
Why scanning QR codes shared on emails and messages may not be a good idea

Updated - November 02, 2023 05:27 pm IST

Published - November 02, 2023 04:48 pm IST

Threat actors are sending emails and messages that pretend to be from big tech companies and carry QR codes directing users to fake webpages used to collect sensitive user data and launch phishing attacks

Cybercriminals use emails and messages pretending to be from big tech companies to distribute fake QR codes. | Photo Credit: KK Mustafah

Cybercriminals use emails and messages pretending to be from big tech companies, including Microsoft and its Office 365 cloud service, to distribute QR codes. When scanned, these QR codes take users to a convincing replica of the login page of an online account. Credentials entered on these pages are collected by threat actors to be sold on the dark web or used to launch further attacks, including hijacking users' accounts, launching ransomware attacks and expanding the number of victims.


Leveraging the threat of expiring credentials

Cybercriminals typically send emails with a notification saying that the user's account password is about to expire, after which the user will lose access to their mailbox, and that the password must be changed by scanning the QR code in the email and following the instructions.

“Authenticator session has expired today” is another hook used by threat actors to get users to scan QR codes. Usually, the QR codes come with the promise of re-authenticating password security to lure unsuspecting users into scanning them.

Cybercriminals also make use of a “verified” stamp in the email, which scammers use to persuade users to click a link or open a file. And while the stamp may not be enough to fool users well versed with emails, it has been known to have been used by cybercriminals.

When users scan the QR codes, they are redirected to a convincing-looking replica of a login page. Threat actors are also known to make use of InterPlanetary File System (IPFS) resources. IPFS is a communication protocol for sharing files, similar to torrents. The protocol allows for publishing files on the internet without domain registration, hosting, or other complications, Kaspersky shared in a blog post.

Scammers use the protocol because publishing a phishing page on it is much easier, and removing one much harder, than blocking a “regular” malicious website.

How to guard against phishing attack using QR codes

Users should not scan QR codes from untrusted sources. Users should also keep in mind that no authentication system will provide QR codes as the only method to authenticate passwords for continued access to user accounts. Therefore, emails that ask you to confirm something, sign into an existing account or reset a password, and that offer a QR code as the only method to do so, should be ignored or reported as spam.
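For mail or help-desk teams, the checks above can be applied to the URL a QR code decodes to before anyone opens it. The following is an added example, not code from the article or from Kaspersky; it assumes the QR code has already been decoded to a string, the trusted-host list is an assumption to replace with your own sign-in hosts, and all sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the exact hosts your organisation really signs in on.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}

# IPFS content reached through a web gateway has two common URL shapes:
# path style /ipfs/<CID> (or /ipns/<name>) and subdomain style <CID>.ipfs.<gateway>.
IPFS_PATH = re.compile(r"^/(ipfs|ipns)/[A-Za-z0-9]+", re.I)
IPFS_SUBDOMAIN = re.compile(r"^[a-z0-9]+\.(ipfs|ipns)\.", re.I)


def triage_qr_url(url):
    """Return the reasons a URL decoded from an emailed QR code looks risky."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed input, e.g. an unbalanced "[" in the host
        return ["unparseable"]
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme in ("ipfs", "ipns"):
        reasons.append("ipfs-scheme")
    elif parts.scheme != "https":
        reasons.append("not-https")
    if IPFS_PATH.match(parts.path) or IPFS_SUBDOMAIN.match(host):
        reasons.append("ipfs-gateway")
    # Exact match only: a lookalike that merely starts with a trusted name fails.
    if host not in TRUSTED_LOGIN_HOSTS:
        reasons.append("untrusted-host")
    return reasons


# Constructed sample URLs (not taken from any real campaign).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://gateway.example/ipfs/bafybeigdyrexamplecid/login.html",
    "https://bafybeigdyrexamplecid.ipfs.gateway.example/",
    "http://login.microsoftonline.com.example.net/reset",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = triage_qr_url(sample)
        print("REVIEW" if verdict else "ok    ", sample, verdict)
```

An empty result only means none of these three checks fired; it does not make a password-reset request that arrives solely as a QR code legitimate.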
