What Is Quishing?

Sebastian Salla Published: November 27, 2024

Quishing, short for QR code phishing, is a type of sophisticated phishing attack where scammers use QR codes to obfuscate and deliver phishing links. Once the QR code is scanned and the link embedded within it is clicked, the victim is led to a phishing website where they are prompted to divulge sensitive information.

Due to the growing popularity of QR codes, particularly as a way of quickly exchanging complex information (e.g. long URLs), cybercriminals have increasingly begun to use quishing as a means of compromising unsuspecting victims.

What Makes Quishing So Dangerous?

What makes quishing attacks so dangerous is a combination of two properties: QR codes inherently hide the URLs they carry, and they can be presented, and scanned, in both digital and physical formats. Let's explore these dangers further:


Hides URLs By Design

QR codes, by their very design, display information in a format that's only readable by machines. To read a QR code, humans need to first scan it with a camera. Because of this, humans can't verify what they are scanning ahead of time. In addition to this, when QR codes are scanned by mobile devices and contain a URL, only a portion of the URL is displayed on the screen, further hindering efforts to determine if the URL is malicious or legitimate.


Can Be Digital Or Physical

QR codes are commonly used in both digital and physical formats. This significantly increases the attack surface for the average individual, as you can be presented with malicious QR codes during day-to-day physical activities, such as grocery shopping. In many cases, cybercriminals will physically print a malicious QR code and stick it over the top of a legitimate one, leaving people few ways to tell the real code from the fake one without first scanning it.

An Example Quishing Attack

In this example, we'll showcase how a cybercriminal might trick a victim into falling for a quishing attack.

  1. Attacker Prints Numerous Malicious QR Code Stickers

     These QR code stickers are printed in bulk and all lead to the same phishing website, but each URL is ever so slightly different, allowing the attacker to identify which QR code was scanned when a victim visits the phishing website.

     The attacker travels to a neighbouring city and, over the course of a day, plants these QR codes in various locations: sticking them over the top of legitimate QR codes, putting up fake notices with the QR codes attached, and plastering them on job boards.

  2. Victim Scans A Malicious QR Code Sticker

     Some time later, a victim scans one of the QR codes that was placed on a job board. During the scanning process, the victim sees an unusual URL, but because they are using a mobile phone, they can't see enough of the URL to say for certain whether it is legitimate or malicious. The victim ultimately decides to click the link that was scanned from the QR code.

  3. Victim Divulges Sensitive Information

     The victim is presented with a registration page that prompts them to create an account before they can proceed. The registration page is generic in nature and makes no direct reference to who operates the page or why the information is needed. The registration is a step-by-step wizard that progressively asks for more sensitive information as the form progresses.

     Upon completion of the registration, the victim gets a notification that someone will be in contact with them. At this point the attacker has met their goal and successfully quished a victim for sensitive information.

Common Quishing Use Cases

Because QR codes are used in both physical and digital formats, and because they can carry varying types of information, there is a range of use cases in which an attacker can use a QR code to try to compromise an unsuspecting victim. The most common quishing use cases are outlined below:

Malicious Website Link

Cybercriminals use digital or physically printed QR codes to embed malicious phishing website links for a range of attacks. In many cases, the end goal is to harvest a victim's credentials.

Fake Bitcoin Wallet Address

Cybercriminals use physically printed QR codes to embed fake Bitcoin wallet addresses in the hopes that a victim accidentally mistakes the fake wallet address for a real wallet address.

Fake Wi-Fi Configuration

Cybercriminals use physically printed QR codes to embed fake Wi-Fi network configurations. A mobile device that scans such a code automatically connects to the rogue Wi-Fi network, which is controlled by the attacker, and all data sent over it can be intercepted.

Malicious Mobile App Link

Cybercriminals use digital or physically printed QR codes to embed a smart link, which, when scanned and clicked, automatically detects the victim's operating system and then loads their device's native app store, with the malicious app ready for installation.

Practical Tips To Avoid Quishing Attacks

As QR codes continue to rise in popularity, it's becoming increasingly important to understand how you can detect and protect yourself against quishing attacks:

  • Question where QR codes originate from: Scanning a QR code that's provided directly by a trusted individual is very different from scanning a QR code that's in a public or unprotected location.
  • Preview scanned URLs before clicking them: Just as you would preview a URL in a suspicious email, always preview the URL presented by a QR code. If in doubt, don't click the link.
  • Inspect physical QR codes for tampering: A malicious QR code may be an overlay on top of a legitimate QR code. Check whether the code can be peeled off the page or poster it's stuck to.
  • Avoid using QR codes when an alternative is available: QR codes are designed to be read by machines, not humans. This adds an inherent risk that's difficult to mitigate. By using alternatives whenever they're available, you'll reduce your overall risk of falling victim to a quishing attack.
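The "preview before clicking" tip above is easier to follow when the full decoded payload, rather than the truncated preview a phone shows, is laid out and labelled. The following is an added example, not code from the original article, that triages a decoded QR string into the payload kinds listed under Common Quishing Use Cases (web link, Wi-Fi configuration, Bitcoin address); the warning heuristics and sample payloads are my own constructions.

```python
# Added example: triage a decoded QR payload before acting on it.
# Input is the raw string a scanner app decodes; nothing is visited.
import re
from urllib.parse import urlsplit

def parse_wifi(payload):
    """Parse the 'WIFI:T:WPA;S:ssid;P:pass;;' QR format into a dict."""
    fields = {}
    # Each field is KEY:VALUE; where ';', ':' and '\' in VALUE are backslash-escaped.
    for key, value in re.findall(r'([A-Z]+):((?:\\.|[^;])*);', payload[5:]):
        fields[key] = value.replace('\\;', ';').replace('\\:', ':').replace('\\\\', '\\')
    return fields

def triage_qr_payload(payload):
    """Return (kind, details, warnings) for a decoded QR string."""
    warnings = []
    if payload.upper().startswith('WIFI:'):
        wifi = parse_wifi(payload)
        warnings.append('auto-join Wi-Fi config: confirm the SSID with the venue')
        if wifi.get('T', '').lower() in ('', 'nopass'):
            warnings.append('open network: traffic can be intercepted')
        return 'wifi', wifi, warnings
    if payload.lower().startswith('bitcoin:'):
        # BIP 21 style: bitcoin:<address>?amount=...
        address = payload[8:].split('?', 1)[0]
        warnings.append('payment address: verify it out of band before paying')
        return 'bitcoin', {'address': address}, warnings
    parts = urlsplit(payload)
    if parts.scheme in ('http', 'https'):
        host = parts.hostname or ''
        if parts.scheme == 'http':
            warnings.append('plain http: no TLS')
        if parts.username or parts.password:
            warnings.append('credentials embedded in URL: likely obfuscation')
        if re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', host):
            warnings.append('raw IP address instead of a domain name')
        if len(payload) > 80:
            warnings.append('long URL: a phone preview will truncate it')
        return 'url', {'host': host, 'full_url': payload}, warnings
    return 'other', {'raw': payload}, ['unrecognised payload: do not act on it']

if __name__ == '__main__':
    # Constructed sample payloads, not real indicators.
    for sample in ('WIFI:T:WPA;S:Cafe Guest;P:secret;;',
                   'bitcoin:bc1qexampleaddress?amount=0.01',
                   'http://192.0.2.10/login?id=sticker-042'):
        print(triage_qr_payload(sample))
```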


Frequently Asked Questions

What Is A QR Code?

QR codes, short for Quick Response codes, are a type of machine-readable barcode initially developed in 1994 for the manufacturing industry. QR codes were introduced to improve resilience and to increase the amount of information that could be stored compared with traditional barcodes. QR codes do this by encoding information in both horizontal and vertical space (i.e. two dimensions), whereas traditional barcodes only encode information in horizontal space (i.e. one dimension).

What's The Difference Between Quishing Links And Phishing Links?

Quishing links involve the use of a QR code to embed a malicious URL inside of an image that can only be read by a machine. In contrast, standard phishing links are human-readable URLs that lead to phishing websites. QR codes add a layer of obfuscation that standard phishing links don't provide.