Sophos X-Ops investigated a rising threat called “quishing” (QR-code phishing), in which QR codes embedded in PDF email attachments send mobile users to phishing sites that capture credentials and MFA tokens. The campaigns have grown steadily more sophisticated, leveraging compromised legitimate accounts, branded visuals, and redirection tricks to get past defenses. #Quishing #ONNXStore
Keypoints
- Quishing blends QR codes with phishing techniques to deceive victims.
- Emails come with PDF attachments containing QR codes that lead to phishing sites.
- Phishing pages are designed to capture login credentials and MFA tokens.
- Quishing attacks have grown in volume and sophistication over time.
- Attackers have used compromised legitimate email accounts to send spearphishing emails.
- QR codes bypass many traditional security measures because the code is scanned and opened on a mobile device: the link is never clicked inside the corporate mail client, so email URL rewriting, proxy filtering and managed-endpoint controls often never see it.
- Recommendations include advanced email filtering and employee training to mitigate risk.
MITRE Techniques
- [T1566] Phishing – Spearphishing emails with PDF attachments containing QR codes (attachment-based phishing, sub-technique T1566.001). ‘Sending emails with malicious attachments (PDFs containing QR codes).’
- [T1003] Credential Dumping – Mapped by the source to capturing login credentials and MFA tokens through phishing pages. Note that T1003 (OS Credential Dumping) covers extracting credential material from a compromised host; a phishing page harvesting what the victim types is more precisely T1056.003 (Input Capture: Web Portal Capture). ‘Capturing login credentials and MFA tokens through phishing pages.’
- [T1557] Adversary-in-the-Middle – Phishing pages proxying the real login flow so that the entered credentials and the MFA token or resulting session are intercepted. ‘Using phishing pages to intercept user credentials and MFA tokens.’
Indicators of Compromise
- [URL] Google redirect – a specially formatted link on google.com that redirects to the phishing site. The indicator is the crafted redirect URL, not google.com itself; the trusted domain is what lets the link pass reputation checks, so detection must resolve the final destination rather than the visible host.
- [File] PDF attachments – PDF documents containing QR codes used as the initial attack vector; the report notes two further QR-code PDFs observed in related campaigns.
- [Subject] Email subjects – examples include ‘Remittance Arrived’ and ‘Employment benefits proprietary information and/or retirements plan attached’ reflecting social-engineering themes.
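The Google-redirect indicator above is only useful if a QR-decoded URL is unwrapped to its real landing page before it is judged. The following Python is an added example written for this page, not Sophos X-Ops tooling and not code from the report: it follows known redirector query parameters offline (no network fetch) and compares the final hostname against an allowlist of the organization's own domains. The `google.com/url?q=` / `url=` redirector form, the `example-corp.com` allowlist and every sample URL are assumptions constructed for the example; the report only says a "cleverly formatted Google link" was used.

```python
"""Unwrap QR-decoded URLs through known redirectors and flag off-domain landing pages.

Added example for this page; not Sophos X-Ops code. Redirector formats and
sample URLs below are constructed assumptions, not indicators from the report.
"""
from urllib.parse import urlparse, parse_qs

# Redirector hosts and the query parameters that carry the real destination.
# The google.com/url?q= form is an assumption of this example.
REDIRECTORS = {
    "www.google.com": ("q", "url"),
    "google.com": ("q", "url"),
}

MAX_HOPS = 5  # stop chained redirects from looping forever


def unwrap_redirect(url, max_hops=MAX_HOPS):
    """Follow redirector parameters without touching the network.

    Returns (final_url, hops) where hops lists every redirector URL traversed.
    """
    hops = []
    current = url
    for _ in range(max_hops):
        parsed = urlparse(current)
        params = REDIRECTORS.get((parsed.hostname or "").lower())
        if not params or not parsed.path.startswith("/url"):
            break
        query = parse_qs(parsed.query)  # percent-decodes the destination for us
        nxt = next((query[p][0] for p in params if p in query), None)
        if nxt is None:
            break
        hops.append(current)
        current = nxt
    return current, hops


def classify_qr_url(url, trusted_domains):
    """Classify one QR-decoded URL by its final landing host.

    Uses .hostname (not .netloc) so that 'https://trusted@evil.test/' is
    attributed to evil.test rather than to the userinfo decoy.
    """
    final, hops = unwrap_redirect(url)
    host = (urlparse(final).hostname or "").lower()
    trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
    if not host:
        verdict = "unparseable"
    elif trusted:
        verdict = "trusted"
    elif hops:
        verdict = "suspicious-redirect"  # trusted redirector hiding an untrusted host
    else:
        verdict = "untrusted"
    return {"input": url, "final": final, "host": host, "hops": len(hops), "verdict": verdict}


# Constructed sample URLs, as a QR decoder might emit them from attachments.
TRUSTED = ("example-corp.com",)
SAMPLE_QR_URLS = [
    # Google redirector to a lookalike subdomain chain on an attacker host
    "https://www.google.com/url?q=https%3A%2F%2Flogin.example-corp.com.evil.test%2Fmfa&sa=D",
    # Same redirector, but the destination really is the organization
    "https://www.google.com/url?q=https://intranet.example-corp.com/benefits",
    # Userinfo decoy: the browser goes to evil.test
    "https://login.example-corp.com@evil.test/remittance",
    # Plain attacker host
    "https://evil.test/pdf/remittance",
    # Two chained redirects
    "https://www.google.com/url?q=https://www.google.com/url?url=https%3A%2F%2Fevil.test%2Fchain",
]


def triage(urls=SAMPLE_QR_URLS, trusted=TRUSTED):
    """Classify a batch of decoded QR URLs; returns the list of verdict dicts."""
    return [classify_qr_url(u, trusted) for u in urls]


if __name__ == "__main__":
    for result in triage():
        print(f"{result['verdict']:20} hops={result['hops']} host={result['host']}  <- {result['input']}")
```

The check deliberately never fetches the URL: detonating a phishing link from the mail gateway tips off the operator and can trip the kit's anti-analysis logic, whereas the redirector parameters are resolvable from the string alone. A real deployment would extend `REDIRECTORS` with whatever open redirectors the organization has seen abused and feed the verdicts into the existing email-quarantine path.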