A new phishing campaign, Quishing, uses QR codes to trick victims into clicking on a compromised link. The aim is to steal access data for the Microsoft 365 cloud applications.
Phishing is one of the greatest threats to IT security, as is well known by now. Most companies have taken steps to at least contain the tide of ongoing campaigns. As a result, the attackers have to keep adapting and come up with new tricks. The cybersecurity researchers from Abnormal Security are now reporting on a new phishing campaign in which cyber criminals use QR codes to lure their victims to fake Microsoft 365 pages and steal their user data there. This technique is also called quishing.
Quishing, phishing with a difference
The current case appears to be a further development of an already known campaign to steal user data for the Microsoft 365 cloud service. In the original emails, a URL supposedly led to a voicemail that could be listened to after entering login details. But this link was soon recognized as malicious by common antivirus programs and blocked. The criminals had to come up with something new and replaced the link with a QR code. In many cases, this is not recognized as dangerous by common virus scanners, as they only see a supposedly harmless image file.
The phishing e-mails are sent from e-mail accounts that have already been compromised by malware and that belong to real employees at real companies. This gives the campaign additional credibility. How exactly the criminals behind the campaign gained access to these e-mail accounts is not yet fully understood.
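The blind spot described above can be turned into a mail triage rule. The following is an added example, not code from Abnormal Security or 8com: it flags voicemail-themed messages that carry an image but no link in the body. The `decode_qr` hook, the sample addresses and the sample URL are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"voice\s?mail|voice message", re.I)  # lure named in the article

def triage(raw, decode_qr=None):
    """Flag mail whose link may have moved from the body into an image.

    decode_qr is a hypothetical hook: a callable taking image bytes and
    returning the strings found in any QR codes (plug in a real decoder).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    lure = bool(LURE_RE.search(str(msg.get("Subject", ""))))
    body_urls, images = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text = part.get_content()
            body_urls += URL_RE.findall(text)
            lure = lure or bool(LURE_RE.search(text))
        elif ctype.startswith("image/"):
            images.append(part.get_content())
    qr_urls = []
    if decode_qr:
        for img in images:
            qr_urls += [s for s in decode_qr(img) if URL_RE.match(s)]
    # A URL scanner has nothing to inspect when the only link is inside an image.
    blind_spot = bool(images) and not body_urls
    return {"lure": lure, "body_urls": body_urls, "qr_urls": qr_urls,
            "images": len(images),
            "review": bool(qr_urls) or (lure and blind_spot)}

def build_sample(body, with_image):
    """Constructed sample message; the image bytes are a placeholder, not a real QR code."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "New voicemail received"
    m.set_content(body)
    if with_image:
        m.add_attachment(b"constructed-image-bytes", maintype="image",
                         subtype="png", filename="code.png")
    return m.as_bytes()

if __name__ == "__main__":
    quish = build_sample("Scan the code to listen to your voicemail.", True)
    print(triage(quish))
    print(triage(quish, decode_qr=lambda img: ["https://login.example.invalid/"]))
```

Messages marked for review are candidates for QR decoding and URL analysis, which is the step that image-blind scanners skip.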
Quishing target: Microsoft 365 logins
If the victim scans the QR code and follows the link contained in it, they are directed to a deceptively real-looking fake login page for Microsoft 365. There they are asked to enter their user data in order to listen to the voicemail announced in the e-mail. If the victim follows this request, their data falls into the hands of the criminals and can then be used to spread ransomware or other malware. Increasingly, stolen data is simply resold to other criminals, which often makes it even more difficult to identify the actual data thieves.
At first glance, the detour via a QR code seems unnecessarily time-consuming. After all, the victim usually needs a second device with which they can scan the QR code before they can access the compromised site and enter their data. But for the criminals, this approach has the advantage that they are much less likely to be detected by security software. As long as the victim does not notice that the mail came from a hijacked e-mail account, many people are likely to feel safe. Activating multi-factor authentication, on the other hand, provides largely reliable protection against quishing: even with the access data they have captured, the criminals still do not gain access to the account.
About 8com
The 8com Cyber Defense Center effectively protects the digital infrastructures of 8com's customers from cyber attacks. It includes security information and event management (SIEM), vulnerability management and professional penetration tests. It also offers the setup and integration of an Information Security Management System (ISMS) including certification according to current standards. Awareness measures, security training and incident response management round off the offer.