Risk Actors Exploit Microsoft Sway to Host QR Code Phishing Campaigns

A brand new report from cybersecurity firm Netskope reveals particulars about assault campaigns abusing Microsoft Sway and CloudFlare Turnstile and leveraging QR codes to trick customers into offering their Microsoft Workplace credentials to the phishing platform.

These campaigns have focused victims in Asia and North America throughout a number of segments led by expertise, manufacturing, and finance.

What’s quishing?

QR codes are a handy strategy to browse web sites or entry data with out the necessity to enter any URL on a smartphone. However there’s a danger in utilizing QR codes: cybercriminals would possibly abuse them to guide victims to malicious content material.

This course of, referred to as “quishing,” includes redirecting victims to malicious web sites or prompting them to obtain dangerous content material by scanning a QR code. As soon as on the location, cybercriminals work to steal your private and monetary data. The design of QR codes makes it inconceivable for the consumer to know the place the code will direct them after scanning.

Thomas Damonneville, head of anti-phishing firm StalkPhish, informed TechRepublic that quishing “is a growing trend” that “is very easy to use and makes it harder to check if the content is legitimate.”

Quishing assaults by way of Microsoft Sway

In July 2024, Netskope Risk Labs found a 2000-fold enhance in visitors to phishing pages by way of Microsoft Sway. Nearly all of the malicious pages used QR codes.

Distinctive Microsoft Sway phishing web page. Picture: Netskope

Microsoft Sway is an internet app from Microsoft Workplace that comes free and permits customers to simply create shows or different web-based content material. The app being freed from cost makes it a beautiful goal for cybercriminals.

Within the assault campaigns uncovered by Netskope’s researcher Jan Michael Alcantara, victims are being focused with Microsoft Sway pages that result in phishing makes an attempt for Microsoft Workplace credentials.

Another example of Sway page containing malicious QR code leading to phishing URL.
An instance of Sway web page containing malicious QR code resulting in phishing URL. Picture: Netskope

Netskope’s analysis doesn’t point out how the fraudulent hyperlinks had been despatched to victims. Nonetheless, it’s doable to unfold these hyperlinks by way of e mail, social networks, SMS, or instantaneous messaging software program.

The ultimate payload appears to be like much like the official Microsoft Workplace login web page, as uncovered in a Could 2024 publication from the identical researcher.

Final payload shows a fake Microsoft Office login page.
Ultimate payload reveals a faux Microsoft Workplace login web page. Picture: Netskope

Stealthier assault utilizing CloudFlare Turnstile

CloudFlare’s Turnstile is a free software that replaces captchas, which have been exploited in reported assault campaigns. This official service permits web site homeowners to simply add the required Turnstile code to their content material, enabling customers to easily click on on a verification code as a substitute of fixing a captcha.

CloudFlare Turnstile snippet.
CloudFlare Turnstile snippet. Picture: CloudFlare

From an attacker perspective, utilizing this free software is interesting as a result of it requires customers to click on on a CloudFlare Turnstile earlier than being redirected to the phishing web page. This provides a layer of safety towards detection for the attacker, as the ultimate phishing payload is hid from on-line URL scanners.

Attacker-in-the-middle phishing approach

Conventional phishing strategies sometimes accumulate credentials earlier than displaying an error web page or redirecting the consumer to the official login web page. This method makes customers imagine they’ve entered incorrect credentials, possible leaving them unaware of the fraud.

The attacker-in-the-middle phishing approach is extra discreet. The consumer’s credentials are collected and instantly used to log into the official service. This technique, additionally referred to as clear phishing, permits the consumer to be efficiently logged after the fraudulent credential theft, making the assault much less noticeable.

Malicious QR code detection difficulties

“Nobody can read a QR code with his own eyes,” Damonneville stated. “You can only scan it with the appropriate device, a smartphone. Some links can be so long that you can’t check the whole link, if you check it … But who checks links?”

Textual content-only-based detections are additionally ineffective towards QR codes as they’re photographs. There’s additionally no widespread normal for verifying the authenticity of a QR code. Safety mechanisms akin to digital signatures for QR codes will not be generally applied, making it tough to confirm the supply or integrity of the content material.

How are you going to forestall a QR code from phishing?

Many QR code readers present a preview of the URL, although, enabling customers to see the URL earlier than scanning it. Any suspicion on the URL ought to entice the consumer to not use the QR code. Moreover:

  • QR codes resulting in actions akin to login or present data ought to increase suspicion and ought to be rigorously analyzed.
  • Safety options additionally would possibly assist, as they will detect phishing URLs. URLs ought to at all times be scanned by such a software.
  • Funds shouldn’t be accomplished by QR code except you’re assured that it’s official.

Microsoft Sway shouldn’t be the one official product that could be used by cybercriminals to host phishing pages.

“We regularly observe legitimate sites or applications being used to host quishing or phishing, including Github, Gitbooks or Google Docs, for example, on a daily basis,” Damonneville stated. “Not to mention all the URL shorteners on the market, or free hosting sites, widely used to hide a URL easily.”

This as soon as once more enforces the concept that customers’ consciousness must be raised and staff must be skilled to tell apart a suspicious URL from a official one.

Disclosure: I work for Development Micro, however the views expressed on this article are mine.

Recent articles

Researchers Warn of Privilege Escalation Dangers in Google’s Vertex AI ML Platform

Nov 15, 2024Ravie LakshmananSynthetic Intelligence / Vulnerability Cybersecurity researchers have...

How AI Is Reworking IAM and Id Safety

Lately, synthetic intelligence (AI) has begun revolutionizing Id Entry...

Vietnamese Hacker Group Deploys New PXA Stealer Focusing on Europe and Asia

Nov 15, 2024Ravie LakshmananMalware / Credential Theft A Vietnamese-speaking risk...

Excessive-Severity Flaw in PostgreSQL Permits Hackers to Exploit Surroundings Variables

Nov 15, 2024Ravie LakshmananVulnerability / Database Safety Cybersecurity researchers have...