QR Code Phishing


    Jun. 17, 2024

    Key Points

    • Approximately 70,000 messages were observed abusing QR codes embedded into attachments impersonating DocuSign and other cloud services.
    • QR codes help attackers bypass corporate security through the usage of personal devices.
    • The primary intent was to steal credentials of recipients, most likely to sell for profit.

    There is an ongoing phishing campaign using QR codes embedded in PDF documents attached to emails. The PDFs impersonate legitimate services such as DocuSign, and frequently the victim’s organisation name is used in the subject or within the document to add legitimacy. The usage of QR codes via email seen by Mimecast often exceeds 3.5 million daily, highlighting how prevalent this attack type can potentially become. For this campaign, between April 1st and June 5th, 2024, there have been over 70,000 detections.


    [Image: Threat Notification QR Code Phishing]

    Note: The QR code has been replaced with a QR code leading to Google for safety.


    Targets:

    Global, All Sectors


    IOCs:

    Sender domain:
    farmasocio[.]com

    Sender email address:
    {victimdomain}@farmasocio[.]com
    support@farmasocio[.]com

    Subject Lines:
    Multiple variations exist

    • Document for eSignature: Please Review & Sign Your Application For Payment of ATO-held Superannuation Funds (Tax Return Statement 2023)
    • Response Required: Document(s) for eSignature: Please Review & Sign Your Application For Payment of HMRC-held Superannuation Funds - Tax Return Statement 2023

    File names:
    Multiple variations exist

    • Disposition-Notification.pdf
    • Supermatum Funds Revised HMRC Settlement Statement.pdf

    SHA-256 of attachment:
    Multiple variations exist

    • C6a589ac4cd20896ab1ab308e3e80f8fea21fb51fdbd05dc1cf8c35b1bb65edc
    • 1dd8d125e6d2771816a13813f2c0c96908f8b145092709cd2eaf91fea9a6c167
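
One way to check stored mail against the IOCs above, as an added example that is not part of the original notification. The function names, hit labels and sample messages are constructed for illustration, and reading {victimdomain} as the recipient's domain or its first label is an assumption.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# IoCs copied from this notification; the sender domain is refanged for matching.
SENDER_DOMAIN = "farmasocio[.]com".replace("[.]", ".")
SHA256 = {"c6a589ac4cd20896ab1ab308e3e80f8fea21fb51fdbd05dc1cf8c35b1bb65edc",
          "1dd8d125e6d2771816a13813f2c0c96908f8b145092709cd2eaf91fea9a6c167"}
FILE_NAMES = {"disposition-notification.pdf",
              "supermatum funds revised hmrc settlement statement.pdf"}

def match_iocs(raw: bytes) -> set[str]:
    """Return which IoC types from the notification a raw RFC 5322 message hits."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    local, _, domain = parseaddr(str(msg.get("From", "")))[1].lower().rpartition("@")
    if domain == SENDER_DOMAIN:
        hits.add("sender_domain")
        # Assumption: {victimdomain} is the recipient's domain or its first label.
        rcpts = getaddresses([str(h) for h in msg.get_all("To", [])])
        for _, addr in rcpts:
            rdom = addr.lower().rpartition("@")[2]
            if rdom and local in (rdom, rdom.split(".")[0]):
                hits.add("sender_local_part_is_victim_domain")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").strip().lower() in FILE_NAMES:
            hits.add("file_name")
        # Hash the decoded attachment bytes, not the base64 transfer encoding.
        body = part.get_payload(decode=True) or b""
        if hashlib.sha256(body).hexdigest() in SHA256:
            hits.add("attachment_sha256")
    return hits

def sample(sender: str, rcpt: str, filename: str) -> bytes:
    """Constructed test message with a dummy PDF attachment (not a real sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, rcpt, "Document for eSignature"
    m.set_content("constructed body")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(match_iocs(sample("example@farmasocio.com", "user@example.org",
                            "Disposition-Notification.pdf")))
```

Because the notification states that multiple variations of file names and hashes exist, a message with no file-name or hash hit is not thereby cleared; the sender-domain hit is the more stable signal of the three.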