Security researchers noticed fraudsters incorporating QR codes into various phishing attack campaigns as a way to evade URL analysis.

Cofense observed that the phishing campaigns used simple emails to evade URL analysis from respected security solutions. Overall, the body of the messages used just a few basic HTML elements and an embedded GIF of a QR code to set up an effective disguise as a SharePoint email. With this mask in place, the attack messages instructed recipients to scan the QR code to review an important document.

If they complied, the QR code redirected the recipients to a phishing website located at hxxps://digitizeyourart[.]whitmers[.]com/wp-content/plugins/wp-college/Sharepoint/sharepoint/index[.]php via their smartphone’s browser. In so doing, the campaign moved the phishing attack away from the corporate business network, not to mention whatever URL analysis tools might be in place, and onto a user’s mobile device. The site then instructed recipients to sign in to their AOL, Microsoft or “Other” account so the phishers could make off with their login credentials.

QR Codes and Other Clever Phishing Tactics

QR codes have been used for malicious purposes before. Back in 2012, for instance, The Register reported a surge of activity in which threat actors printed out stickers displaying QR codes that pointed to malicious websites. These individuals then placed these stickers over legitimate QR codes deployed in well-trafficked areas such as airports and city centers.

In 2016, Vade Secure came across a phishing campaign leveraging QR codes. This operation ultimately redirected users who scanned the embedded QR codes to a compromised WordPress website. There, they received instructions to fill out a form by entering their login credentials.

Supplementing URL Analysis for Email Defense

Security professionals can help supplement URL analysis and thereby boost their organization’s email defenses by conducting test phishing engagements to empower each and every employee in defending the corporate network. Approaches such as ahead-of-threat detection can also help block potentially malicious domains, including those leveraged in phishing attacks, before they become active.