In May 2023, Cofense researchers observed a large phishing campaign that used QR codes to harvest Microsoft credentials across multiple industries. The energy sector was a notable target, with Bing redirect URLs and domains such as krxd.com and cf-ipfs.com used to hide the malicious content. #Cofense #QRcodes
Keypoints
- The campaign began in May 2023 and leveraged QR codes to steal Microsoft credentials across various industries.
- The energy sector was a major target, accounting for about 29% of the emails with malicious QR codes.
- Links in the phishing messages relied on Bing redirect URLs; other notable domains included krxd.com and cf-ipfs.com.
- QR codes provide an advantage by hiding the malicious link inside the image, making it harder for anti-phishing solutions to detect.
- Campaign growth was rapid, with month-to-month growth greater than 270% and an overall increase of over 2,400% since May 2023.
- Phishing lures focused on account security topics (2FA/MFA) and urged action within 2 to 3 days, prompting recipients to scan the QR code.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Attachment – The phishing messages used in this campaign include a PNG image or PDF attachment featuring a QR code.
- [T1566.001] Phishing: Spearphishing Link – The use of QR codes has several advantages over a phishing link embedded directly in an email; the most important is the ability to bypass anti-phishing solutions, because the phishing link is hidden inside the QR image.
- [T1204] User Execution – The content of the message attempts to trick the recipient into scanning the code to verify their account.
Indicators of Compromise
- [Domain] Bing redirect URLs – bing.com (used to host or redirect to malicious content)
- [Domain] krxd.com – krxd.com (associated with the Salesforce application)
- [Domain] cf-ipfs.com – cf-ipfs.com (Cloudflare's Web3 services)
- [File] PNG attachments β PNG image attachments featuring a QR code
- [File] PDF attachments β PDF attachments featuring a QR code
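The keypoints above note that the phishing URL is hidden inside the QR image, so link scanners that only parse message bodies never see it, and the indicator list shows the URLs were wrapped in Bing redirects before landing on krxd.com or cf-ipfs.com. The following Python is an added example, not code from Cofense or the article, of the triage step a mail-security pipeline would run after a QR decoder (not shown; assumed to be a separate tool) has extracted the string from each PNG or PDF attachment. It unwraps Bing-style redirects and matches the final host against the domains listed on this page. The layout of a Bing `/ck/a` redirect (target in the `u` parameter as `a1` followed by base64url) is an assumption made here, not something the report states, and all sample payloads are constructed.

```python
"""Triage strings decoded from QR codes in email attachments (added example)."""
import base64
from urllib.parse import urlparse, parse_qs

# Domains named in the report as hosting this campaign's landing pages.
CAMPAIGN_DOMAINS = {"krxd.com", "cf-ipfs.com"}


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_subdomain_of(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def unwrap_bing_redirect(url):
    """Return the destination of a Bing click-redirect URL, or None.

    Assumption (not from the report): bing.com/ck/... links carry the
    destination in the 'u' query parameter as 'a1' + base64url(target).
    """
    parsed = urlparse(url)
    if not is_subdomain_of(host_of(url), "bing.com") or not parsed.path.startswith("/ck/"):
        return None
    u = parse_qs(parsed.query).get("u", [""])[0]
    if not u.startswith("a1"):
        return None
    payload = u[2:]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    try:
        return base64.urlsafe_b64decode(payload).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return None


def triage_qr_payload(payload):
    """Classify one decoded QR string.

    Returns (verdict, reasons, final_url) where verdict is one of
    'not-a-url', 'unknown' or 'suspicious'.
    """
    reasons = []
    url = payload.strip()
    if not url.lower().startswith(("http://", "https://")):
        return "not-a-url", reasons, url
    final = url
    dest = unwrap_bing_redirect(url)
    if dest is not None:
        reasons.append("bing-redirect")
        final = dest
    host = host_of(final)
    for domain in sorted(CAMPAIGN_DOMAINS):
        if is_subdomain_of(host, domain):
            reasons.append("campaign-domain:" + domain)
    verdict = "suspicious" if reasons else "unknown"
    return verdict, reasons, final


def _make_bing_redirect(target):
    """Build a constructed Bing-style redirect for the samples below."""
    enc = base64.urlsafe_b64encode(target.encode()).decode().rstrip("=")
    return "https://www.bing.com/ck/a?p=constructed&u=a1" + enc


# Constructed sample payloads, as a QR decoder might hand them over.
SAMPLE_QR_PAYLOADS = [
    _make_bing_redirect("https://example.cf-ipfs.com/verify"),  # redirect -> campaign domain
    "https://files.krxd.com/example/mfa-update.html",           # direct campaign domain
    "https://www.example.com/newsletter",                        # benign-looking URL
    "MECARD:N:Example;",                                         # contact card, not a URL
]


def triage_all(payloads):
    """Triage a batch of decoded QR strings; returns a list of result tuples."""
    return [triage_qr_payload(p) for p in payloads]


if __name__ == "__main__":
    for payload, (verdict, reasons, final) in zip(SAMPLE_QR_PAYLOADS, triage_all(SAMPLE_QR_PAYLOADS)):
        print(f"{verdict:11} {','.join(reasons) or '-':40} {final}")
```

A practical note: the domain match is a campaign-specific indicator and will age quickly, whereas the "URL found only inside an image attachment" signal and the redirect unwrapping generalize to later QR-phishing waves; in production the verdict would feed a sandbox or URL-reputation lookup rather than be final on its own.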
Read more: https://securityaffairs.com/149567/hacking/phishing-campaign-qr-codes.html?amp=1