Quishing – The dangerous QR codes of the scammers

M.Sc. Chris Wojzechowski

The corona pandemic is a veritable goldmine for scammers and phishers: testing centers e-mail test results and registration requests, vaccination appointments are confirmed online, and follow-up questionnaires are filled out online. A new scam has developed here – Quishing, phishing via QR codes. Why did this method emerge and how popular is it?

How does Quishing work?

Quishing uses a QR code that contains a malicious link. This link can additionally be obfuscated with a URL shortener, so that even someone who previews the decoded URL cannot see the real destination. The methods of disguise are no different from classic phishing via e-mail. In contrast to e-mail phishing, however, the QR code is usually printed, because sending a QR code by e-mail or to cell phones is not particularly plausible.

This results in a major disadvantage of quishing compared to phishing: the number of potential victims is significantly smaller. If you weigh the effort of printing and distributing the codes against the number of people reached, phishing beats quishing by a long way.

This does not stop criminals from incurring these expenses, however. In the USA (Texas), tampered QR codes were discovered on parking pay stations. The embedded link led to a payment page that is not from an official source. It is not clear from the official statement whether an existing QR code was pasted over or whether the criminals faked the payment functionality from scratch.

We have become accustomed to QR codes

The digital vaccination record, contact tracing, check-ins – QR codes have entered our lives more visibly than ever as a result of the corona pandemic. Depending on the corona restrictions in force at the time, having to register to visit a restaurant was no longer unusual. Even now, when registration is no longer required to visit a restaurant, most people are used to QR codes and to how they work.

If the QR code is placed in a plausible location and in a logical context, it looks legitimate and more trustworthy than an e-mail. These advantages are the reason why fraudsters have taken up quishing. A smaller number of victims can be expected, but the amount of damage is unpredictable and depends on the context.

The protection against quishing

A core element in the protection against quishing is the QR code scanner used. Many apps display a preview of the embedded link before opening it:

  • Apple has implemented a QR code scanner with a link preview out of the box.
  • For Android devices there are several approaches. Depending on the phone brand, a code scanner may need to be downloaded manually from the Play Store.

We strongly recommend that you pay attention to the preview function when choosing a QR code scanner. Since quishing differs from phishing mainly in the communication medium but has the same goal, awareness of it can be measured and trained with the same methods, for example by running a phishing simulation. It is conceivable here that codes are distributed as flyers in the company under investigation, or placed in meeting rooms or other plausible locations.
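The preview a scanner shows is only useful if the reader knows what to look for in the decoded link. The following added example (it is not code from AWARE7 or from the paper cited below) implements that check in Python as a small triage routine over the text a scanner has already decoded: it flags non-web payloads, plain http, user-info tricks in front of the real host, known public URL shorteners, punycode hosts, raw IP addresses, and, where the context tells you which operator to expect (the parking case above), any host that does not belong to that operator. All sample payloads and the `parking.example` hosts are constructed for the example; the shortener list is a small, deliberately incomplete starting point.

```python
import ipaddress
from urllib.parse import urlsplit

# Public URL-shortener hosts. Non-exhaustive: extend for your own environment.
SHORTENER_HOSTS = {
    "bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy",
}


def triage_qr_payload(payload, expected_hosts=()):
    """Classify the text decoded from a QR code.

    Returns (verdict, reasons) with verdict in {"ok", "warn", "block"}.
    expected_hosts: domains the physical context leads you to expect,
    e.g. the parking operator's domain printed on the pay station.
    """
    reasons = []
    text = payload.strip()

    # Not a web link at all (WIFI:, tel:, mailto:, ...): show the raw content,
    # never act on it automatically.
    if not text.lower().startswith(("http://", "https://")):
        kind = text.split(":", 1)[0] if ":" in text else "unknown"
        return "warn", [f"non-web payload ({kind})"]

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()

    if not host:
        return "block", ["URL without a host"]
    if parts.scheme != "https":
        reasons.append("plain http, no transport protection")
    if parts.username is not None:
        # "https://trusted.example@evil.example/" is served by evil.example
        reasons.append(f"user-info before the host; real host is {host!r}")
    if host in SHORTENER_HOSTS:
        reasons.append(f"URL shortener {host} hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode/IDN host, possible look-alike domain")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    # Context check: a pay-station code should point at the operator, nothing else.
    if expected_hosts:
        allowed = any(host == e or host.endswith("." + e) for e in expected_hosts)
        if not allowed:
            reasons.append(f"host {host!r} is not one of {sorted(expected_hosts)}")
            return "block", reasons

    return ("warn" if reasons else "ok"), reasons


# Constructed sample payloads, as a scanner would decode them.
SAMPLES = [
    ("https://pay.parking.example/meter/1042", ("parking.example",)),
    ("https://bit.ly/3abcXYZ", ()),
    ("http://parking.example@198.51.100.7/pay", ("parking.example",)),
    ("WIFI:T:WPA;S:guest;P:secret;;", ()),
]

if __name__ == "__main__":
    for payload, expected in SAMPLES:
        verdict, reasons = triage_qr_payload(payload, expected)
        print(f"{verdict:5s} {payload}")
        for r in reasons:
            print(f"      - {r}")
```

The `expected_hosts` parameter is the part a generic scanner cannot supply: it encodes the physical context (which operator's sticker you are looking at), which is exactly what the Texas pay-station case turned on. In an awareness training this is the question to teach people to ask before tapping the preview.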

The researchers Sharevski et al. from DePaul University in the USA have published an interesting paper on this subject, "Gone Quishing: A Field Study of Phishing with Malicious QR Codes". It can be viewed free of charge on arXiv.

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I completed my Master's in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV), and I possess the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration tests. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.