Rewterz Threat Update – QR Code Phishing Campaign Targets Prominent U.S. Energy Organization

Severity

High

Analysis Summary

One of the US’s major energy companies was recently targeted by cybercriminals in a phishing campaign, where they used QR codes to transfer malicious phishing emails into target inboxes and bypass security. About 29% of the 1000 emails affected by this attack were victims of a notable energy company in the US, while the rest of the targeted emails were organizations in the manufacturing, technology, insurance, and financial sectors.

“The average month-to-month growth percentage of the campaign is more than 270%. The overall campaign has increased by more than 2,400% since May 2023”

Researchers note that this is the first time QR codes have been used in such a large-scale phishing campaign, warning that in the near future more threat actors may consider using it as their attack vector. The phishing email received in this campaign tricks the target user by claiming that they need to update their Microsoft 365 account settings urgently. There is a PNG or PDF attachment of a QR code in these emails that the target is urged to scan in order to verify their account.

These QR codes are embedded in images, so it becomes very easy to bypass security tools that scan mainly for malicious links. This way, the email reaches the victim’s inbox without any problems. Additionally, the QR codes have redirects in Bing, Salesforce, and Cloudflare’s Web3 services which take the users to a fake Microsoft 354 phishing page.

By using base64 encoding for the phishing link, exploiting legitimate services and hiding the malicious URL within the QR code, the threat actors easily avoid detection and carry out the campaign through email protection filters.

QR codes have been used in the past but on a smaller scale in phishing campaigns, notably in France and Germany. Multiple scammers have utilized QR codes to deceive victims into clicking them, redirect them to malicious websites and steal their money and credentials. The FBI has also warned about the increasing use of QR codes in cyberattacks.

Although QR codes are very effective in bypassing security, they still require the victim to actually scan them for the attack to advance. This works nicely in mitigating the threat for personnel who are well-trained in cybersecurity. Most QR code scanners also ask the user to verify the destination URL before redirecting them.

Impact

• Credential Theft
• Security Bypass

Remediation

• Implement advanced email filtering and security solutions capable of detecting and blocking phishing emails, even those with QR codes.
• Configure email systems to block or quarantine emails containing suspicious attachments, especially those with executable files or embedded URLs.
• Educate employees about the importance of verifying the destination URL before scanning QR codes, especially in emails or messages from unknown sources.
• Encourage the use of QR code scanning apps that provide URL previews or other security features to help users make informed decisions.
• Enforce MFA for accessing sensitive accounts and systems, such as Microsoft 365 or other critical services.
• Ensure that all software, including operating systems, web browsers, and security software, is kept up to date with the latest security patches and updates to address vulnerabilities that attackers may exploit.
• Develop and maintain a comprehensive incident response plan that outlines the steps to take in the event of a phishing attack. This plan should include communication protocols, containment measures, and recovery strategies.
• Conduct regular security audits and penetration testing to identify vulnerabilities in your organization’s systems and processes.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.