Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon
Beginning in late 2024, Unit 42 researchers noticed a shift in QR code phishing tactics. Attackers are hiding the final malicious destination by leveraging the redirection mechanisms of legitimate sites, alongside other phishing tactics. Palo Alto Networks found evidence suggesting that some of these phishing sites are tailored to specific individuals, indicating prior information gathering. Phishing attacks have evolved beyond traditional links or buttons in malicious documents: attackers are increasingly hiding phishing URLs within QR codes, a method called QR code phishing or quishing. Telemetry from Palo Alto Networks indicates that these attacks have become common in both the U.S. and Europe, affecting a wide range of sectors, such as healthcare, automotive, education, energy, and finance. These QR code phishing attempts are often designed to mimic electronic signature documents from platforms like DocuSign or Adobe Acrobat Sign; the documents are entirely generated by the threat actors, not by the legitimate services. Attackers use enticing topics and frequently incorporate company logos, HR email addresses, or dates into their phishing documents so that they resemble genuine official communications, hoping to reduce users' suspicion. To make their attacks even more convincing, attackers insert nonsensical or arbitrary text within the Google redirect URL. The adversaries frequently employ URL redirection or exploit open redirects on legitimate websites, which conceals the true destination of the phishing link and helps it avoid detection by security crawlers. The final stage of these attacks is credential harvesting: attackers collect the login details or sensitive data that victims enter on fake login pages, which often imitate services like Microsoft 365 or display the victim company's logo.
Security Officer Comments:
Attackers are increasingly employing sophisticated techniques to conceal the final malicious destination, exploiting redirection mechanisms on legitimate websites and incorporating human verification checks such as Cloudflare Turnstile that require no direct user interaction. These tactics help them evade detection by security crawlers and managed detection solutions. Palo Alto Networks uncovered evidence suggesting that some of these phishing sites are specifically tailored to individuals, indicating that a calculated adversary conducted prior reconnaissance and information gathering. Additionally, the fact that the fake login pages can reject wrong logins and display errors points to the spear-phishing nature of these attacks and their customization, further emphasizing that they are tailored to maximize their success rate against specific individuals or organizations. Telemetry data from Palo Alto Networks indicates that these attacks have become widespread across both the U.S. and Europe, impacting a diverse range of sectors and underscoring the severity of the activity. A common lure in these attacks mimics electronic signature requests from platforms like DocuSign or Adobe Acrobat Sign, with the fake documents entirely generated by the attackers. To enhance the deception, attackers use enticing subjects and often incorporate company logos, HR email addresses, and dates to create the illusion of genuine official communication, thereby lowering user suspicion. The adversary makes a noticeable effort to further obfuscate their tactics by including nonsensical text within Google redirect URLs. This evolution in phishing tactics highlights the need for user awareness training and advanced security solutions capable of detecting and blocking similar quishing threats.
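As an added example (not code from the Unit 42 report or from Palo Alto Networks), the following Python statically unwraps a URL recovered from a QR code through a known redirector such as the Google redirect URL described above, counts the padding parameters that carry no destination, and flags a final host that differs from the visible one. The QR decoding step (e.g. a zbar-based decoder), the redirector allow-list and the sample URL are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical allow-list of redirector hosts and the query parameters that carry the
# real destination; extend it with redirectors seen in your own telemetry.
KNOWN_REDIRECTORS = {"www.google.com": ("q", "url"), "google.com": ("q", "url")}

def embedded_target(url):
    """Return (destination, extra_param_count) if url is a known redirector, else (None, 0)."""
    parts = urlsplit(url)
    names = KNOWN_REDIRECTORS.get(parts.netloc.lower())
    if not names:
        return None, 0
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in names:
        if name in query:
            # parse_qs decodes once; unquote again to catch double-encoded destinations.
            target = unquote(query[name][0])
            if target.startswith(("http://", "https://")):
                # Every other parameter is padding with no routing purpose.
                return target, len(query) - 1
    return None, 0

def unwrap_redirects(url, max_hops=5):
    """Follow redirector parameters statically (no network); return (chain, padding)."""
    chain, padding = [url], 0
    for _ in range(max_hops):
        target, extra = embedded_target(chain[-1])
        if target is None:
            break
        padding += extra
        chain.append(target)
    return chain, padding

def assess(url):
    """Verdict for one URL recovered from a QR code in a suspected quishing document."""
    chain, padding = unwrap_redirects(url)
    first_host = urlsplit(chain[0]).netloc.lower()
    final_host = urlsplit(chain[-1]).netloc.lower()
    return {
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        "hidden_destination": final_host != first_host,
        "padding_params": padding,
    }

# Constructed sample: a Google redirect padded with junk parameters that leads to a
# look-alike e-signature login page (.invalid is a reserved, non-resolving TLD).
SAMPLE = ("https://www.google.com/url?sa=t&zx=lorem-ipsum-dolor"
          "&q=https%3A%2F%2Flogin-example.invalid%2Fsign%2Fdocusign&rct=j")
```

Calling assess(SAMPLE) reports one hop to login-example.invalid with three padding parameters; a direct link to the visible host reports zero hops and no hidden destination.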
Suggested Corrections:
IOCs:
https://unit42.paloaltonetworks.com/qr-code-phishing/
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.
Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.
As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.
Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering over it might reveal a different web address. In fact, users should avoid clicking links in emails unless they are certain that the link is legitimate.
Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.
Users should not be frightened or intimidated by messages that have an alarmist tone. They should double-check with the company if they are uncertain about the status of their accounts.
Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.
Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.
Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.
Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.
It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.
If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.
Link(s):
https://unit42.paloaltonetworks.com/qr-code-phishing/