A growing type of attack plays on users’ curiosity to see what is on the other side of QR codes.

Key Points

  • Quick Response (QR) codes are more familiar than ever to users and spark a natural curiosity to see where the QR code leads.
  • Users may not be aware that QR codes carry the same dangers as other potentially malicious URL links and can act in the same way.
  • Cybercriminals are taking advantage of the combination of users’ curiosity and lack of awareness, and this growing type of attack, called quishing, is on the rise.
  • Mimecast stops quishing attacks and continues to innovate with further security enhancements.

Quick Response (QR) codes are two-dimensional barcodes that can store data. They are made up of colored (though usually black) and white squares or pixels in a grid. A smartphone or other device camera can quickly process the information contained in a QR code’s specific arrangement of pixels. QR codes were invented in 1994 by Masahiro Hara, chief engineer at Denso Wave, to track vehicles and parts moving through an assembly line; today, they are widely used in marketing and advertising campaigns.

While QR codes have been in use for many years, they gained popularity during the days of COVID restrictions when restaurants replaced paper menus with digital versions accessed by scanning a QR code displayed on a sticker on tables or a standing table card tent.

Recently, advertisers have begun displaying QR codes in television commercials to give viewers direct access to more information about the service or product that is being advertised. Today, QR codes can be found pretty much everywhere, which unfortunately has made them a very useful tool for cybercriminals.

QR Codes are Actually Links to Webpages

Many people fail to realize that the QR code they are scanning with their device is a link to a webpage. The restaurant menu that is accessed via QR code is hosted on a webpage. The video or other type of additional information advertisers promise will be on the other end of the QR code is also hosted on a webpage. And because any webpage can potentially contain malware or other malicious content, scanning a QR code can result in the same potentially devastating cyberattack that can be launched when clicking a link in a phishing email. The problem is that very few users recognize this danger.

An Opportunity for Cybercriminals

Malicious actors, in an attempt to capitalize on this new attack vector, are creating fake QR codes that mimic legitimate ones. These codes can be delivered to potential victims in many ways, including in an email, on a sticker covering a legitimate QR code, or even in images such as memes or videos posted to social media sites. Once the user scans the code, it takes them to a counterfeit website that may download malware or ask them for sensitive information.

Quishing Attacks are on the Rise

This attack type is called quishing, and although QR codes have been around for some time, quishing attacks have increased significantly in 2023. The increase is due to most users not yet being aware of the danger QR codes pose, a natural curiosity to find out what is on the other side of the QR code, and the fact that many email security programs that are designed to scan URLs for potential dangers are not yet equipped to scan for QR codes.

Mimecast Blocks Quishing Attacks

Mimecast is continually evolving the protection we provide to our customers. Given that QR code attacks are very likely to continue, it is important to note that Mimecast already provides protection against quishing attacks in a variety of ways. Mimecast’s antivirus scanning looks for QR codes that lead to bitcoin wallets, helping prevent quishing attacks.

Additional Quishing Security Features Now Available

Mimecast products now have the ability to conduct deep scanning of URLs delivered via QR codes. This capability identifies QR codes in the body of an email (which is where over 90% of QR codes that are emailed appear), extracts the URL payload, and performs deep scanning of the URL. Malicious content is blocked, and the message is rejected.
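The extract-then-scan flow described above can be sketched as follows. This is an added example, not Mimecast's implementation: it walks the image parts of a message, classifies each decoded QR payload, and returns the URLs that should receive the same deep scan as ordinary links. The `decode_qr` callable is a hypothetical stand-in for any QR decoding library, the two URL heuristics are illustrative assumptions, and the sample message and payloads are constructed.

```python
import ipaddress
from contextlib import suppress
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

def classify_payload(payload):
    """Classify one decoded QR payload; the reasons are illustrative heuristics."""
    try:
        parts = urlsplit(payload.strip())  # urlsplit lowercases the scheme
    except ValueError:
        return "malformed", []
    if parts.scheme == "bitcoin":
        return "crypto-wallet", ["bitcoin: payment URI"]
    if parts.scheme not in ("http", "https"):
        return "non-url", []
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before host")
    with suppress(ValueError):
        ipaddress.ip_address(parts.hostname or "")
        reasons.append("IP-literal host")
    return "url", reasons

def scan_message(raw, decode_qr):
    """Decode every image part; return findings and the URLs owed a deep scan."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in (p for p in msg.walk() if p.get_content_maintype() == "image"):
        where = "attachment" if part.get_content_disposition() == "attachment" else "body"
        for payload in decode_qr(part.get_payload(decode=True)):
            kind, reasons = classify_payload(payload)
            findings.append((where, kind, payload, reasons))
    # QR-borne URLs join the same scanning queue as links found in the text.
    return findings, [f[2] for f in findings if f[1] == "url"]

# Constructed sample: fake image bytes and a stand-in for a real QR decoder.
SAMPLE = {b"IMG-A": ["https://login.example.com@203.0.113.7/mfa"],
          b"IMG-B": ["bitcoin:CONSTRUCTED-ADDRESS"]}

def sample_decoder(image_bytes):
    return SAMPLE.get(image_bytes, [])

def build_sample():
    msg = EmailMessage()
    msg.set_content('<p>Scan to continue</p><img src="cid:qr1">', subtype="html")
    msg.add_related(b"IMG-A", "image", "png", cid="<qr1>")  # inline, in the body
    msg.add_attachment(b"IMG-B", "image", "png", filename="invoice.png")
    return msg.as_bytes()
```

Calling `scan_message(build_sample(), sample_decoder)` returns one body finding and one attachment finding; in a real deployment the decoder argument would wrap an actual QR library.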

Further detection capabilities will continue to roll out to Mimecast customers in early 2024, ensuring that organizations are protected against this modern attack vector.

Learn More

To learn more about how Mimecast can help your organization combat these new QR-code-based quishing attacks, request a demo today.