Cybercriminals have advanced their phishing strategies by embedding malicious QR codes in PDF attachments, according to Barracuda's latest Threat Spotlight. This evolution allows them to bypass traditional detection methods, making it increasingly challenging for organisations to protect sensitive information.
Over a three-month analysis from June to September 2024, Barracuda researchers identified over 500,000 phishing emails employing this tactic. Unlike previous methods where QR codes were directly included in emails, attackers now hide them within seemingly benign PDF documents. This shift complicates detection and prevention efforts for organisations.
Known as "quishing," this form of social engineering exploits the convenience of QR codes. Victims are tricked into scanning the codes with their mobile devices, which then redirect them to malicious websites designed to harvest sensitive data, such as login credentials and financial information. The PDFs often leverage brand impersonation and a sense of urgency to encourage victims to act quickly.
Notably, 51% of these phishing attempts impersonated Microsoft, including its services like SharePoint and OneDrive, while DocuSign and Adobe were misrepresented in 31% and 15% of cases, respectively.
The structure of these attacks typically includes simple, one- or two-page PDFs with a QR code and no additional links or embedded files. Attackers prompt users to scan the code to access files or sign documents, but the scan leads them to phishing sites.
These quishing attacks present unique challenges for businesses. Traditional email filters can struggle to detect them due to the absence of suspicious links or attachments. Moreover, the multi-device nature of these attacks complicates tracking; employees may receive phishing emails on one device while scanning the QR code with a less secure personal mobile device.
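The attachment profile described above (one or two pages, an image, no links or embedded files) can be used as a triage signal that routes a PDF to deeper image inspection such as QR decoding. The sketch below is an added example, not Barracuda's detection logic; the function name, the `review` flag and the sample byte strings are constructed for illustration, and it assumes the PDF's object dictionaries are stored uncompressed.

```python
import re

# Markers matched on raw bytes. Assumption: object dictionaries are stored
# uncompressed; PDFs that pack them into object streams need a real parser.
PAGE = re.compile(rb"/Type\s*/Page\b")      # \b excludes /Pages tree nodes
IMAGE = re.compile(rb"/Subtype\s*/Image\b")
LINK = re.compile(rb"/URI\b")               # link annotations / URI actions
EMBED = re.compile(rb"/EmbeddedFile\b")     # attached files

def triage_pdf(data: bytes, max_pages: int = 2) -> dict:
    """Count structural features and flag the short, image-only, link-free profile."""
    counts = {
        "pages": len(PAGE.findall(data)),
        "images": len(IMAGE.findall(data)),
        "links": len(LINK.findall(data)),
        "embedded_files": len(EMBED.findall(data)),
    }
    # "review" means: nothing here for a URL scanner to see, so inspect the image.
    counts["review"] = (
        1 <= counts["pages"] <= max_pages
        and counts["images"] >= 1
        and counts["links"] == 0
        and counts["embedded_files"] == 0
    )
    return counts

# Constructed sample fragments (hypothetical, not real phishing documents).
_HEAD = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n")
_PAGE = b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
_IMG = b"4 0 obj\n<< /Type /XObject /Subtype /Image /Width 200 /Height 200 >>\nendobj\n"
_URI = b"5 0 obj\n<< /Subtype /Link /A << /S /URI /URI (https://example.com/) >> >>\nendobj\n"

SAMPLE_QR_ONLY = _HEAD + _PAGE + _IMG + b"%%EOF\n"
SAMPLE_WITH_LINK = _HEAD + _PAGE + _IMG + _URI + b"%%EOF\n"
SAMPLE_LONG_REPORT = _HEAD + _PAGE * 6 + _IMG + b"%%EOF\n"

if __name__ == "__main__":
    for name in ("SAMPLE_QR_ONLY", "SAMPLE_WITH_LINK", "SAMPLE_LONG_REPORT"):
        print(name, triage_pdf(globals()[name]))
```

A flagged file is only a candidate: single-page scanned documents match the same profile, so the flag should trigger image rendering and QR decoding rather than a block.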
Kyle Blanker, Barracuda's manager of Software Engineering, noted, “Traditional email threat scanners can miss phishing content and malicious payloads if they are embedded within PDFs, which makes this an attractive tactic for attackers trying to evade detection.” He further emphasised that phishing remains a low-cost, high-reward attack vector, prompting attackers to innovate continuously.
Adam Khan, VP of Global Security Operations at Barracuda, added that organisations must implement multilayered email security. He urged, “Educating users about the risks of scanning QR codes from unknown or questionable sources is essential.” Regular updates to spam filters and enabling multi-factor authentication can significantly bolster defences against these evolving threats.