
New phishing campaign bypasses security controls by abusing QR codes to redirect victims


Researchers from Cofense observed a new phishing campaign that abuses QR codes to redirect users to phishing pages, bypassing security controls that block suspicious or blacklisted domains.

How does it work?

  • The phishing emails are disguised as a SharePoint email with a document.
  • The emails have a subject line similar to ‘Review Important Document’ and the message prompts users to ‘Scan Bar code to view the document’.
  • The emails also include a GIF image containing the QR code, which redirects users to a fake SharePoint page at hxxps://digitizeyourart.whitmers[.]com/wp-content/plugins/wp-college/Sharepoint/sharepoint/index.php.
  • The phishing SharePoint page urges users to log in to view the document.
  • Upon login, users are removed from the security of their computers, allowing attackers to scan the QR code and evade security controls such as protection services, secure email gateways, sandboxes, or web content filters.
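
A mail-triage heuristic for the pattern described above, as an added example (not code from Cofense or the original article): it flags messages that ask the reader to scan a code, carry an image, and contain no clickable link, so they can be routed to QR decoding or manual review. The function name `triage`, the phrase variants other than 'Scan Bar code', and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# 'Scan Bar code' is the campaign's wording; the QR variants are assumed.
SCAN_PROMPT = re.compile(r"scan\s+(the\s+)?(bar\s*code|qr(\s*code)?)", re.I)
URL = re.compile(r"https?://", re.I)

# Constructed sample: HTML body with an inline GIF (placeholder bytes) and no link.
SAMPLE = """\
From: sharepoint@example.com
To: user@example.org
Subject: Review Important Document
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Scan Bar code to view the document</p><img src="cid:qr">
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <qr>

R0lGODlh
--b1--
"""

def triage(raw: str) -> dict:
    """Return the signals found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw)
    text, images = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images.append(ctype)
        elif ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text)
    signals = {
        "scan_prompt": bool(SCAN_PROMPT.search(body)),
        "has_image": bool(images),
        "no_links": not URL.search(body),
    }
    # All three together: the destination exists only inside the image,
    # so URL-based filtering has nothing to inspect in the message text.
    signals["needs_qr_review"] = all(signals.values())
    return signals
```

Messages flagged with `needs_qr_review` are candidates for decoding the image and checking the embedded URL against the same blocklists applied to ordinary links.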

Worth noting

Researchers noted that most smartphone QR code scanner apps instantly redirect users to the malicious website via the phone’s native browser.

“Though the user may now be using their personal device to access the phish, they are still in the ‘corporate’ mindset as the original email was received at their business email address. Therefore, it is highly likely that the victim would input their corporate account credentials to attempt to access this document,” researchers said in a blog.
