New defense tools from Abnormal Security defend against seemingly harmless QR codes

The innocuous black-and-white Quick Response (QR) codes pervasive across retailers, airports, bars, hotels (and more) are the threat surfaces no one talks about. But attackers see them as the perfect Trojan Horse for hijacking phones and stealing digital identities. 

Threat actors are cashing in on people’s trust by creating and distributing QR codes that deliver malware, attempt account takeovers and unleash phishing attempts to steal identities. Combining social engineering with QR codes that can be created in a second, attackers are able to open victims’ bank accounts and drain them dry, install malware, penetrate entire corporate networks and more.  

Abnormal Security, a leading provider of AI-native cloud email security platforms, hopes to break that cycle with a launch today of enhanced capabilities that detect QR codes in emails.

“As threat actors continue to innovate, QR code attacks are on the rise, partly because they tend to work better than more traditional attack types,” said Mike Britton, CISO at Abnormal Security. “They can be difficult to detect because, unlike traditional email attacks, there’s minimal text content and no obvious URL. This significantly reduces the number of signals available for traditional security tools to analyze.”

Trust and convenience make QR codes an easy target

QR codes’ popularity continues to soar as the pandemic spurred their rapid growth and new uses emerge that further drive adoption and trust. Instagram, Facebook, X (the platform known previously as Twitter) and many other social media platforms have offered users the option of creating their own QR codes to share their profiles with friends. Combining that convenience and trust is a winning combination for social media platform providers, leading to more traffic and greater ad revenue.

A sure sign of how dominant QR codes have become is their emergence on the dark web and Telegram channels, where hackers offer instructional videos on launching attacks with them. Criminal gangs offering ransomware-as-a-service on the dark web mention QR code hijacking to get the fastest clicks, suggesting that attackers embed them in emails and on hijacked websites. 

Attackers are quick to capitalize on that trust. More than three-quarters (83%) of consumers have used QR codes on their phones to make bill payments and 80% of QR code users in the U.S. believe that they are safe. Another 64% say that using QR codes is more convenient for the many touchless transactions they do every day, a practice that largely started during the pandemic. Ivanti found that 71% of users can’t distinguish between a legitimate or malicious QR code and 17% have been redirected to suspicious sites they didn’t intend to visit.

Only scan QR codes from a known source

Proving how powerful trust is as an accelerator, QR code use is projected to increase by 43.2% between 2022 and this year. In 2023, approximately 331.4 million QR codes are expected to be redeemed. Every month, 40,000 new QR codes are created on average. Their convenience and familiarity make QR codes appear harmless, but attackers are becoming more creative in fine-tuning their tradecraft to make the most of this fast-growing attack vector.

“QR codes should only be scanned if they are from a trusted source,” writes Chris Goettl, VP of product management at Ivanti. “Hackers can easily substitute legitimate QR codes with malicious ones. Because they aren’t human readable, cybercriminals can exploit them by generating their own QR codes with embedded malicious software.”

Goettl cautioned that, “they can also direct users to phishing sites without being detected. Simply put, hackers can use QR codes to illicitly obtain information, hijack accounts and steal identities and data.”

QR Codes are the primary attack vector in 17% of all advanced attacks

Abnormal Security recently found that QR codes are the primary attack vector in 17% of all advanced attacks targeting customer environments. Abnormal is seeing a rise in CR code-based attacks aimed at credential phishing, extortion and invoice payment fraud attacks. QR code-based attacks have increased 400% in the past year as attackers expand their tradecraft to capitalize on widespread trust.

A more troubling trend is also emerging: Attackers are crafting emails to deliver malicious QR codes, linking to apparently legitimate websites (including Google or Microsoft), then prompting users to enter their login, password and privileged access credential information. 

Abnormal also notes a significant rise in phishing emails that impersonate trusted entities — including banks, delivery services and government agencies — using social engineering techniques to lure victims into scanning QR codes. Once victims scan, they are redirected to malicious websites that steal their credentials or infect their devices with malware^. Attackers are focused on harvesting as many identities and privileged access credentials to banks, financial institutions and confidential corporate networks for those working in an enterprise. 

Protecting against QR code attacks takes a multilayer strategy 

CISOs tell VentureBeat that QR codes have proven to be such a threat that it’s necessary to take a multi-layered approach to protect against them. Combining unified endpoint management (UEM) and AI-based platforms that can identify typical email patterns to establish a baseline of normal behavior, CISOs are building multiple barriers to prevent the onslaught of QR code-based intrusion attacks. 

Abnormal Security’s new capabilities can parse corresponding links, targeting the attack path most often used to deliver malicious codes into an enterprise. The AI platform takes signals extracted from parsing and combines them with Abnormal’s behavioral analysis across the broader email environment, strengthening an enterprise’s ability to detect and block malicious activity. 

Abnormal’s approach is noteworthy because their AI-driven platform builds an adaptable model of each user’s typical email patterns to establish a baseline of normal behavior. This allows it to detect anomalies in emails containing QR codes, including unfamiliar sender addresses or unusual formatting. Abnormal Security also analyzes QR codes, extracting signals from the format, embedded URL links and hosting domains.

Unified Endpoint Management is table stakes

CISOs tell VentureBeat that UEM is table stakes for containing QR code risks and attack strategies with comparable tradecrafts. IBM, Ivanti and VMWare are the most-mentioned UEM providers by CISOs who acknowledge that QR code attacks are on their radar, and they’re using endpoint management to counter the risks.

Ivanti is noteworthy for its approach of combining UEM with passwordless multi-factor authentication (Zero Sign-On) and mobile threat defense (MTD). VentureBeat has learned that its customers can validate security to the device level, establish user context, verify the network and detect and remediate threats to ensure that only authorized users, devices, apps and services can access business resources.

Stopping QR code attacks where they happen is the goal

The CISO of an insurance and financial services firm recently told VentureBeat that QR code risks to their infrastructure are everywhere, which is why having a UEM strategy is essential. She said that scans happen when employees travel, attend meetings in customer and supplier offices and when they commute. In-the-wild attacks make UEM critical to shutting down a QR code attack. 

Abnormal Security’s new capabilities further strengthen CISOs’ defenses against QR code attacks. Shutting down email attack strategies helps protect one threat surface, while UEM helps provide layered protection against a QR code on any device. With digital identities being best-sellers on the dark web, CISOs know QR codes are a real threat they must contain.