There are a number of factors to consider that can impact resilience to quishing attacks, including “keeping tight controls around URL shortening and redirects happening from their domain,” says Mathew Woodyward, principal threat intelligence researcher at Okta. Companies should be “paying attention to what QR codes they put out into the wild and ask themselves, ‘How could someone abuse this link?” he says.
You can be assured that attackers will use AI to generate convincing quishing emails. This is a case of fighting fire with fire. As Barracuda’s Klevchuk says, “The use of AI and image recognition technology is useful in detecting these attacks. AI-based detection will also look for other signals that can be a sign of a malicious presence, such as senders, image size, content, and placement in a to determine malicious intent.”
Machine learning detection is important because it is able to form a broader picture of a given artifact and make predictions about whether it’s malicious or not beyond what a person might be able to foresee. AI can form a general picture of an event and make determinations based on real-world learning.
Red teaming attack simulations and penetration testing
There’s no way to know how you are doing without testing. An organization should be running simulated attacks to explore the response of its employees, technology, and security team. Including QR codes in those simulations is an important step. This type of simulation can also help discover how well the organization responds to a breach, especially with regard to compromised account detection and lockout.
Woodward echoes this: “Cybersecurity should be deploying tight controls to prevent account takeovers after login,” says Woodward, “monitoring active credential stuffing attempts and stopping them at the identity-level using breached password detection.”
The role of multifactor authentication
Multifactor authentication can help mitigate the effects of a successful QR code attack by limiting the damage of compromised credentials. Interestingly, QR code phishing emails are often disguised as multifactor verification emails, a point to keep in mind when alerting employees and also when designing such legitimate verification notices.
The idea is a simple one. QR codes can be embedded in a variety of ways to encode scannable information, in the case of hackers, usually a phishing URL or a malware download. By automatically triggering the effect, QR codes can reduce the amount of thought a user puts into using them. QR codes offer a low-effort “improvement” for attackers, a kind of asymmetrical warfare.
Although many quishing campaigns have been targeted at consumers so far, we know from experience that it will spread to enterprise and government targets, something we are already seeing.