In May 2023, a phishing campaign was launched that targeted a major U.S. energy company, as well as organizations in other industries, such as finance, insurance, manufacturing, and technology. The campaign used malicious QR codes embedded in PNG image attachments or redirect links associated with Microsoft Bing and well-known business applications, such as Salesforce and Cloudflare's Web3 services.
The emails in the campaign purported to be from Microsoft, and they claimed that the recipient needed to update their account security settings or activate two-factor authentication (2FA)/multi-factor authentication (MFA) within 72 hours. The emails also included a QR code that, when scanned, would take the victim to a fake Microsoft login page. If the victim entered their Microsoft credentials on the fake page, the credentials would be stolen by the attackers.
The campaign was successful in tricking some victims into scanning the QR codes and entering their Microsoft credentials. The attackers were able to steal a total of 100 Microsoft accounts, which could then be used to access sensitive information or launch further attacks.
A blog post from Cofense, which spotted the campaign, further details the scam, particularly the one aimed at the energy company.
This phishing scam is a reminder of the dangers of QR codes. QR codes are often used for legitimate purposes, such as paying for goods or services, but they can also be used for malicious purposes. Anyone who receives an email with a QR code should be sure to verify the sender before scanning the code. They can also hover over the QR code with their mouse or phone scanner to see the URL that it links to. If the URL is not from a trusted source, they should not scan the code.
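Because this campaign routed victims through redirect links on well-known domains, checking only the first hostname of a decoded QR URL is not enough. The following is an added example, not code from Cofense or the original article: it assumes the QR code has already been decoded to a URL string, and the allowlist, function names, and sample URLs are all constructed for illustration (they are not the real redirect formats of any service).

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: hosts this organization trusts (constructed for the example).
TRUSTED_HOSTS = {"login.microsoftonline.com", "www.bing.com"}

def _host(url):
    """Return the lowercase hostname of an http(s) URL, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed input, e.g. a broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None

def embedded_urls(url):
    """Return http(s) URLs carried inside the query string or fragment."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes once; unquote below covers double encoding.
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates.append(parts.fragment)
    return [v for v in (unquote(c).strip() for c in candidates) if _host(v)]

def triage(url):
    """Classify a URL decoded from a QR code found in an email."""
    host = _host(url)
    if host is None:
        return "block: not an http(s) URL"
    if host not in TRUSTED_HOSTS:
        return "review: untrusted host " + host
    # A trusted first hop can still forward to an untrusted destination.
    for inner in embedded_urls(url):
        if _host(inner) not in TRUSTED_HOSTS:
            return "review: trusted host redirects to " + _host(inner)
    return "allow"

# Constructed sample inputs.
SAMPLES = [
    "https://login.microsoftonline.com/",
    "https://login.example.invalid/mfa",
    "https://www.bing.com/r?u=https%3A%2F%2Flogin.example.invalid%2Fmfa",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample), "<-", sample)
```

This only catches destinations visible in the URL itself; redirect targets that are encoded some other way or resolved server-side still need web content filtering at click time.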
Here are some additional comments from cybersecurity vendor representatives:
Patrick Harr, CEO at SlashNext:
"QR codes are another means to spread mobile-based phishing campaigns, and many mobile phones do not have phishing protection. A number of companies that offer QR code and short code creation have security to prevent hackers from using their service to create malicious QR codes. However, there are still many services that hackers can use, so it's important to have mobile protection against malicious links.
Bad actors have shifted their tactics to mobile-based attacks because most phones do not have phishing protection and mobile phones provide bad actors access to corporate accounts, banking information and other personal data."
Timothy Morris, Chief Security Advisor at Tanium:
"QR codes are the norm and a ubiquitous part of everyday life. We all love shortcuts, and QR codes are extremely beneficial and convenient. Users should be very suspicious of QR codes that come via email. Like with any phish, be leery of anything from unknown sources or that instills a sense of urgency. Report it as a phish, delete, or ignore. For enterprises, it is still important to employ good email security, use web content filtering, and provide user training."
Cybersecurity professionals are warning about the dangers of QR phishing campaign scams. They say that these scams are becoming increasingly sophisticated and that it is important to be aware of the risks.
Here are some of the things experts are saying about QR phishing campaign scams:
- These scams are often very convincing and can easily fool even the most security-conscious users.
- The scammers often use QR codes that are embedded in images or links in emails or social media posts.
- Once the victim scans the QR code, they are taken to a fake website that looks like the real website of the company or organization that the scammer is impersonating.
- The victim is then tricked into entering their personal or financial information, which the scammer can then use to steal their identity or commit fraud.
To protect oneself from QR phishing campaign scams, experts recommend the following:
- Be suspicious of any email or social media post that asks the recipient to scan a QR code.
- Only scan QR codes from trusted sources.
- If unsure whether a QR code is legitimate, do not scan it.
- Anyone who scans a QR code and thinks it may have been a scam should change their passwords immediately.
Here are some additional tips to help stay safe from QR phishing scams:
- Use a security solution that can scan QR codes for malicious content.
- Keep operating systems and software up to date.
- Be careful about what information is shared online.
- Only click on links from trusted sources.