Threat Awareness – QR Code Campaign Impacts Major U.S. Energy Company

What’s Black and White and Read all Over? Many years before computers, “newspaper” was the usual punchline to this riddle, but in today’s culture the QR code is more representative. QR codes have been in use for many years – a Japanese automotive company actually patented them in 1994 – but the usage became much more widespread during the COVID-19 pandemic. QR codes have benefits, but like anything electronically/digitally useful, scammers eventually leverage them with nefarious intent. While QR codes have not historically been observed in large campaigns, based on recent observations by Cofense, malicious actors may be testing the efficacy of QR codes as a viable attack vector.

Beginning in May 2023, Cofense observed a large phishing campaign utilizing QR codes targeting the Microsoft credentials of users from a wide array of industries. The most notable target was a major Energy company based in the U.S. which experienced approximately 29% of the over 1000 emails containing malicious QR codes.

This unique 2-dimensional barcode is a quirky-looking square with no discernible markings to help a person know what it contains. QR codes, by their very nature, encourage quick action from users. These two characteristics alone make them perfect for scammers to use in phishing-style attacks. Members are encouraged to remind users of the potential risks from scanning QR codes and may find The Threat of the Malicious QR Code and How to Mitigate It shared by WaterISAC in the August 8, 2023 Security & Resilience Update useful for adding to security awareness and training. Read more at Cofense.