
Cyber threat actors have, once again, demonstrated their diabolic innovation, launching an attack using the old phishing email, but bringing in a QR Code to deceive security systems that have learned to find traditional phishing messages.

Published by the Trellix Advanced Research Center (ARC) in October, “Peeling off QR Code Phishing Onion: Revealing the Hidden Layers of Deceit” is a voluminous analysis of this modern take on this simple, yet effective credential thief.

“The country’s development, strategic relevance and future prospects have always made South Africa and organisations of all sizes within its borders increasingly attractive to hacking groups over the years,” says Carlo Bolzonello, country lead at Trellix South Africa. “Syndicates – many allegedly sponsored by world governments – are increasing their efforts in attacking South African systems, with Government organisations now the most targeted group.

“A simple, yet effective tool, phishing messages will plunge an unsuspecting user into a state of urgency and action. Masked under the guise of a helpful person or programme, the phishing email draws users in to click on unsafe links that mimic authentic sites,” says Bolzonello.

Recent QR Code campaigns

The Trellix Advanced Research Center recently detected an attack campaign with an acute spike of phishing emails, and another campaign that has been steadily progressing since early 2022 with a slight variation in its TTPs (tactics, techniques and procedures).

In two large-scale, global campaigns, cybercriminals used QR codes as their primary mechanism to evade detection from email security products.

Phishing emails in both campaigns were mostly devoid of text URLs, which makes most email security products ineffective, as they rely on readable text and URLs for detection.

The use of QR codes for phishing is not new, but there is more to these campaigns. Analysis revealed that the malicious actors not only use QR codes as their primary means of evading detection but also layer further evasion tactics on top, making these campaigns hard to detect.

The full blog article focuses on the layered techniques used to evade detection by security products. It also shows the targeted regions and discusses additional evasion methods that attackers could potentially use.

Detailing the 2023 Microsoft Account phishing campaign, as well as the 2022 Fake Chinese subsidy, the report provides an in-depth review of the tools used, including snippets of developer code and examples of the user journey of a typical target.

The Microsoft Account campaign was found to be widespread, affecting sectors like fuel and energy, finance and banking, telecommunications, IT and software, healthcare, transport, and manufacturing.

Qatar, Denmark, Sweden, Australia, South Africa, Abu Dhabi, Pakistan, India, Singapore and China were affected by the Microsoft QR Code phishing campaign.

Bypassing Text

Since most email security products act upon an email body comprised of only text and URL for detection, malicious actors overcame this hurdle by solely using images in the email body. These emails convey that the user needs to use a mobile phone to scan the QR code and proceed further.

The first variant of this campaign contained text and QR code images embedded directly within the email body, and the other variant encountered had a PDF attachment containing a QR code.
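The evasion described in this section is structural: the message carries its call to action in an image or a PDF, so a filter that only inspects text and URLs sees nothing to act on. The following is an added example of a defender-side triage rule, not code from the Trellix report; it walks the MIME structure of a message with Python's standard `email` library and flags messages that contain inline images or PDF attachments but no text URLs, especially when the little text that remains tells the recipient to scan something with a phone. The three sample messages and the 200-character threshold are constructed for the example.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Wording that typically accompanies a QR-code lure: the body itself has no link,
# the recipient is told to use a second device.
SCAN_HINT_RE = re.compile(r"\b(scan|qr code|mobile (?:phone|device)|camera)\b", re.I)
MIN_TEXT_CHARS = 200  # constructed threshold: "almost no text" for this example


def extract_features(raw: str) -> dict:
    """Walk every MIME part and count text, URLs, inline images and PDF attachments."""
    msg = message_from_string(raw)
    feats = {"text_chars": 0, "urls": 0, "inline_images": 0,
             "pdf_attachments": 0, "scan_hint": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", errors="replace")
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)  # crude tag strip, enough for counting
            text = " ".join(body.split())
            feats["text_chars"] += len(text)
            feats["urls"] += len(URL_RE.findall(text))
            feats["scan_hint"] = feats["scan_hint"] or bool(SCAN_HINT_RE.search(text))
        elif ctype.startswith("image/"):
            feats["inline_images"] += 1
        elif ctype == "application/pdf" or (part.get_filename() or "").lower().endswith(".pdf"):
            feats["pdf_attachments"] += 1
    return feats


def triage(raw: str) -> dict:
    """Flag image-only / PDF-only messages that leave a URL-based filter nothing to inspect."""
    feats = extract_features(raw)
    reasons = []
    if feats["urls"] == 0 and feats["inline_images"] + feats["pdf_attachments"] > 0:
        if feats["text_chars"] < MIN_TEXT_CHARS:
            reasons.append("little or no text alongside image/PDF content")
        if feats["scan_hint"]:
            reasons.append("text instructs recipient to scan with a phone")
    feats["suspicious"] = bool(reasons)
    feats["reasons"] = reasons
    return feats


# Constructed sample: variant one, QR code embedded as an inline image.
QR_INLINE = """\
From: "IT Service Desk" <helpdesk@example.invalid>
To: user@example.invalid
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please scan the QR code below with your mobile phone to keep access.</p><img src="cid:qr1"></body></html>
--b1
Content-Type: image/png
Content-ID: <qr1>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed sample: variant two, QR code inside a PDF attachment.
QR_PDF = """\
From: "Accounts" <accounts@example.invalid>
To: user@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain; charset="utf-8"

See attached.
--b3
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b3--
"""

# Constructed sample: a benign newsletter with readable text, URLs and an image.
BENIGN = """\
From: "Newsletter" <news@example.invalid>
To: user@example.invalid
Subject: October update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Hi all, the October release notes are published at https://example.invalid/notes/october
and the roadmap is at https://example.invalid/roadmap. See you at the town hall.
--b2
Content-Type: image/png
Content-Disposition: attachment; filename="chart.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b2--
"""

if __name__ == "__main__":
    for name, raw in (("inline QR", QR_INLINE), ("PDF QR", QR_PDF), ("benign", BENIGN)):
        print(name, triage(raw))
```

The rule deliberately does not try to decode the QR code itself; that step needs an image decoder and, for the PDF variant, a renderer, and is where a mail gateway would hand the message to a sandbox. The point of the heuristic is that the absence of anything to scan is itself the signal.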

Methods of Evasion Used by the Malicious Actor

The evasion techniques used by different campaigns vary in complexity and sophistication. Some campaigns employ multiple layers of evasion, while others rely on one. The Trellix Advanced Research Center observed several common patterns that these malicious campaigns use to evade detection and analysis, including:

  • The creation of multiple sub-domains corresponding to the targeted entities.
  • Redirection of the Call to Action (CTA) URL: the observed QR codes primarily pointed at a legitimate domain that then redirected to the phishing page.
  • QR code URLs that leverage Cloudflare anti-bot features – this implementation of Cloudflare is provided for free after signing up and threat actors abuse this.
  • Captcha evasion – the URLs can employ another layer of evasion by using a click-captcha mechanism. This makes it difficult for detection engines to scan the URL, as it requires user interaction. The captcha does not have to be a genuine one; it is only a means of evading automated analysis.
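Each item in the list above leaves a trace that a URL sandbox records while following the redirect chain: the chain crosses from a legitimate domain to an unrelated one, the targeted organisation's name appears as a subdomain label under a domain it does not own, and one or more hops are interstitial challenge pages rather than content. The following is an added example (not Trellix code) of a post-processing check over such a recorded chain. The protected brand, the owned-domain list, the sample chains and the challenge-page titles are constructed for the example; "Just a moment..." is the title commonly seen on Cloudflare's challenge page, and the registered-domain helper approximates with the last two labels where a real deployment would consult the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed for the example: brand names we protect and the domains they legitimately own.
PROTECTED_BRANDS = {"contoso-bank"}
OWNED_DOMAINS = {"contoso-bank.example"}
# Titles that indicate an interstitial challenge rather than page content.
# "just a moment" is the commonly seen Cloudflare challenge title; the others are
# constructed click-captcha prompts for this example.
CHALLENGE_TITLES = ("just a moment", "verify you are human", "click to continue")


def registered_domain(host: str) -> str:
    """Approximation: last two labels (assumption; use the Public Suffix List in production)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_chain(hops: list) -> list:
    """hops: ordered list of {url, status, title} dicts recorded while following redirects.

    Returns a list of human-readable findings; an empty list means nothing layered was seen.
    """
    findings = []
    hosts = [(urlparse(h["url"]).hostname or "").lower() for h in hops]
    domains = [registered_domain(host) for host in hosts]

    # Layer 1: the chain hops across registered domains (legitimate redirector -> phishing host).
    distinct = list(dict.fromkeys(domains))
    if len(distinct) > 1:
        findings.append(f"redirect crosses {len(distinct)} registered domains: {' -> '.join(distinct)}")

    # Layer 2: the protected brand appears as a subdomain of a domain the brand does not own.
    for host in dict.fromkeys(hosts):
        reg = registered_domain(host)
        sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
        for brand in PROTECTED_BRANDS:
            if brand in sub and reg not in OWNED_DOMAINS:
                findings.append(f"brand '{brand}' used as subdomain of unrelated domain {reg}")

    # Layer 3: interstitial challenge / captcha pages that stop automated analysis.
    for h, host in zip(hops, hosts):
        title = (h.get("title") or "").lower()
        if any(t in title for t in CHALLENGE_TITLES):
            findings.append(f"interstitial challenge at {host} (HTTP {h['status']}): '{h['title']}'")
    return findings


# Constructed sample: a layered chain of the kind described above.
SAMPLE_CHAIN = [
    {"url": "https://trusted-redirector.example/r?u=next", "status": 302, "title": ""},
    {"url": "https://contoso-bank.login-portal.test/", "status": 403, "title": "Just a moment..."},
    {"url": "https://contoso-bank.login-portal.test/verify", "status": 200, "title": "Click to continue"},
    {"url": "https://contoso-bank.login-portal.test/signin", "status": 200, "title": "Sign in"},
]

# Constructed sample: the brand's own sign-in redirect, which should produce no findings.
BENIGN_CHAIN = [
    {"url": "https://contoso-bank.example/", "status": 302, "title": ""},
    {"url": "https://login.contoso-bank.example/", "status": 200, "title": "Sign in"},
]

if __name__ == "__main__":
    for finding in analyse_chain(SAMPLE_CHAIN):
        print("-", finding)
    print("benign:", analyse_chain(BENIGN_CHAIN))
```

The check is meant to run on sandbox output after the fact rather than inline, because the captcha layer means the sandbox itself may never reach the final page; a chain that ends on a challenge page with the brand in its subdomain is already enough to act on.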

In the equally damaging Fake Chinese subsidy campaign, first tracked in early 2022, the QR code is either embedded in the email body or present in a document attachment. Once the user scans the QR code, they are redirected to a “China UnionPay” credit card phishing site. The attacker uses many evasion techniques while redirecting the user to the phishing site, as a layered defence against detection.

The Fake Chinese subsidy phishing campaign affected mainland China, Republic of Korea, Hong Kong, Japan, the United States, Germany, Switzerland, Australia, Italy, the United Kingdom and Saudi Arabia.

“What is so alarming about this evolution of the well-known phishing message is that it uses an elaborate layer of evasive methods, bypassing most email security products,” Bolzonello says. “Threat actors are evolving their techniques, tactics and procedures, now changing file structures, then adding random JavaScript file names, making detection through URL and network detection more difficult.”

Cybercriminals have undergone a significant shift in recent years. Data and information are becoming more lucrative than ever, and hacking groups have transformed into corporations with employees.

They are much more organised, well-resourced, and often with state access, and organisations must likewise seek innovation in their cybersecurity tools.

Through the expansive and integrative Trellix Advanced Research Center, organisations receive actionable insights for a highly responsive security strategy in real time.

A powerful intelligence asset, Trellix XDR is designed based on the native and open Trellix system architecture, allowing it to integrate with third-party data sources.

Rather than relying on a single data source, XDR analyses data from 650 security tools, empowering organisations with enhanced visibility and control.
