Cybersecurity analysts have uncovered a fresh wave of “Quishing” attacks, where cybercriminals deploy innovative QR code manipulation techniques to bypass traditional security measures. According to a new threat report from Barracuda’s Threat Analysis team, attackers are now using split and nested QR codes to disguise malicious content and trick unsuspecting users.
Quishing, a variant of phishing, involves embedding QR codes with malicious links that redirect victims to fraudulent websites. These fake portals are typically designed to harvest login credentials, financial details, or other sensitive information. The latest methods were detected in phishing-as-a-service (PhaaS) kits, including Tycoon and Gabagool, which are widely used by cybercriminal gangs.
Split QR Codes Targeting Microsoft Users
In one campaign linked to the Gabagool kit, attackers employed a split QR code tactic in fraudulent Microsoft “password reset” emails. Instead of embedding a single QR code, the attackers divided it into two distinct images placed close together. While the human eye perceives the combined image as a normal QR code, security scanners interpret the two images as harmless, unrelated graphics. Once scanned by a victim, however, the QR code redirects to a phishing website designed to steal Microsoft login credentials.
This approach exploits a blind spot in traditional email security systems, which often fail to recognize two separate images as one functional malicious code.
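One way a mail filter could close this blind spot, shown as an added example that is not from the Barracuda report or any product: flag adjacent images in an HTML body whose combined dimensions tile a square, so they can be stitched together and passed to a QR decoder as a single image. The function names, thresholds and sample email are assumptions, and the heuristic only works when the images carry numeric width and height attributes.

```python
from html.parser import HTMLParser

class ImgCollector(HTMLParser):
    """Collect <img> tags in document order and note visible text between them."""
    def __init__(self):
        super().__init__()
        self.imgs, self._text_seen = [], False

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        try:
            w, h = int(a.get("width") or 0), int(a.get("height") or 0)
        except ValueError:
            w = h = 0  # non-numeric size: cannot reason about geometry
        self.imgs.append({"src": a.get("src") or "", "w": w, "h": h,
                          "text_before": self._text_seen})
        self._text_seen = False

    def handle_data(self, data):
        if data.strip():
            self._text_seen = True

def near(a, b, tol):
    return abs(a - b) <= tol * max(a, b)

def split_qr_candidates(html, tol=0.1, min_side=80):
    """Return (src1, src2, layout) for adjacent image pairs that tile a square."""
    p = ImgCollector()
    p.feed(html)
    hits = []
    for first, second in zip(p.imgs, p.imgs[1:]):
        if second["text_before"] or 0 in (first["w"], first["h"], second["w"], second["h"]):
            continue  # separated by text, or size unknown
        if (near(first["h"], second["h"], tol) and first["h"] >= min_side
                and near(first["w"] + second["w"], first["h"], tol)):
            hits.append((first["src"], second["src"], "side-by-side"))
        elif (near(first["w"], second["w"], tol) and first["w"] >= min_side
                and near(first["h"] + second["h"], first["w"], tol)):
            hits.append((first["src"], second["src"], "stacked"))
    return hits

# Constructed sample email body (not taken from the report).
SAMPLE = """<p>Reset your password:</p>
<img src="cid:a.png" width="100" height="200"><img src="cid:b.png" width="100" height="200">
<p>Thanks</p><img src="cid:logo.png" width="300" height="60">"""

if __name__ == "__main__":
    print(split_qr_candidates(SAMPLE))
```

A flagged pair is only a candidate: the filter still has to composite the two images and decode the result to recover and inspect the URL.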
Nested QR Codes Add a Layer of Deception
Meanwhile, the Tycoon kit was observed using a nesting technique, where a malicious QR code is wrapped around a legitimate one. In this case, the inner QR code leads to Google, while the outer QR code redirects victims to a phishing site. By combining malicious and safe elements, attackers aim to confuse detection systems and increase the likelihood of user engagement.
Experts warn that these evolving tactics underscore the attractiveness of QR codes to cybercriminals. Saravan Mohankumar, Manager of Barracuda’s Threat Analysis team, stated that malicious QR codes are popular with attackers because they look legitimate and can bypass traditional security measures such as email filters and link scanners.
To counter such threats, cybersecurity specialists recommend multilayered defences, including AI-powered email protection, multifactor authentication, and comprehensive user awareness training. Advanced multimodal AI tools are capable of decoding, inspecting, and analyzing QR codes before users interact with them, closing gaps left by traditional scanners.