Phishing merchants have released a deluge of image-based junk emails that embed QR codes in their bodies to successfully evade security measures and provide a level of customization to more easily fool recipients, researchers said.
In many cases, the emails come from a compromised email address within the recipient’s organization, a tactic that creates a false sense of authenticity, according to researchers from security firm Inky. The emails that Inky detected instruct the employee to fix security issues, such as a missing two-factor authentication enrollment or to change a password, and warn of the consequences that could result if the recipient fails to do so. do. Those who take the bait and click the QR code are taken to a site that pretends to be a legitimate site used by the company, but captures passwords and sends them to the attackers.
Inky described the campaign’s approach as “spray and pray” because the threat actors behind it send the emails to as many people as possible to generate results.
There are a few things that make this campaign stand out. First, the emails contain no text. Instead, they just have an attached image file. This allows the emails to escape attention due to security measures that analyze the text-based words sent in an email. Some email programs and services automatically display attached images directly in the body, while some offer no way to suppress them. Recipients often do not notice that the image-based email contains no text.
Another distinguishing feature: the images contain a QR code that leads to the credential collection site. This can shorten the time it takes to visit the site and reduce the chances of the employee realizing something is wrong. The QR codes also cause the loaded website to pre-populate the recipient’s unique email address in the username field. This adds another false sense of assurance that the email and site are legitimate.
In an article published Friday, the Inky researchers wrote:
It is important to note that these three QR code phishing emails were not sent to just a handful of INKY customers. They were part of a “spray and pray” approach. Phishers send their emails to as many people as possible (spray) and hope (pray) that a vast majority of recipients will fall for the trick. In this case, multiple industries were attacked. Of the 545 emails listed so far, the intended victims were in the US and Australia. They include non-profit organizations, multiple asset managers, management consultants, a surveyor, flooring company and more.
It’s long been possible—not to mention good practice—for privacy-conscious folks to configure email settings to block the loading of remotely saved images. Scammers and snoops use remote images to determine if a message they sent has been opened since the recipient’s device connects to a server hosting the image. Gmail and Thunderbird don’t display attached images in the body, but Inky said other clients or services do. People using such clients or services should disable this feature if possible.
Unfortunately, it’s more problematic to block images embedded in an email. I couldn’t find a setting in Gmail to suppress the loading of embedded images. Thunderbird prevents embedded images from being displayed, but it requires reading the full plaintext mode of the message. That, in turn, breaks useful formatting.
All this leaves users with the same countermeasures that have failed them for decades now. They contain:
- Seek confirmation that a message is legitimate by contacting the sender through out-of-band means, i.e. through a channel other than email
- Take extra care when inspecting the sender’s address to make sure the email is coming from where it claims
- Click on the body of an email and see if the text can be copied and pasted. If there are no text-based words, be extra suspicious.
It’s easy for people to dismiss phishing attacks as artless and perpetuate the myth that only unwary people fall for them. In fact, studies and anecdotal evidence suggest that phishing is one of the most effective and cost-effective ways to conduct network intrusions. With 3.4 billion spam emails being sent every day, according to AGG IT Services, and one in four people reporting having clicked on a phishing email at work, Tessian says people underestimate the cost of phishing at your own risk.