With the increased level of user awareness of the dangers of online phishing and the effectiveness of modern browsers in blocking malicious downloads, cybercriminals are innovating their tactics. One of the most insidious methods that has recently emerged is the use of QR codes in paper messages, a means of exploiting users’ trust in traditional correspondence.
Quishing: what is it?
Quishing is a rapidly growing cyber threat that exploits the popularity of QR codes. Unlike traditional phishing, which relies on e-mails or messages, quishing uses malicious QR codes to redirect victims to fraudulent websites or to download malware.
How does Quishing work?
Cybercriminals create QR codes specifically designed to look legitimate, often embedded in promotional materials, e-mails, or even physical signs. When a victim scans the code with their smartphone, they are automatically redirected to a website that mimics the appearance of an authentic site, such as that of a bank or online service. Once on the fake site, the user may be tricked into entering sensitive information, such as login credentials or credit card details.
The Swiss case
In Switzerland, attackers distributed fake paper messages apparently from the Federal Office of Meteorology and Climatology. Inside the letters, a QR code led to a counterfeit application called ‘Alertswiss’, presented as a weather catastrophe warning system.
Users who scanned the QR code and installed the application ended up with malware known as Coper on their Android device. Coper is designed to steal sensitive data from over 380 applications, including banking applications. Although the exact number of compromised devices was not stated, it is certain that Android devices were the main target.
Quishing in Europe
This case highlights how a similar strategy can be replicated in Europe by exploiting local institutions to make phishing messages credible. Examples of scenarios that can be adapted to the European context include:
- False alerts from government institutions: letters appearing to come from government agencies containing QR codes promising quick access to important documents or personal information.
- Banking security alerts: European banks could be used as bait. QR codes in paper messages could lead users to install malicious applications passed off as official security tools.
- Health notices: at a time of public health concerns, bogus letters from organisations such as the Ministry of Health or local health authorities could be accompanied by QR codes directing to fake applications related to the management of vaccinations or health data.
Why does it work?
The success of this type of attack lies in a few key factors:
- Immediate accessibility: the QR code eliminates the need to manually type in a URL, increasing the likelihood that the user will follow the link.
- Sense of urgency: attackers often accompany the message with language that incites quick action, reducing the time to reflect on the legitimacy of the request.
- Trust in paper: users tend to perceive paper messages as more authentic than digital communications.
How to protect yourself?
- Do not trust blindly: even a paper message can be falsified. Always check the source before scanning a QR code.
- Protect your IT infrastructure: use 24-hour monitoring and response systems that can analyse the content of a link in real time and nip the infection in the bud.
- Update your devices: keep your operating system, patches and security tools up-to-date to reduce the risk of malware infections.
- Education and awareness: companies and institutions should invest in user education, showing examples of phishing via QR codes to improve the level of attention.
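As an illustration of the link analysis mentioned above, the following added example (not CYBEROO's code) triages the URL decoded from a QR code before anyone opens it. The domain names, the shortener list and the finding labels are assumptions made for the example; a real deployment would use the organisation's own domain list.

```python
from urllib.parse import urlsplit

# Assumed values for illustration: the sender's real domains, the app stores
# it publishes through, and a few well-known URL shorteners.
OFFICIAL_DOMAINS = {"weather-office.example"}
APP_STORES = {"play.google.com", "apps.apple.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def _matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_qr_url(decoded):
    """Return the reasons a URL decoded from a QR code deserves suspicion."""
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username or parts.password:
        # "official-name@other-host" makes the real host easy to misread.
        findings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    if _matches(host, SHORTENERS):
        findings.append("shortener-hides-destination")
    if parts.path.lower().endswith(".apk"):
        # An app offered outside the official store, as in the Swiss case.
        findings.append("direct-apk-download")
    if not (_matches(host, OFFICIAL_DOMAINS) or _matches(host, APP_STORES)):
        findings.append("host-not-official")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    for url in (
        "https://weather-office.example/alerts",
        "http://weather-office.example.alerts-app.test/app/alert.apk",
        "https://weather-office.example@login-portal.test/signin",
    ):
        print(url, "->", triage_qr_url(url) or "no findings")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.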
In conclusion
Quishing is emerging as a new and dangerous mode of attack, capable of deceiving users by exploiting trust in paper messages. The Swiss case highlights how phishing methods can also evolve rapidly to bypass traditional defences. Technology evolves, and so do threats. Recognising and addressing these risks early on is crucial to protect the security of companies.
Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO