{"id":23182,"date":"2023-10-23T17:06:13","date_gmt":"2023-10-24T01:06:13","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/10\/23\/news-16912\/"},"modified":"2023-10-23T17:06:13","modified_gmt":"2023-10-24T01:06:13","slug":"news-16912","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/10\/23\/news-16912\/","title":{"rendered":"Why you shouldn\u2019t scan QR codes in emails | Kaspersky official blog"},"content":{"rendered":"<p><strong>Credit to Author: Roman Dedenok| Date: Fri, 20 Oct 2023 13:00:08 +0000<\/strong><\/p>\n<p><a href=\"https:\/\/securelist.com\/qr-codes-in-phishing\/110676\/\" target=\"_blank\" rel=\"nofollow noopener\">There&#8217;ve been more and more cases<\/a> of users receiving emails seemingly from large internet companies (for example, Microsoft or its cloud service Office 365) containing QR codes. The body of these emails has a call to action: in a nutshell, scan the QR code to maintain access to your account. This post examines whether it&#8217;s worth reacting to such messages.<\/p>\n<h2>Scan the QR code, or face the inevitable<\/h2>\n<p>A typical email of this kind contains a notification saying your account password is about to expire, after which you&#8217;ll lose access to your mailbox, and so the password must be changed, for which you need to scan the QR code in the email and follow the instructions.<\/p>\n<div id=\"attachment_49399\" style=\"width: 1510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084257\/qr-codes-in-phishing-emails-01.jpg\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-49399\" decoding=\"async\" class=\"size-full wp-image-49399\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084257\/qr-codes-in-phishing-emails-01.jpg\" alt=\"Example of a phishing email with a QR code\" width=\"1500\" height=\"960\" \/><\/a><\/p>\n<p 
id=\"caption-attachment-49399\" class=\"wp-caption-text\">The password must be reset by scanning the QR code<\/p>\n<\/div>\n<p>Another email could warn the recipient that their &#8220;authenticator session has expired today&#8221;. To avoid this, the user is advised to &#8220;quickly scan the QR Code below with your smartphone to re-authenticate your password security&#8221;. Otherwise access to the mailbox could be lost.<\/p>\n<div id=\"attachment_49400\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084417\/qr-codes-in-phishing-emails-02.jpg\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-49400\" decoding=\"async\" class=\"size-full wp-image-49400\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084417\/qr-codes-in-phishing-emails-02.jpg\" alt=\"Example of a phishing email with a QR code\" width=\"1460\" height=\"960\" \/><\/a><\/p>\n<p id=\"caption-attachment-49400\" class=\"wp-caption-text\">&#8220;Authenticator session has expired&#8221; \u2014 for a quick fix, scan the QR code<\/p>\n<\/div>\n<p>A further example: the message kindly informs the reader: &#8220;This email is from a trusted source&#8221; \u2014 we&#8217;ve already talked about <a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-stamp-verified\/44907\/\" target=\"_blank\" rel=\"noopener\">why emails stamped &#8220;verified&#8221; should be treated with caution<\/a>. The thrust of the message is that &#8220;3 important emails&#8221; supposedly cannot be delivered to the user due to lack of some kind of validation. 
Of course, scanning the QR code below will &#8220;fix&#8221; the issue.<\/p>\n<div id=\"attachment_49401\" style=\"width: 1510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084752\/qr-codes-in-phishing-emails-03.jpg\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-49401\" decoding=\"async\" class=\"size-full wp-image-49401\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23084752\/qr-codes-in-phishing-emails-03.jpg\" alt=\"Example of a phishing email with a QR code\" width=\"1500\" height=\"1321\" \/><\/a><\/p>\n<p id=\"caption-attachment-49401\" class=\"wp-caption-text\">Important emails can be delivered only by scanning the QR code for &#8220;validation&#8221;<\/p>\n<\/div>\n<p>Clearly, the authors of these emails want to intimidate inexperienced users with high-sounding words.<\/p>\n<p>They&#8217;re also likely hoping that the recipient has heard something about authenticator apps \u2014 which do indeed use QR codes \u2014 so that their mere mention may stir some vague associations in their mind.<\/p>\n<h2>What happens if you scan the QR code in the email<\/h2>\n<p>The link in the QR code takes you to a rather convincing replica of a Microsoft login page.<\/p>\n<div id=\"attachment_49402\" style=\"width: 1510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23085324\/qr-codes-in-phishing-emails-04.jpg\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-49402\" decoding=\"async\" class=\"size-full wp-image-49402\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23085324\/qr-codes-in-phishing-emails-04.jpg\" alt=\"Scanning the QR code opens a phishing site\" width=\"1500\" height=\"1340\" \/><\/a><\/p>\n<p id=\"caption-attachment-49402\" class=\"wp-caption-text\">Scanning the QR code takes you to a phishing site 
that steals entered credentials<\/p>\n<\/div>\n<p>Of course, all credentials entered on such phishing pages end up in cybercriminal hands. And this jeopardizes the accounts of users who fall for such tricks.<\/p>\n<p>An interesting detail is that some phishing links in QR codes lead to IPFS resources. IPFS (InterPlanetary File System) is a communication protocol for sharing files that has much in common with torrents. It allows you to publish any files on the internet without domain registration, hosting, or other complications.<\/p>\n<p>In other words, the phishing page is located directly on the phisher&#8217;s computer and is accessible via a link through a special IPFS gateway. <a href=\"https:\/\/securelist.com\/ipfs-phishing\/109158\/\" target=\"_blank\" rel=\"nofollow noopener\">Phishers use the IPFS protocol<\/a> because it&#8217;s much easier to publish a phishing page this way, and much harder to remove it than to block a &#8220;regular&#8221; malicious website. As such, the links live longer.<\/p>\n<h2>How to guard against phishing QR codes<\/h2>\n<p>No decent authentication system will suggest scanning a QR code as your <em>only<\/em> option. Therefore, if you receive an email asking you to, say, confirm something, or sign in to your account again, or reset your password, or perform some similar action, and this email only contains a QR code, you&#8217;re probably dealing with phishing. You can safely ignore and delete such an email.<\/p>\n<p>And for those times when you need to scan a QR code from an unknown source, we recommend <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\">our security solution<\/a> with its secure QR code scanner function. 
It will check the contents of QR codes and warn you if there&#8217;s anything bogus inside.<\/p>\n<p> <input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\" \/> <br \/><a href=\"https:\/\/www.kaspersky.com\/blog\/qr-codes-in-phishing-emails\/49388\/\" target=\"bwo\" >https:\/\/blog.kaspersky.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/20084829\/qr-codes-in-phishing-emails-feature.jpg\"\/><\/p>\n<p><strong>Credit to Author: Roman Dedenok| Date: Fri, 20 Oct 2023 13:00:08 +0000<\/strong><\/p>\n<p>Be wary of QR codes in emails \u2014 they\u2019re likely email phishing.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10425,10378],"tags":[11222,30371,10516,3924,18765,714,29630,10438],"class_list":["post-23182","post","type-post","status-publish","format-standard","hentry","category-kaspersky","category-security","tag-email","tag-kaspersky-qr-scanner","tag-microsoft","tag-phishing","tag-qr-codes","tag-security","tag-signs-of-phishing","tag-threats"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23182"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23182\/revisions"}],"wp:attachm
ent":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23182"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}