Quishing, a phishing variant using malicious QR codes, deceives users into opening fake websites and sharing sensitive data, often succeeding because scans occur on mobile devices outside the security perimeter of organizational networks
Cybersecurity researchers at Barracuda have identified two new methods cybercriminals are using to disguise malicious QR codes in phishing campaigns, raising concerns over the growing threat of so-called “quishing” attacks.
Innovative techniques: Split and Nested QR codes
According to Barracuda’s threat intelligence team, attackers are increasingly leveraging phishing-as-a-service (PhaaS) kits such as Gabagool and Tycoon to deploy advanced QR code tricks.
In one tactic, dubbed the “split QR code,” malicious actors divide a single QR code into two images and place them side by side within a phishing email. While the image appears normal to the recipient, email security tools detect only harmless fragments. Victims who scan the combined image are redirected to fraudulent sites designed to capture login credentials.
The second approach, called “nested QR code,” involves placing a harmful QR code inside or around a legitimate one. For instance, Barracuda researchers observed Tycoon attackers embedding a malicious outer code that leads to a phishing domain, while the inner code pointed to Google. This layered method makes it difficult for automated systems to identify the true destination, further enhancing the deception.
Rising quishing risks and defense measures
Quishing, a variant of phishing, involves embedding QR codes that link to fake websites, tricking victims into revealing sensitive data. These attacks often succeed because users must scan the codes on mobile devices, which are typically outside an organization’s protected network.
“Malicious QR codes are popular with attackers because they appear trustworthy and can bypass conventional defenses such as email filters and URL scanners,” explained Saravan Mohankumar, Manager of Threat Analysis at Barracuda. “Attackers will continue innovating to outpace security systems, making AI-powered protection critical.”
To combat these threats, experts recommend multi-layered defenses, including security awareness training, multi-factor authentication, and advanced email filtering. Barracuda also highlights the role of multimodal AI technology, which can analyze, decode, and inspect QR codes without requiring manual extraction of their embedded content.
As phishing toolkits evolve, the findings underline the urgent need for enterprises to strengthen defenses and remain vigilant against increasingly sophisticated QR-based attacks.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
