A Large QR Code Phishing Campaign Favors Energy Companies
Category: Threat Actor Activity | Industry: Global | Source: Cofense
Since May 2023, a substantial phishing campaign has been under observation with a particular focus on the energy sector, including an unnamed US energy company, accounting for 29% of over 1000 emails. Cofense has been closely monitoring this campaign and reported in its findings that other top targets include the "Manufacturing, Insurance, Technology, and Financial Services seeing 15%, 9%, 7%, and 6% of the campaign traffic respectively." From May, the volume of emails spiked between June and July, with "June being the biggest jump of around 500% and around 155% from June to July." The objective of the campaign is to harvest user credentials, and the emails lure victims by posing as a time-sensitive Microsoft security alert about enabling multi-factor authentication.
Attackers are showing a growing preference for QR codes because they offer another way to evade security controls compared with traditional phishing methods that use links or attachments. Scanning a QR code also introduces the possibility that users will interact with devices outside the organization's security controls, potentially circumventing established security measures. As a further layer of evasion, the campaign abuses trusted domains, with redirect URLs incorporating domains from Bing, Salesforce, and Cloudflare. "Bing redirect URLs shared the largest portion of the campaign, comprising 26% of the overall campaign phishing links used in the QR Codes, followed by the Salesforce application URL taking 15%," as uncovered by Cofense. Phishing links within the QR code are also base64 encoded in an effort to bypass security measures.
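For defenders, the pattern described above (a trusted-domain redirect carrying a base64-encoded destination) can be checked once a URL has been extracted from a QR image. The Python below is an added example, not code from Cofense or from this report; the watchlist contents, the sample URLs, and the parameter names `r` and `next` are assumptions constructed for illustration.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Assumption: watchlist seeded from brands the report names; tune to your mail flow.
TRUSTED_REDIRECT_SUFFIXES = ("bing.com", "salesforce.com")

def decode_b64_url(value):
    """Return the decoded text if value is base64 of an http(s) URL, else None."""
    value = value.replace(" ", "+")            # parse_qsl turns '+' into a space
    padded = value + "=" * (-len(value) % 4)   # senders often strip '=' padding
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except ValueError:                     # covers binascii.Error, UnicodeDecodeError
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None

def inspect_qr_url(url):
    """Classify one URL that a QR decoder extracted from an email image."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    trusted = any(host == s or host.endswith("." + s)
                  for s in TRUSTED_REDIRECT_SUFFIXES)
    hidden = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        dest = decode_b64_url(value)
        # Only report destinations that leave the host the user thinks they are visiting.
        if dest and (urlsplit(dest).hostname or "").lower() != host:
            hidden.append((name, dest))
    return {"host": host, "trusted_redirector": trusted,
            "hidden_destinations": hidden,
            "suspicious": trusted and bool(hidden)}

# Constructed samples: hosts under .example, the paths and the parameter names
# "r" and "next" are hypothetical, not any real service's redirect format.
DEST = "https://credential-harvest.example/mfa"
ENC = base64.urlsafe_b64encode(DEST.encode()).decode().rstrip("=")
SAMPLES = [
    f"https://www.bing.com/redirect?r={ENC}",    # watchlisted host + hidden URL
    "https://www.bing.com/search?q=mfa+setup",   # watchlisted host, nothing hidden
    f"https://unlisted.example/go?next={ENC}",   # hidden URL, host not watchlisted
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_qr_url(sample))
```

The third sample is not marked suspicious but still reports a hidden destination, which is worth logging because the watchlist will never cover every redirect-capable service.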