BIGFISH TECHNOLOGY LIMITED
24 September 2024

QR code phishing attacks bypass email security scanners and abuse SharePoint

Quishing, or QR code phishing, is quickly growing as threat actors change their strategies to avoid email security scanners.

Threat actors have added another degree of evasion to their phishing efforts by integrating QR codes, making the attacks more difficult for typical security solutions to detect.

The most recent iteration, termed "Quishing 2.0," employs even more evasive methods than before.

A recent quishing campaign found by Perception Point's security research team exemplifies the complexity of such attacks.

Threat actors take advantage of highly trusted systems such as SharePoint and online QR scanning services, combining them in a way that bypasses nearly every email security solution available today.

 

A Walkthrough of a Quishing 2.0 Attack

  1. Email Message: The target receives an email that appears to be from a legitimate business, possibly with a spoofed domain and impersonation of a trusted business partner. The subject line and attached PDF file indicate that it is a purchase order (PO).

  2. PDF Attachment: Inside the PDF document, the target sees a large QR code and instructions to scan it to view the entire purchase order.
    The PDF includes the impersonated business's physical address, which adds to its legitimacy.

  3. QR Scanning Service (Me-QR): When the target scans the QR code, they are sent to me-qr.com, which is a legitimate QR code generation and scanning service.

    The page shows that the QR code was successfully scanned, along with a button labeled "Skip Advertisement." This step adds another layer of authenticity by utilizing a trusted service.

  4. SharePoint Folder: When the recipient clicks the "Skip Advertisement" button, they are taken to a legitimate SharePoint page that appears to be associated with the impersonated firm. This is where the attacker makes full use of trusted services to conceal harmful intent.

  5. .url File and M365 Phishing Page: When the recipient clicks on the file in SharePoint, they are sent to the final payload, which is a phony OneDrive page.

    The Microsoft 365 login page, which is meant to steal the victim's credentials, appears over what look like scanned bills from the PO in the background.

 

The Evasion Technique

Quishing 2.0 uses two QR codes. The first, or "Bad" QR code, directs to a legitimate SharePoint page associated with a compromised or spoofed company account, which links to the malicious phishing page.

The attacker submits this QR code to an online QR scanning service, such as me-qr.com, which extracts the URL and displays it after an advertisement. The threat actors create a second "Clean" QR code from this result/ad page.

This "Clean" QR code is what targets eventually see and interact with in the PDF file. It appears fully legitimate and evades initial email security screening.

Perception Point's Advanced Email Security uses Dynamic URL Analysis and computer vision to peel back the layers of Quishing 2.0 and identify the harmful content.

The Advanced Object Detection Model examines the content as a user would see it, identifying clickable objects such as buttons or login forms.

When combined with the Recursive Unpacker, Perception Point automatically clicks through these elements to trace the whole path of the attack, revealing the malicious payloads concealed beneath layers of seemingly genuine services and QR codes.

This multi-layered detection stack offers robust, real-time protection against all sorts of quishing attacks, highlighting the importance of sophisticated security solutions in combating emerging threats.
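
The click-through tracing described above can be sketched offline as an added Python example; it is not Perception Point's code and not part of the original article. It follows a URL decoded from a QR code through each hop, including the .url shortcut file, and flags a login form served outside Microsoft's login hosts. The host lists, the FIXTURES map and the placeholder hosts are constructed assumptions.

```python
import configparser
from urllib.parse import urlsplit

# Assumed host lists; FIXTURES stands in for a sandboxed browser clicking each page.
QR_SERVICES = {"me-qr.com"}
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Constructed sample chain; tenant and example.net hosts are placeholders.
FIXTURES = {
    "https://me-qr.com/constructed": {"next": "https://tenant-placeholder.sharepoint.com/po"},
    "https://tenant-placeholder.sharepoint.com/po": {
        "url_file": "[InternetShortcut]\nURL=https://onedrive-view.example.net/po\n"},
    "https://onedrive-view.example.net/po": {"login_form": True},
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def in_domain(h, domains):
    return any(h == d or h.endswith("." + d) for d in domains)

def url_file_target(text):
    """Extract the URL= value from a Windows .url (Internet Shortcut) file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)

def unpack(url, pages, max_hops=8):
    """Follow each page's outbound link or .url file; return (chain, last page)."""
    chain, page = [], {}
    while url and url not in chain and len(chain) < max_hops:
        chain.append(url)
        page = pages.get(url, {})
        url = page.get("next") or (
            url_file_target(page["url_file"]) if "url_file" in page else None)
    return chain, page

def assess(qr_url, pages):
    """Return (verdict, reasons) for a URL decoded from a QR code in an attachment."""
    chain, last = unpack(qr_url, pages)
    hosts = [host(u) for u in chain]
    reasons = []
    if hosts and in_domain(hosts[0], QR_SERVICES):
        reasons.append("qr-service-intermediary")
    if any(in_domain(h, {"sharepoint.com"}) for h in hosts[1:]):
        reasons.append("sharepoint-hop")
    if last.get("login_form") and not in_domain(hosts[-1], MS_LOGIN_HOSTS):
        reasons.append("login-form-off-microsoft-host")
    if "login-form-off-microsoft-host" in reasons:
        return "malicious", reasons
    return ("suspicious" if len(reasons) == 2 else "clean"), reasons
```

The verdict depends on where the chain ends rather than on the reputation of the first URL, which is why the "Clean" QR code's trusted first hop does not lower the score.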

 

Source: Cyber Security News