As highlighted in the ASD’s recent Annual Cyber Threat Report 2023-2024, cybercriminals continue to exploit a variety of techniques to steal personal information or deploy harmful software. Some of the prevalent methods currently being used include credential stuffing, password spraying, Artificial Intelligence (AI) exploitation, session hijacking, and Quishing (QR code phishing).
Quishing is a type of phishing attack where cybercriminals deceive individuals into providing personal information or downloading malware onto their devices after scanning a malicious QR code.
The widespread adoption of QR codes has made them a convenient tool for accessing information, whether ordering from a menu at a café, viewing exhibits in a museum, or paying for parking. However, the growing trust in QR codes has created opportunities for cybercriminals to exploit this technology.
By embedding malicious URLs into QR codes, attackers can direct users to harmful websites or prompt them to download malware capable of monitoring activity, stealing sensitive data, or compromising their devices. In FY2023–24, the ASD responded to 30 quishing-related incidents targeting Australian organisations, underscoring how social engineering continues to evolve.
As QR codes are images, quishing presents additional security challenges beyond those of text-based phishing. These include:
- Some email security tools have limited ability to detect and block malicious links embedded in images.
- The link is hidden inside the image, so you cannot inspect it for legitimacy before scanning the QR code.
Quishing poses a distinct security challenge for enterprise and business environments. When users receive quishing emails at their work email addresses, they may scan malicious QR codes using personal devices that are outside the organisation’s cyber security controls and monitoring systems. This lack of oversight makes it harder to prevent, detect, and track potential compromises.
- Think before you scan: Check the Australian Government’s Scamwatch website for advice on QR code scams.
- Manually navigate to payment sites: Use trusted URLs instead of scanning QR codes for online payments.
- Strengthen email security: Consult your email security provider about solutions to address image-based threats.
- Avoid app or file downloads via QR codes: Download apps only from trusted app stores or websites.
- Keep devices updated: Regularly install software updates and security patches on personal and work devices.
- Verify suspicious emails: Encourage employees to confirm the legitimacy of emails and report anything suspicious to IT security teams.
- Limit QR code interactions: Update organisational policies to discourage engaging with QR codes in emails.
- Secure your own QR codes: Use a reliable QR code generator to prevent misuse of your brand’s QR codes.
- Learn to spot scams: Familiarise yourself with scam indicators and social engineering tactics.
- Spread awareness: Educate family, friends, and colleagues about the risks associated with QR codes and how to use them safely.
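Because the destination is hidden until the code is decoded, a practical control is to inspect the decoded payload before anyone follows it. The example below is added here and is not from NSB Cyber or the ASD report; it assumes a QR scanner or mail gateway has already decoded the image to a string, and uses a constructed allowlist (`example-bank.com.au`) and a short constructed list of URL shorteners.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the organisation's own allowlist of payment/login domains
TRUSTED_HOSTS = {"example-bank.com.au"}
# Assumption: a short illustrative list of link shorteners
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample payloads, as a scanner app would return them after decoding
SAMPLE_PAYLOADS = [
    "https://www.example-bank.com.au/login",                   # legitimate
    "https://example-bank.com.au.login-verify.xyz/session",    # brand name as a lure
    "http://203.0.113.7/pay",                                  # bare IP, no TLS
    "https://xn--exmple-bank-cua.com/login",                   # punycode look-alike
    "https://bit.ly/3abcxyz",                                  # destination hidden again
    "WIFI:T:WPA;S:FreeAirportWiFi;P:password123;;",            # not a web link at all
]

def is_trusted_host(host, trusted=TRUSTED_HOSTS):
    """True only if host equals, or is a proper subdomain of, a trusted domain."""
    return any(host == t or host.endswith("." + t) for t in trusted)

def assess_payload(payload, trusted=TRUSTED_HOSTS):
    """Return a list of risk indicators for a decoded QR payload (empty = none found)."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # WIFI:, tel:, mailto:, javascript: etc. never lead to a plain web page
        findings.append(f"non-web scheme: {scheme or 'none'}")
        return findings
    if scheme == "http":
        findings.append("unencrypted http")
    host = (parts.hostname or "").lower()
    if parts.username or parts.password:
        findings.append("credentials embedded before host")
    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of a domain")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("punycode (IDN) host, possible look-alike domain")
    if host in SHORTENERS:
        findings.append("URL shortener hides the final destination")
    if not is_trusted_host(host, trusted):
        # A trusted brand name buried inside an untrusted host is a classic lure
        if any(t.split(".")[0] in host for t in trusted):
            findings.append("trusted brand name inside untrusted host")
        else:
            findings.append("host not on the trusted allowlist")
    return findings

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(p, "->", assess_payload(p) or ["no indicators"])
```

Only the allowlisted bank URL comes back clean; every other sample produces at least one indicator that should send the email to the IT security team rather than to a phone camera.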
QR codes are a convenient way for businesses to share information and for people to access it. However, next time you encounter a QR code, pause and think before you scan - it could protect you from a cyber threat!
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' - Russian state-sponsored hackers, identified as APT28 (also known as Fancy Bear), executed a sophisticated cyberattack on a United States company by exploiting its enterprise Wi-Fi network from a remote location. Initially, the attackers compromised an organisation in a neighbouring building within Wi-Fi range of the target, using it as a relay point to access the victim's network. They obtained Wi-Fi credentials through password-spraying attacks but were initially thwarted by multi-factor authentication (MFA) protections. To circumvent this, they leveraged the compromised neighbouring network to connect to the target's Wi-Fi, which did not require MFA for local connections. This novel "nearest neighbour attack" underscores the need for organisations to implement robust Wi-Fi security measures, including limiting signal range and enforcing MFA for all connections.
- Firefox and Windows Zero-Days Exploited by Russian RomCom Hackers - The Russian-based RomCom cybercrime group has been exploiting two zero-day vulnerabilities to target Firefox and Tor Browser users in Europe and North America. The first vulnerability, CVE-2024-9680, is a use-after-free bug in Firefox's animation timeline feature, allowing code execution within the browser's sandbox; Mozilla patched this flaw on October 9, 2024. The second, CVE-2024-49039, is a privilege escalation flaw in the Windows Task Scheduler service, enabling attackers to execute code outside the Firefox sandbox; Microsoft addressed this vulnerability on November 12, 2024. RomCom combined these vulnerabilities to achieve remote code execution without user interaction, requiring only that targets visit a maliciously crafted website. Notably, the attackers also focused on Tor Browser users, specifically versions 12 and 13.
- New VPN Attack Demonstrated Against Palo Alto Networks, SonicWall Products - Researchers at AmberWolf have unveiled a new attack method targeting corporate VPN clients, exploiting the trust relationship between VPN clients and servers. They developed an open-source tool, NachoVPN, to demonstrate this attack against VPNs from Palo Alto Networks, SonicWall, Cisco, and Ivanti. The attack involves tricking users into connecting to a rogue VPN server, which can then exploit vulnerabilities in the VPN client to achieve remote code execution and privilege escalation. Specifically, in Palo Alto Networks' GlobalProtect VPN client, the attack targets the automatic update mechanism to install a malicious root certificate. Palo Alto Networks has addressed this issue, tracked as CVE-2024-5921, by releasing patches on November 26, 2024.
- Matrix Botnet Exploits IoT Devices in Widespread DDoS Botnet Campaign - The Matrix botnet is conducting a widespread distributed denial-of-service (DDoS) campaign by exploiting vulnerabilities and misconfigurations in Internet of Things (IoT) devices, including IP cameras, routers, and telecom equipment. The threat actor, believed to be a lone Russian individual, utilises publicly available scripts and tools to compromise devices, deploying malware such as the Mirai botnet. The attacks primarily target IP addresses in China, Japan, and the United States. The operation is also advertised as a DDoS-for-hire service via a Telegram bot named "Kraken Autobuy," offering various attack tiers for cryptocurrency payments. This campaign underscores the importance of securing IoT devices by changing default credentials, securing administrative protocols, and applying timely firmware updates to prevent such opportunistic attacks.
- Microsoft Disrupts ONNX Phishing Service, Names Its Operator - Microsoft has disrupted the ONNX phishing service, seizing 240 associated domains and publicly identifying its operator, Egyptian national Abanoub Nady, also known as MRxC0DER. Nady has been linked to the development and sale of several phishing-as-a-service platforms, including ONNX, Caffeine, and FUHRER, offering phishing kits starting at $150 per month. These services enabled large-scale phishing campaigns, facilitating credential theft and adversary-in-the-middle attacks capable of bypassing multi-factor authentication. The takedown was achieved through a civil court order in the Eastern District of Virginia, with support from the Linux Foundation, which owns the ONNX name and logo for its Open Neural Network Exchange.