their tracks. With proper cybersecurity training and the help of AI, quishing
can be avoided, and QR code technology can be used to its full advantage.
QR Code Attacks’ Secret Weapon: Creating a False Sense of Trust
Imagine you receive an email from your bank, informing you about a security update for your mobile
banking app. The email explains that you need to update the app immediately to prevent any potential
security breaches and keep your finances safe, so you scan the QR code with your mobile device –
redirecting you to a site that replicates your bank's interface and prompting you to enter your login details.
The update is seemingly “successful.” A couple of days later, you have several unauthorized transactions,
your account has been compromised, and you realize you are a victim of a QR code attack.
Quishing attacks utilize social engineering tactics that make individuals more susceptible to the threat.
These attacks frequently exploit the trust of people who use their mobile devices for regular digital
interactions, such as emails, messages, or payment sites. This creates a false sense of familiarity,
directing victims into a deceptive comfort zone to give out their credentials. Specifically, attackers mainly
use quishing attacks to spread phishing links, deliver malware downloads, or compromise a device.
QR Code Attacks: Emails, Malicious Downloads, and Compromised Devices
QR code attacks can manifest in different ways, which present unique threats to individuals' security.
Quishing often comes in the form of a malicious email link, prompting recipients to scan a QR code and
redirecting them to a counterfeit website that masquerades as a trusted application or service. Individuals
are then encouraged to submit their personal information or login credentials, unknowingly offering their
personal data to the attacker. Quishing attacks can also come disguised as surveys that
ask victims for their personal information, including their Social Security number. These malicious links
and forms serve as bait for victims, making it easy for attackers to receive personal information.
Malware from malicious websites can also be downloaded automatically to a victim’s device. The
dangerous malware can range from spyware to ransomware, granting attackers the ability to pilfer data
or even seize control of a victim's device – posing a huge threat to individuals' security.
Additionally, scanning a QR code can be used to open payment sites, follow social media accounts, or
send malicious email messages from a victim's compromised account. This tactic allows hackers to
impersonate their victims or target others in their network.
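One way a mail gateway or awareness tool could triage the text decoded from a QR code before anyone opens it, shown as an added example that is not part of the original article. The function name, the flag names and the `bank.example` trusted domain are assumptions, the sample payloads are constructed, and decoding the image itself is left to a QR library.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the organisation really uses (reserved .example name, constructed).
TRUSTED_DOMAINS = {"bank.example"}

def triage_qr_payload(payload, trusted=TRUSTED_DOMAINS):
    """Return review flags for the text decoded from a QR code; [] means none raised."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable"]
    if parts.scheme not in ("http", "https"):
        # mailto:, sms:, tel: and similar make the phone act instead of opening a site
        return ["non-web-scheme:" + parts.scheme]
    flags = []
    if parts.scheme == "http":
        flags.append("no-https")
    if parts.username is not None:
        flags.append("userinfo")  # text before '@' is not the destination
    try:
        ipaddress.ip_address(host)
        flags.append("ip-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")
    if not any(host == d or host.endswith("." + d) for d in trusted):
        # A trusted name embedded in a foreign host creates the false familiarity
        # the article describes, so it is reported separately from a plain unknown host.
        embedded = any(d in host or d.split(".")[0] in host for d in trusted)
        flags.append("lookalike" if embedded else "untrusted-host")
    return flags

# Constructed sample payloads, as a scanner would hand them over after decoding.
SAMPLES = [
    "https://www.bank.example/app-update",
    "http://bank.example.secure-update.test/login",
    "https://bank.example@203.0.113.7/login",
    "https://xn--bnk-8la.test/",
    "mailto:helpdesk@bank.example?subject=Reset",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample) or "no flags")
```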
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.