During the Covid-19 pandemic, a small, black-and-white square established itself firmly between vaccine selfies and curfews: the QR code. Not much earlier, it had been presumed dead and hardly worth reaching for the smartphone, but now it quickly turned into a sort of all-purpose tool. Rapid tests, warning apps, vaccination certificates, train tickets, contact-free payments… or in a nutshell: the gateway to normal life. It is a well-known fact that there is no light without shadow. And so, the potential for danger that is contained in this inconspicuous little box is terrifying.
The Calamitous Comeback of the QR Code
QR stands for ‘quick response code’. A two-dimensional barcode, it appears to be the natural and organic result of our desire to access everything as quickly and easily as possible – with everything only one scan away. It allows immediate transfer of large amounts of information. Both its ease of use and the pandemic acted as catalysts for a new kind of phishing attack: so-called quishing, a term combining ‘QR’ and ‘phishing’.
In traditional phishing attacks, cybercriminals use dubious emails, instant messages or websites to fish for passwords and other personal data.
In the case of quishing attacks, criminals take advantage of the above-mentioned characteristics of QR codes to hide deceptive information behind the black and white checks. Quishing emails are usually designed with great care – you could even say, lovingly. They are made to look authentic. Apparently, it is no longer in vogue among cybercriminals to try and woo potential victims with the news of a multi-million dollar inheritance. Even though some of the potential recipients would certainly enjoy an imaginary trip to a dream summer residence in Saint-Tropez, especially during the dark winter months.
Today’s cybercriminals prefer a subtle approach. They target the weaknesses of the human spirit. The feeling of unbearable torture when you have to deal with troublesome procedures. So they threaten to close a bank account or the user account of a favourite online shop.
Contactless Conception Followed by the Fall
Conventional security mechanisms only scan standard attachments and URLs. However, those measures tend to fail with QR codes. Among the most popular schemes are requests to accept an updated data policy or prompts to set up a new security procedure. And of course, this is all to be done simply and comfortably by scanning a QR code. The criminal toolbox even contains important documents, to be downloaded effortlessly through a QR code.
It is understandable that the recipients want to get rid of this unpleasant mixture of emotions as quickly as possible: the impression of being forced to action, combined with the desire to turn to more enjoyable things right now. But who doesn’t like to relish the feeling of productivity after having taken care of that annoying bank issue? Scanning the code is only a matter of seconds – often with disastrous consequences. Unlike the case of Holy Mary, this contactless conception can turn into sin.
Morays Lurking for Data
Those who comply with the deceptive requests find themselves on forged websites, made up with painstaking attention to detail. After all, the header must sport the exact same shade of royal blue as the Volksbank logo that was nicked off the original website. Various techniques are employed to disguise malicious links and bypass warning messages. A common method consists in misusing content management systems like WordPress and their plugins. Hidden behind fake landing pages, they lure potential victims into their trap. There have also been reports of cybercriminals using Google’s feed proxy server ‘FeedBurner’ for redirection purposes. Another common practice is the use of a custom domain for the redirection process as well as the phishing site itself. Danger is imminent – even if malware defence systems fail to sound the alarm.
Once the perfect delusion has been created, cybercriminals only want one thing: personal data. Like a moray eel lurking in its cave, waiting to get hold of usernames and passwords. Too many recipients forget all precautions when their working day is drawing to a close, with a sundowner calling to them from the terrace. They miss the additional letter in the URL, and only seconds later, their data has been entered into the deceptively realistic-looking registration interface. Phishing URLs targeting Sparkasse customers often start with ‘spk-’, while ‘vr-’ is a common prefix for forged Volksbank sites.
In occupational environments, there is a particular risk when private smartphones bypass a company’s internal security mechanisms. Quishing is ideally suited for this purpose. Once the dangerous code has been scanned, malicious content secretly infiltrates the mobile device. From there, it quickly reaches email inboxes, contact details or documents that are managed through cloud solutions. The perfect gateway. If such an attack occurs and affects critical data, the fire is likely to spread and infect company resources. A type of malware that has recently attracted particular attention is ransomware. Its threat potential is enormous. A sinister imperative, and according to the BSI (the German Federal Office for Information Security), its capacity for damage is multiplied when it affects company networks.
Quishing e-mails from the Volksbank & Sparkasse
Digital Reginheris
The purpose of ransomware is to encrypt user data. Once this process has been completed, the victim faces a ransom demand. The number of affected companies is shockingly high. Their IT and business processes are disrupted. What is more, the criminals often threaten to disclose or sell the data. They target companies of all shapes and sizes. According to the Cyber Readiness Report published by Hiscox in 2022, 48% of German companies pay ransom money after such an attack. The extorted amount is often in the six-figure Euro range. According to the BSI, however, eight-figure sums have been demanded in some cases.
Many victims are shocked to find that criminals continue to make demands even after they have paid up. One might think that the perpetrators could have sprung up from a moderately exciting history documentary. Those scenarios are reminiscent of the year 845, when the Viking leader Reginheri put Paris under siege. Charles the Bald, king of West Francia, decided that resistance was futile and paid a sum of 7,000 pounds of silver for the Danish troops to withdraw. Similar to their colleagues in the cyberspace 1,200 years later, the Norsemen and shield-maidens were unable to resist the temptation to extort further payments. So they continued their attacks.
Modern criminals may not sport braided beards or wear battle axes on their shoulders, but they are serious about their demands, even when the ransom has already been paid. Whether they give in to extortion attempts or not, the consequences are usually grave for individuals, businesses and public institutions. Quishing can cause massive damage: loss of data and reputation, GDPR breaches or financial loss, to name but a few.
How Can I Protect Myself from Quishing?
The question may not have the same cinematic potential as Viking attacks, but it holds just as much suspense: how can you protect yourself from quishing?
“If in doubt, do not scan any QR codes” – this is a rather obvious, but nonetheless valid answer. However, problems tend to arise in cases where there do not seem to be any doubts. Cybercriminals are skilled in exploiting deeply ingrained human dispositions and needs to manipulate individuals – so-called social engineering. It only takes a splash of ignorance to complete the cocktail of catastrophe. This is what makes it so difficult to protect oneself without fail. Still, there are a few simple rules that help minimise the risk:
- Treat QR codes as if they were links. Whether you find them on guerrilla campaign posters, on documents or in emails, QR codes are essentially links and pose the same risks.
- Do not enter any sensitive data. Reputable service providers will never send an email asking you to supply confidential login credentials.
- Always check the email address or the browser address bar if you are already accessing a dubious webpage.
- Check emails and website content carefully. Amusing typos are no longer a distinctive feature of cybercrime. Most texts are well-phrased. Still, the BSI mentions several characteristics that should arouse suspicion, even if only one of them applies:
- Urgent need for action
- Threats of serious consequences in the event of non-compliance
- Request to enter sensitive data
- The email contains links, QR codes or forms
- Unusual requests from a known person or organisation
- If in doubt, double-check through an official communication channel of the service provider in question
- Never download or open files from email attachments or websites unless you are absolutely sure that they are genuine.
Use two- or multi-factor authentication. Even if criminals manage to get their hands on your data, they will still be missing an additional factor to log in.
Just like images of smokers’ lungs on cigarette packages, fear-mongering and simplified rules of conduct are only moderately successful – they are usually forgotten after just a few days. This means that information security must be integrated into the corporate philosophy. Therefore, our most important tip is to provide continuous training and raise the awareness level in your company. With this in mind, we offer our Information Security Course with comprehensive information on the various risks of criminal cyberattacks. It remains a fact: ignorant employees still provide the biggest target for all kinds of cyberattacks.
