quishing Piergiorgio Venuti

Quishing: the dangerous hybrid between phishing and QR code

Estimated reading time: 5 minutes

Introduction

The advent of digital technology has brought with it numerous opportunities, but also new threats to cybersecurity. Among these threats, phishing has gained notoriety as one of the most popular methods to obtain sensitive information from users. However, an evolution of this threat has emerged recently, called “quishing”. In this article, we will explore the concept of quishing in detail, comparing it to other forms of cyber attacks such as phishing, smishing and vishing, and analyzing its potential danger. Examples of quishing cases will also be presented and the possible malicious uses of this practice will be described.

What is quishing and how does it work?

Quishing, short for “QR code phishing”, is a sophisticated variant of phishing that uses QR codes to trick users into obtaining personal or financial information. While traditional phishing relies primarily on sending phishing emails, quishing uses malicious QR codes that can be present on flyers, posters, compromised websites or other forms of communication.

The functioning of quishing is based on user trust in the QR code. Users are tricked into acquiring the QR code through a deceptive action, for example through a false promotion or an apparent advantageous offer. Once the user scans the QR code with a QR code application, they are redirected to a counterfeit website that imitates a legitimate page. At this point, the user may be asked to enter their credentials, personal data or financial information, which will later be exploited by cyber criminals for malicious purposes.

Comparison between quishing, phishing, smishing and vishing

To fully understand the danger posed by quishing, it is helpful to compare it to other forms of similar cyber attacks, such as phishing, smishing, and vishing.

Phishing is a form of attack in which attackers send deceptive emails or text messages with the aim of tricking users into revealing personal or financial information. Quishing differs from traditional phishing in the use of QR codes, which adds an element of physical interaction and greater credibility to the attack.

Smishing, on the other hand, focuses on sending malicious text messages that attempt to scam users out of sensitive information. Although quishing could be considered a variant of smishing, the use of QR codes makes it a more sophisticated and difficult to recognize attack.

Finally, vishing is an attack that occurs through telephone calls, in which attackers pose as operators of financial institutions or other reliable organizations in order to obtain confidential information. Although vishing has a different attack mode than quishing, both exploit user trust and psychological manipulation to achieve their goals.

Among these forms of cyber attacks, quishing could be considered the most dangerous as it combines the psychological deception element of traditional phishing with the physical interaction provided by QR codes. This can lead to greater effectiveness in deceiving users and collecting sensitive information.

Examples of quishing cases

To better understand the scope of quishing, here are some examples of known cases of quishing attacks:

Case 1: Fake promotion of a clothing store

A user receives a flyer promoting a great discount at a popular clothing store. The flyer contains a QR code that promises to reveal further details about the offer. Unaware of the danger, the user scans the QR code with their smartphone, which redirects them to a counterfeit website that imitates the store’s official page. The website requires the user to enter their personal information, including credit card information, in order to obtain the discount. However, once the user provides such information, cyber criminals use it for fraudulent purposes, causing serious financial damage.

Case 2: Banking scam via QR code

A user receives an email apparently from their bank, stating that they need to update their account information for security reasons. The email contains a QR code that invites the user to scan to complete the update. Once the user scans the QR code, they are redirected to a counterfeit website that appears authentic. The site requires the user to enter their banking credentials, allowing criminals to gain access to the account and carry out financial fraud.

Case 3: Malicious QR codes on compromised websites

A user browses a legitimate website, but unfortunately compromised by hackers. While browsing the site, the user encounters a QR code that appears to be related to the content of the site. Curious, he scans the QR code with his smartphone, without realizing that it was inserted by the attacker. The QR code redirects him to a malicious web page that attempts to steal his personal or financial information.

Conclusions and precautions

Quishing represents a growing threat in the cybersecurity sphere. Cybercriminals exploit user trust and the widespread use of QR codes to trick people into obtaining sensitive information. To protect yourself from quishing, it is important to take some precautions:

  1. Verify the source: Before scanning a QR code, make sure you know the source it came from. Check the reliability of the issuer and look for any signs of forgery.
  2. Watch out for too-good-to-be-true offers: Be cautious about promotions and extraordinary offers, especially if they require the use of a QR code. Verify the authenticity of the offer through official channels before providing personal or financial information.
  3. Keep your software up to date: Make sure you keep your smartphone, operating system and applications up to date. Updates often include security patches that can protect you from known vulnerabilities used by attackers.
  4. Use reliable security solutions: Install antivirus and anti-malware applications on your mobile device to detect and block any threats.
  5. Education and awareness: Educate yourself and spread awareness about quishing and other forms of cyber attacks among friends, family and colleagues. Share tips and best practices to reduce the risk of falling victim to such attacks.

In conclusion, quishing represents a significant threat to cybersecurity. With the increased use of QR codes in everyday communication, it is crucial to be aware of the associated risks and take appropriate precautions to protect your personal and financial information.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1 macOS Sequoia 15.1.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121753. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: macOS Sequoia Impact: Processing maliciously crafted […]
  • Local Privilege Escalations in needrestart November 21, 2024
    Posted by Qualys Security Advisory via Fulldisclosure on Nov 21Qualys Security Advisory LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) ======================================================================== Contents ======================================================================== Summary Background CVE-2024-48990 (and CVE-2024-48992) CVE-2024-48991 CVE-2024-10224 (and CVE-2024-11003) Mitigation Acknowledgments Timeline I got bugs...
  • APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2 iOS 17.7.2 and iPadOS 17.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121754. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: iPhone XS […]
  • APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1 iOS 18.1.1 and iPadOS 18.1.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121752. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: iPhone XS […]
  • APPLE-SA-11-19-2024-2 visionOS 2.1.1 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-2 visionOS 2.1.1 visionOS 2.1.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121755. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: Apple Vision Pro Impact: Processing maliciously crafted web […]
  • APPLE-SA-11-19-2024-1 Safari 18.1.1 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-1 Safari 18.1.1 Safari 18.1.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121756. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: macOS Ventura and macOS Sonoma Impact: Processing maliciously […]
  • Reflected XSS - fronsetiav1.1 November 21, 2024
    Posted by Andrey Stoykov on Nov 21# Exploit Title: Reflected XSS - fronsetiav1.1 # Date: 11/2024 # Exploit Author: Andrey Stoykov # Version: 1.1 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.html Reflected XSS #1 - "show_operations.jsp" Steps to Reproduce: 1. Visit main page of the application. 2. In the input field of "WSDL Location" […]
  • XXE OOB - fronsetiav1.1 November 21, 2024
    Posted by Andrey Stoykov on Nov 21# Exploit Title: XXE OOB - fronsetiav1.1 # Date: 11/2024 # Exploit Author: Andrey Stoykov # Version: 1.1 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-15-oob-xxe.html XXE OOB Description: - It was found that the application was vulnerable XXE (XML External Entity Injection) Steps to Reproduce: 1. Add Python3 […]
  • St. Poelten UAS | Path Traversal in Korenix JetPort 5601 November 21, 2024
    Posted by Weber Thomas via Fulldisclosure on Nov 21St. Pölten UAS 20241118-1 ------------------------------------------------------------------------------- title| Path Traversal product| Korenix JetPort 5601 vulnerable version| 1.2 fixed version| - CVE number| CVE-2024-11303 impact| High homepage| https://www.korenix.com/ found| 2024-05-24 by| P. Oberndorfer, B. Tösch, M....
  • St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro November 21, 2024
    Posted by Weber Thomas via Fulldisclosure on Nov 21St. Pölten UAS 20241118-0 ------------------------------------------------------------------------------- title| Multiple Stored Cross-Site Scripting product| SEH utnserver Pro vulnerable version| 20.1.22 fixed version| 20.1.35 CVE number| CVE-2024-11304 impact| High homepage| https://www.seh-technology.com/ found| 2024-05-24 by| P....

Customers

Newsletter

{subscription_form_1}