Sometimes you just have to admire the scammers. Now it’s QR codes, curiosity, and while it may or may not kill the cat, it could quite possibly smash your wallet. Or, as those of us in the infosec industry are liable to say, worse. From one QR scan, scammers could quite feasibly make it all the way into the company’s crown jewels.
Check out this article on the Advantage website. You know how those QR codes are all over everything these days? (long after the time we all thought ‘that’ll never catch on’.) That’s because QR codes have, in fact, caught on. For example, plenty of restaurants these days sport a code on the table; scan to order.
Unless of course, the scammers have been and replaced the code with one taking you to a spoof website that looks like the real thing. Place your order, and boom! A stack of money leaves your bank account, and no filet mignon for you.
As the linked piece so ably points out, ‘QRuisity’ can cause all kinds of trouble. Scammers have figured out that all it takes to get someone onto a dodgy website is putting a QR code in the right place, and the victim enthusiastically does the rest.
You can see the potential in this hack. Combine the QR code with a ‘too good to be true’ offer, place it somewhere folks will have their guard down (like the bathrooms of a pub or restaurant? At a concert or sports venue? Random flyers in Courtney Place?) and the target may well be caught with their pants down. Figuratively, of course. Scan the dodgy QR code, and who knows what sort of an exciting night awaits.
Oh, and sorry about this, but the industry has a whole new and discomforting term for these sorts of attacks. Quishing.
Online publication Infosecurity points to a study saying up to 22% of attacks in early 2023 started out with quishing, so it is happening in the real world. A notable observation is that marcomms people are most likely to fall for a QR scam, while those with legal responsibilities are less susceptible – probably nothing more in that, than marketing people work and are perhaps more comfortable with the codes.
Be that as it may, we haven’t seen any direct incidences of the QR phishing attack in New Zealand yet. However, we are of course watching closely; in fact, those of us in infosec spend plenty of time on theoreticals, hypotheses, and seeing what’s happening elsewhere. There’s good reason for that, because our perpetual foes are diabolically clever, and they’re more international than James Bond.
Necessity being the mother of invention, the best place to start explaining why their minds never rest is looking at necessity: nearly all of them are doing what they do for money. The easier the money, the better (though as recently noted, some of these geniuses go for the long con and the big payoff, using the viscerally named ‘pig butchering’ technique).
But what quishing really tells us is quite simple, and yet another timely reminder of what infosec is all about. You are being attacked all the time. It isn’t paranoia if someone really is out to get you. Taking care of the basics means taking care of most of the threats out there, and the basics must include constant, repeated, and updated education for your people.
Social engineering and taking advantage of human nature, which absolutely includes curiosity, is probably one of the hardest techniques to defend against, and quishing definitely leverages just that.
So, the advice on this one? Be aware. Quash the quish. Don’t let QRiosity get the better of you, or your people. Offers that are too good to be true, are too good to be true. Whether they come via door knock, phone call, email, or QR code.
