This guest post was contributed by Allen Lieberman, Chief Product Officer, Tessian.
From banking enrollments to package deliveries, QR codes are everywhere. They are the quickest way to drive mobile web traffic when a direct link is not an option. And as their use grows, attackers are abusing them. QR code phishing, often called quishing (a user scans a QR code that leads to a page which tricks them into downloading malware or handing over credentials or other sensitive information), is an emerging threat that evades traditional defenses such as secure email gateways (SEGs).
This technique, alongside executive impersonation, spear phishing, and social engineering, has become one of the top concerns in email threat defense. The problem is twofold:
Secure email gateways, the most common email security control today, focus on identifying malicious URLs in message text and attachments. A URL encoded in an image such as a QR code is not a URL to them unless the image is located and decoded first.
Attackers are also finding other gaps that gateways do not consider, such as changing display names to impersonate an existing relationship, or routing attacks through legitimate but compromised domains. Whatever a rules-based system misses, attackers will find.
In a single day, cloud email security provider Tessian stopped over 3,000 QR code phishing attacks. Here are five tactics that can stop QR code phishing attacks:
QR Code Detection: this method uses scanning of message images and attachments together with threat intelligence to identify and block malicious QR codes within emails. By locating QR codes in those images, decoding them and extracting the embedded URLs for analysis, an email security tool can prevent these threats from reaching employees' inboxes in the first place, so the scam cannot succeed. This is arguably the most reliable and effective of the five methods, because it removes the link before anyone can scan it, even accidentally.
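As an added example (not Tessian's code or the page's own), the locating step of QR code detection in pure Python: a 1-bit image is scanned for the three 7x7 finder patterns by their 1:1:3:1:1 run ratio, the way decoders such as ZXing and zbar locate a code before reading it. The sample bitmap, the helper names and the tolerances are assumptions of this example; decoding the located code into its URL is left to a decoder library (for example pyzbar) and is not shown.

```python
"""Locate QR finder patterns in a 1-bit image (added example, not Tessian's code).

Every QR code carries three identical 7x7 finder patterns (top-left, top-right,
bottom-left). A row or column through the centre of one crosses runs of
dark:light:dark:light:dark modules in the ratio 1:1:3:1:1. Three such centres
with the same module size is a cheap, library-free "this image contains a QR
code" test; reading the payload URL is then a job for a decoder such as zbar.
"""
from typing import Iterator, List, Optional, Tuple

Bitmap = List[List[int]]          # bitmap[y][x]: 1 = dark, 0 = light


def binarize(gray: List[List[int]], threshold: int = 128) -> Bitmap:
    """Threshold an 8-bit grayscale image into dark/light pixels."""
    return [[1 if v < threshold else 0 for v in row] for row in gray]


def runs(line: List[int]) -> List[Tuple[int, int, int]]:
    """Run-length encode a line into (value, start, length) triples."""
    out, start = [], 0
    for i in range(1, len(line) + 1):
        if i == len(line) or line[i] != line[start]:
            out.append((line[start], start, i - start))
            start = i
    return out


def ratio_ok(lengths: List[int], tol: float = 0.5) -> bool:
    """True if five run lengths match 1:1:3:1:1 within tol module widths."""
    unit = sum(lengths) / 7.0
    if unit < 1.0:
        return False
    return all(abs(l - e * unit) <= tol * unit for l, e in zip(lengths, (1, 1, 3, 1, 1)))


def row_candidates(bm: Bitmap) -> Iterator[Tuple[float, int, float]]:
    """Yield (x_centre, y, module_px) for every dark-led 1:1:3:1:1 window in a row."""
    for y, row in enumerate(bm):
        r = runs(row)
        for k in range(len(r) - 4):
            win = r[k:k + 5]
            lengths = [w[2] for w in win]
            if win[0][0] == 1 and ratio_ok(lengths):
                yield win[2][1] + win[2][2] / 2.0, y, sum(lengths) / 7.0


def column_check(bm: Bitmap, x: int, y: int) -> Optional[Tuple[float, float]]:
    """Confirm the ratio down column x through row y; return (y_centre, module_px)."""
    r = runs([row[x] for row in bm])
    for k, (val, start, length) in enumerate(r):
        if start <= y < start + length:          # the run containing row y
            if val != 1 or k < 2 or k + 2 >= len(r):
                return None
            lengths = [w[2] for w in r[k - 2:k + 3]]
            if ratio_ok(lengths):
                return start + length / 2.0, sum(lengths) / 7.0
            return None
    return None


def find_finder_patterns(bm: Bitmap) -> List[Tuple[float, float, float]]:
    """Return de-duplicated (x, y, module_px) centres confirmed in both axes."""
    found: List[Tuple[float, float, float]] = []
    for x, y, hunit in row_candidates(bm):
        col = column_check(bm, int(x), y)
        if col is None:
            continue
        cy, vunit = col
        if abs(vunit - hunit) > 0.5 * hunit:      # module size must agree in both axes
            continue
        unit = (hunit + vunit) / 2.0
        if any(abs(x - fx) <= 2 * unit and abs(cy - fy) <= 2 * unit for fx, fy, _ in found):
            continue                              # same pattern, seen on an adjacent row
        found.append((x, cy, unit))
    return found


def looks_like_qr(bm: Bitmap) -> bool:
    """Three finder patterns of consistent module size: treat the image as a QR code."""
    pats = find_finder_patterns(bm)
    if len(pats) < 3:
        return False
    units = [u for _, _, u in pats]
    return max(units) <= 1.25 * min(units)


FINDER = [[1, 1, 1, 1, 1, 1, 1], [1, 0, 0, 0, 0, 0, 1], [1, 0, 1, 1, 1, 0, 1],
          [1, 0, 1, 1, 1, 0, 1], [1, 0, 1, 1, 1, 0, 1], [1, 0, 0, 0, 0, 0, 1],
          [1, 1, 1, 1, 1, 1, 1]]


def sample_bitmap(size: int = 60, scale: int = 2) -> Bitmap:
    """Constructed test image: three finder patterns at 2 px/module plus clutter."""
    bm = [[0] * size for _ in range(size)]
    for top, left in ((2, 2), (2, size - 16), (size - 16, 2)):
        for my, row in enumerate(FINDER):
            for mx, v in enumerate(row):
                for dy in range(scale):
                    for dx in range(scale):
                        bm[top + my * scale + dy][left + mx * scale + dx] = v
    for x in range(16, size - 16):                  # timing-pattern-like stripe (1 px runs)
        bm[20][x] = x & 1
    for y in range(30, 42):                         # solid blob standing in for a logo
        for x in range(30, 42):
            bm[y][x] = 1
    return bm


if __name__ == "__main__":
    print(find_finder_patterns(sample_bitmap()), looks_like_qr(sample_bitmap()))
```

On a real attachment the image would first be rasterised and passed through `binarize`; the ratio tolerance of half a module is the same slack most decoders allow for blur and skew, and the column confirmation is what keeps stripes of text from being mistaken for a code.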
Perceptual Hashing (pHash): This technique detects the re-use of images that are known to be part of phishing attacks. It stores the perceptual hash, or "fingerprint", of media and can detect when a later email uses a similar image. A database is built holding the hashes of images that should be blocked. Every time an email is received, its images are hashed with a perceptual hashing function and compared to the collection of known malicious image hashes by Hamming distance; unlike a cryptographic hash, a perceptual hash changes only slightly when an image is resized, recompressed or lightly edited, so a small distance means a near-duplicate. If a sufficiently similar hash is found, we treat the email as malicious and act accordingly. In the future, we expect to see a wider range of applications of perceptual hashing, including detecting brand logos used to impersonate vendors. As it stands, it works when the QR code is paired with text, images or logos, because the hash captures the overall composition of the image (layout, colour, logos) rather than the fine black-and-white modules of the code itself; a standalone black-and-white QR code cannot be reliably matched on its own.
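The matching described above, as an added example that is not Tessian's code: a DCT-based perceptual hash in pure Python, a Hamming-distance comparison, and a blocklist lookup. The grayscale "lure" images, the PRNG behind the fake QR modules and the distance threshold of 10 are constructed assumptions of this example. It also prints the distance between the template and a copy carrying a different QR code, which is the case the text says this technique targets: the surrounding composition is re-used while the code itself changes.

```python
"""DCT perceptual hash (pHash) with a Hamming-distance blocklist lookup.

Added example, not Tessian's code. Images are 2-D lists of 8-bit grayscale
values (a real pipeline converts RGB to luma first). Recipe: shrink to 32x32,
2-D DCT, keep the 8x8 lowest frequencies, set each bit to "above the median":
a 64-bit fingerprint that survives rescaling, recompression and small edits.
"""
import math
from typing import Iterable, List

Gray = List[List[int]]


def shrink(img: Gray, size: int) -> List[List[float]]:
    """Box-average the image down to size x size, keeping layout and dropping detail."""
    h, w = len(img), len(img[0])
    out = []
    for ty in range(size):
        y0, y1 = ty * h // size, (ty + 1) * h // size
        row = []
        for tx in range(size):
            x0, x1 = tx * w // size, (tx + 1) * w // size
            total = sum(img[y][x] for y in range(y0, y1) for x in range(x0, x1))
            row.append(total / ((y1 - y0) * (x1 - x0)))
        out.append(row)
    return out


def dct_matrix(n: int) -> List[List[float]]:
    """Orthonormal DCT-II basis, C[u][x]."""
    return [[math.sqrt((1 if u == 0 else 2) / n) * math.cos(math.pi * (2 * x + 1) * u / (2 * n))
             for x in range(n)] for u in range(n)]


def dct2(m: List[List[float]]) -> List[List[float]]:
    """2-D DCT computed as C * M * C^T."""
    n, c = len(m), dct_matrix(len(m))
    tmp = [[sum(c[u][x] * m[x][y] for x in range(n)) for y in range(n)] for u in range(n)]
    return [[sum(tmp[u][y] * c[v][y] for y in range(n)) for v in range(n)] for u in range(n)]


def phash(img: Gray, hash_size: int = 8) -> int:
    """64-bit perceptual hash: low-frequency DCT coefficients thresholded at their median."""
    coeffs = dct2(shrink(img, hash_size * 4))
    low = [coeffs[u][v] for u in range(hash_size) for v in range(hash_size)]
    s = sorted(low)
    median = (s[len(s) // 2 - 1] + s[len(s) // 2]) / 2
    bits = 0
    for val in low:
        bits = (bits << 1) | (1 if val > median else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def is_known_malicious(img: Gray, blocklist: Iterable[int], max_distance: int = 10) -> bool:
    """Blocklist lookup: a near-duplicate of any known lure (distance <= max_distance) matches."""
    h = phash(img)
    return any(hamming(h, known) <= max_distance for known in blocklist)


# ---- constructed sample images (not real phishing artefacts) -------------------

def _lcg(seed: int):
    """Tiny deterministic PRNG so the fake QR modules are reproducible."""
    while True:
        seed = (seed * 1103515245 + 12345) & 0x7FFFFFFF
        yield seed >> 16


def lure_image(qr_seed: int, brightness: int = 0, scale: int = 1) -> Gray:
    """64x64 'lure': dark header band, logo block, 12x12-module QR area, light gradient."""
    rnd = _lcg(qr_seed)
    qr = [[next(rnd) & 1 for _ in range(12)] for _ in range(12)]
    img = []
    for y in range(64):
        row = []
        for x in range(64):
            v = 200 + x // 4                                    # light background gradient
            if y < 12:
                v = 40                                          # header band
            elif 20 <= y < 36 and 8 <= x < 24:
                v = 90                                          # "logo"
            elif 28 <= y < 52 and 36 <= x < 60:
                v = 10 if qr[(y - 28) // 2][(x - 36) // 2] else 245   # 2 px per module
            row.append(min(255, max(0, v + brightness)))
        img.append(row)
    if scale > 1:   # nearest-neighbour upscale, as a re-exported copy of the template
        img = [[px for px in row for _ in range(scale)] for row in img for _ in range(scale)]
    return img


def unrelated_image() -> Gray:
    """A different lure, transposed and polarity-inverted: different layout and tone."""
    return [[255 - v for v in row] for row in zip(*lure_image(3))]


if __name__ == "__main__":
    known = phash(lure_image(7))
    print("template vs rescaled, brightened copy:", hamming(known, phash(lure_image(7, 10, 2))))
    print("template vs same layout, new QR code :", hamming(known, phash(lure_image(99))))
    print("template vs unrelated image          :", hamming(known, phash(unrelated_image())))
```

The rescaled and brightened copy hashes to (almost) the same fingerprint because box-averaging back to 32x32 reproduces the original cells and a uniform brightness shift only moves the DC coefficient, which the median threshold ignores; that is the property that lets one stored hash catch a whole family of re-exported lure images.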
Image Optical Character Recognition (OCR)-Based Detection: This detection scans attachments for text that indicates a QR code is present. Anything with wording such as "scan the code" is flagged and investigated further. While people are likely to be more wary of opening attachments than of a QR code embedded in the body of an email, in cases of spoofing or lookalike email addresses the recipient may believe they have an existing relationship with the sender, let their guard down, and open the attachment containing the malicious code.
URL Analysis: This service analyses URL landing pages and returns a maliciousness assessment along with detailed information about the page, using third-party machine learning models to assess risk. It allows users to be warned when a URL that appears safe redirects to a page intended to impersonate a brand, harvest credentials, and/or deliver malware to the user's device.
Behavioral Analysis: This method models an employee's communication history to understand the sender's relationship with the recipient. If an email arrives from an address where a character is off, or from a lookalike domain, the analysis alerts the recipient to the spoofed or lookalike address and advises caution when opening email from that domain on the organisation's network. The idea is to flag the message as suspicious before it is even opened.
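One way to implement the sender-relationship check in the paragraph above, as an added example (not Tessian's code): the recipient's contact history is constructed, the domains and display names are made up, and the confusable-character table and finding codes are this example's own choices. It goes slightly beyond the text in also decoding punycode (`xn--`) labels before comparison, since a Cyrillic "о" in a domain otherwise survives a byte-for-byte check.

```python
"""Sender-relationship and lookalike-domain checks (added example, not Tessian's code).

The behavioral signal in its simplest form: the recipient's history of who they
exchange mail with, used to ask of each new message "is this a sender you know,
a lookalike of one, or someone borrowing a known display name?".
Contact data and domains below are constructed.
"""
from email.utils import parseaddr
from typing import Dict, List

# Characters attackers swap for visually similar ones. Both sides are normalized
# with the same table, so comparison is on the "skeleton" of the domain.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i",  # Cyrillic
    "ο": "o", "α": "a", "ι": "i",                                                   # Greek
})
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_domain(domain: str) -> str:
    """Lower-case, decode punycode labels, then collapse confusable characters."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass                          # leave undecodable labels as they are
        labels.append(label)
    skeleton = ".".join(labels).translate(CONFUSABLES)
    for pair, single in MULTI_CHAR:
        skeleton = skeleton.replace(pair, single)
    return skeleton


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header: str, history: Dict[str, str]) -> List[str]:
    """Return finding codes for an inbound From: header.

    history maps addresses the recipient has corresponded with to the display
    name seen with them. An empty list means an established relationship.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in history:
        return []
    domain = addr.rsplit("@", 1)[-1]
    known_domains = sorted({a.rsplit("@", 1)[-1] for a in history})
    findings = ["new-sender"]
    skeleton = normalize_domain(domain)
    for known in known_domains:
        if domain == known:
            continue                          # new mailbox at a known org: not a lookalike
        known_skeleton = normalize_domain(known)
        if skeleton == known_skeleton:
            findings.append("lookalike-domain:homoglyph")
        elif levenshtein(skeleton, known_skeleton) <= 1:
            findings.append("lookalike-domain:edit-distance")
    known_names = {n.lower() for n in history.values()}
    if name and domain not in known_domains and name.strip().lower() in known_names:
        findings.append("display-name-impersonation")
    return findings


# Constructed contact history for one recipient (names and domains are made up).
HISTORY = {
    "dana.kim@contoso.com": "Dana Kim",
    "ap@northwind-supplies.com": "Northwind AP",
}

if __name__ == "__main__":
    for hdr in ("Dana Kim <dana.kim@contoso.com>",
                "Dana Kim <dana.kim@contoso-corp.net>",
                "Northwind AP <ap@northwind-supp1ies.com>",
                "IT Helpdesk <help@contosso.com>"):
        print(f"{hdr:45} -> {assess(hdr, HISTORY)}")
```

The findings are deliberately separate codes rather than a single verdict: a first-time sender alone is routine, a first-time sender whose domain collapses to a known one or whose display name belongs to a known contact is what the warning banner should be keyed on.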
While QR codes are meant to make our lives easier, enterprises need to ensure that they interact with them securely and that their teams are aware these attacks are taking place, so that they stay vigilant.