Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

Researchers from Unit 42 have identified a rise in sophisticated phishing tactics that leverage QR codes and URL redirection to compromise user credentials. These methods obscure the true destination of phishing links, making it easier for attackers to deceive victims, particularly in sectors such as medical, automotive, education, energy, and finance. Affected: medical, automotive, education, energy, financial sectors.

Key points:

  • Growth of phishing tactics involving QR codes for credential theft.
  • Attackers use URL redirection mechanisms from legitimate websites to obscure phishing links.
  • Attackers use Cloudflare Turnstile human verification to evade security checks.
  • Phishing operations include multiple redirects, human verification, and credential harvesting.
  • Phishing documents are often themed around enticing topics to lower user caution.
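
The redirection point above lends itself to a mail-gateway or triage check. The following is an added example, not code from Unit 42 or the original page: given a URL already decoded from a QR image, it flags query or fragment parameters that carry an absolute URL on a different host, including double percent-encoded and base64-encoded targets. The function names, sample URLs and `.test` hosts are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qsl, unquote, urlsplit

def _decodings(value):
    """Yield value under repeated percent-decoding, then any base64 decodings."""
    seen = []
    for _ in range(3):  # parse_qsl decoded once already; catch double encoding
        if value in seen:
            break
        seen.append(value)
        yield value
        value = unquote(value)
    for v in seen:
        try:
            yield base64.urlsafe_b64decode(v + "=" * (-len(v) % 4)).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not base64, or not text once decoded

def embedded_redirects(url):
    """Return [(param, host)] for parameters carrying a URL on a different host."""
    parts = urlsplit(url)
    outer = (parts.hostname or "").lower()
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(parts.fragment, keep_blank_values=True)
    hits = []
    for name, value in pairs:
        for cand in _decodings(value):
            if cand.startswith("//"):  # protocol-relative target
                cand = "https:" + cand
            try:
                target = urlsplit(cand)
                host = (target.hostname or "").lower()
            except ValueError:  # e.g. malformed IPv6 literal in decoded junk
                continue
            if target.scheme in ("http", "https") and host and host != outer:
                hits.append((name, host))
                break
    return hits

# Constructed payloads as decoded from QR images; hosts are placeholders.
SAMPLES = [
    "https://www.example.com/redirect?url=https%3A%2F%2Flogin.phish.test%2Fauth",
    "https://www.example.com/out?u=https%253A%252F%252Flogin.phish.test",
    "https://www.example.com/search?q=qr+codes&next=/account",
]

if __name__ == "__main__":
    print({s: embedded_redirects(s) for s in SAMPLES})
```

A hit is a signal for further inspection rather than a verdict, since legitimate services also pass cross-host return URLs in parameters.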

MITRE Techniques:

  • T1071 – Application Layer Protocol: Attackers use legitimate applications to communicate with the phishing sites.
  • T1071.001 – Application Layer Protocol: Web Protocols: Using QR codes to redirect to phishing domains through web mechanisms.
  • T1071.002 – Application Layer Protocol: Email Protocols: Phishing emails lure victims into scanning QR codes.
  • T1071.003 – Application Layer Protocol: Instant Messaging: Phishing attempts using messaging applications to share QR codes.
  • T1110 – Brute Force: Attackers harvest credentials through phishing sites that mimic legitimate login pages.

Indicators of Compromise:

  • [Hash] b6130b45131035bec8d9b0304e934f2db0ee092ccaa709c3c2e8dd93770527bb
  • [Hash] e2cdd7eb0ea24c22d1e3dfea557a5a47dfdcd7c6b00b05bd5d099e0c8633ac25
  • [Hash] fa38f31ed09774cfd2627bff376c27c44611b842b96f3215b0a491805d525a40
  • [URL] hxxps://ebjv[.]com[.]au/filesharer
  • [URL] hxxps://docuusign[.]statementquo[.]com/ey8YO?e=


Full Story: https://unit42.paloaltonetworks.com/qr-code-phishing/