Phishing without words: how not to become a victim of a new way of stealing accounts
Attackers forge emails from various companies using images or QR codes to bypass security systems.
Researchers at the company Inky have recorded a wave of new fraudulent campaigns in which attackers bypass spam and phishing mail filters by sending emails that contain no text, only images or QR codes.
The cybercriminals' goal is to steal the credentials of employees at various organizations. To do this, they forge emails from Microsoft or from the victim's employer, often sending them from real business addresses that were compromised earlier (a BEC attack). In the emails, the attackers ask the recipient for help recovering a password or activating two-factor authentication, giving the request a sense of urgency.
Many anti-spam systems scan the text of emails for terms commonly associated with fraud. However, the emails detected by Inky easily evade these security measures because they contain no HTML text at all.
Instead, the attackers place the entire email text inside an image attachment. Email clients automatically display this image in the message body, misleading recipients into thinking it is an ordinary email. Inky counters this tactic with OCR (optical character recognition) technology that scans and extracts text from images and PDF files, making it visible to the other spam filters.
The emails also contain embedded QR codes that redirect victims to phishing sites mimicking Microsoft account login screens. These fake pages look convincing, and their URLs contain the recipient's email address to create a false sense of legitimacy. This is how the attackers easily steal their victims' logins and passwords.
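The image-only trick described above can be caught before any keyword filter runs by checking whether a message has an inline image but almost no real text. The following heuristic is an added example, not Inky's code or the article's; the messages, addresses and the fake PNG bytes it builds are constructed placeholders.

```python
# Added example, not from the article or Inky: flag mail whose only visible content is an inline image.
import email
import re
from email import policy
from email.message import EmailMessage

def visible_words(msg) -> int:
    """Words of real text across text/plain and text/html parts (HTML tags stripped)."""
    total = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            body = re.sub(r"<[^>]+>", " ", body)
        total += len(body.split())
    return total

def inline_images(msg) -> list:
    """Image parts a mail client will render inside the message body."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        disp = part.get_content_disposition()  # None, 'inline' or 'attachment'
        if disp in (None, "inline") or part.get("Content-ID"):
            found.append(part.get_filename() or part.get_content_type())
    return found

def classify(raw: bytes, min_words: int = 10) -> str:
    """Route image-only mail to OCR instead of trusting the text-based filters."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if inline_images(msg) and visible_words(msg) < min_words:
        return "suspicious: image-only body, send to OCR"
    return "normal"

def build_sample(text: str, with_image: bool) -> bytes:
    """Constructed test message; the addresses and image bytes are placeholders."""
    m = EmailMessage()
    m["From"] = "it-support@example.invalid"
    m["To"] = "employee@example.invalid"
    m["Subject"] = "Action required: account verification"
    m.set_content(text)
    if with_image:  # a fake PNG header stands in for the rendered "letter"
        m.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, maintype="image",
                      subtype="png", cid="<notice@example.invalid>",
                      filename="notice.png")
    return m.as_bytes()
```

A message that is only an image is not proof of phishing on its own, so the verdict here is a routing decision (send to OCR) rather than a block.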
Inky found over 500 such emails aimed at a wide range of organizations in the US and Australia. The victims included a flooring company, various non-profit organizations, asset management companies, consulting firms, and others. Such a broad target base indicates that the attackers are casting a wide net to increase their chances of success.
Users should carefully check the sender address and the URL of any page that looks like a login screen, especially if the email asks for account information. If it is possible to reach the sender through another communication channel, that is the most effective way to confirm where the email came from and what the sender intends. Needless to say, dubious QR codes should not be scanned at all, no matter who sends them to you.