I knew it was inevitable. It has finally happened. I’ve spotted two phish using QR codes in the wild. Why is this worse than phish using normal links? Because for people trying to protect an enterprise environment, a link that is essentially only usable on a mobile device not connected to the enterprise network means we cannot prevent our users from “clicking the link” on their cell phones.
Yes, with a regular email, if they click a link and get blocked they can forward the email to their personal email address and get around our filters. But at least then, we’d be aware they sent the email to an external address. In addition, many email security products rewrite URLs so initial clicks go to the security vendor, which then decides whether or not to redirect the click to the final destination. With QR codes, all a user has to do is point their cell phone at their computer screen and the malicious URL is visited virtually automatically, and we have no idea they did it.
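As an added illustration of how a mail gateway can close that gap (example code, not from the original post or any product it mentions): a triage hook that walks the message's image parts, hands each one to a QR decoder, and pushes any decoded URL through the same click-tracking rewrite that ordinary links get, so a scanned code is logged and filtered like a click. The decoder is injected as a callable because the example assumes no particular library (pyzbar or OpenCV would do in production); the rewrite endpoint, the sample message and the stub decoder are constructed placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Callable, Iterable
from urllib.parse import quote

# Assumed interface: takes raw image bytes, returns decoded QR payload strings.
# In production wrap pyzbar.decode() or cv2.QRCodeDetector().detectAndDecode().
QrDecoder = Callable[[bytes], Iterable[str]]

# Hypothetical click-tracking endpoint standing in for the vendor's URL rewriter.
REWRITE_PREFIX = "https://safelinks.example.invalid/?u="
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_qr_urls(raw_message: bytes, decoder: QrDecoder) -> list[str]:
    """Decode QR codes in every image part and return payloads that are URLs."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue  # text/html links are already handled by the link rewriter
        image_bytes = part.get_payload(decode=True) or b""
        for payload in decoder(image_bytes):
            found.extend(URL_RE.findall(payload))
    return found


def rewrite_url(url: str) -> str:
    """Apply the same click-tracking rewrite that text links receive."""
    return REWRITE_PREFIX + quote(url, safe="")


def triage(raw_message: bytes, decoder: QrDecoder) -> dict:
    """Put QR-borne URLs on the same footing as link URLs: rewrite and quarantine."""
    urls = extract_qr_urls(raw_message, decoder)
    return {
        "qr_urls": urls,
        "rewritten": [rewrite_url(u) for u in urls],
        "verdict": "quarantine" if urls else "clean",
    }


def build_sample() -> bytes:
    """Constructed message mimicking an 'MFA upgrade' lure with an image attachment."""
    m = EmailMessage()
    m["Subject"] = "Action required: MFA upgrade"
    m.set_content("Your MFA enrollment expires today. Scan the code to upgrade.")
    m.add_attachment(b"\x89PNG fake image bytes", maintype="image",
                     subtype="png", filename="mfa.png")
    return m.as_bytes()


def stub_decoder(data: bytes) -> list[str]:
    """Constructed stand-in: 'decodes' a QR code from any PNG-looking payload."""
    return ["https://login-verify.example.invalid/mfa"] if data.startswith(b"\x89PNG") else []


if __name__ == "__main__":
    print(triage(build_sample(), stub_decoder))
```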
Note: I’ve munged the codes in these screenshots so no one will accidentally be sent to the malicious URLs.
The first one encountered looks like an MFA upgrade prompt from Microsoft. It’s not horribly convincing but could catch some unwary users.
The second one encountered is much more convincing, claiming to send needed files. An interesting addition is the “OneNote” logo in the center of the QR code.
–Matt