quishing Piergiorgio Venuti

Quishing: the dangerous hybrid between phishing and QR code

Estimated reading time: 5 minutes

Introduction

The advent of digital technology has brought with it numerous opportunities, but also new threats to cybersecurity. Among these threats, phishing has gained notoriety as one of the most popular methods to obtain sensitive information from users. However, an evolution of this threat has emerged recently, called “quishing”. In this article, we will explore the concept of quishing in detail, comparing it to other forms of cyber attacks such as phishing, smishing and vishing, and analyzing its potential danger. Examples of quishing cases will also be presented and the possible malicious uses of this practice will be described.

What is quishing and how does it work?

Quishing, short for “QR code phishing”, is a sophisticated variant of phishing that uses QR codes to trick users into obtaining personal or financial information. While traditional phishing relies primarily on sending phishing emails, quishing uses malicious QR codes that can be present on flyers, posters, compromised websites or other forms of communication.

The functioning of quishing is based on user trust in the QR code. Users are tricked into acquiring the QR code through a deceptive action, for example through a false promotion or an apparent advantageous offer. Once the user scans the QR code with a QR code application, they are redirected to a counterfeit website that imitates a legitimate page. At this point, the user may be asked to enter their credentials, personal data or financial information, which will later be exploited by cyber criminals for malicious purposes.

Comparison between quishing, phishing, smishing and vishing

To fully understand the danger posed by quishing, it is helpful to compare it to other forms of similar cyber attacks, such as phishing, smishing, and vishing.

Phishing is a form of attack in which attackers send deceptive emails or text messages with the aim of tricking users into revealing personal or financial information. Quishing differs from traditional phishing in the use of QR codes, which adds an element of physical interaction and greater credibility to the attack.

Smishing, on the other hand, focuses on sending malicious text messages that attempt to scam users out of sensitive information. Although quishing could be considered a variant of smishing, the use of QR codes makes it a more sophisticated and difficult to recognize attack.

Finally, vishing is an attack that occurs through telephone calls, in which attackers pose as operators of financial institutions or other reliable organizations in order to obtain confidential information. Although vishing has a different attack mode than quishing, both exploit user trust and psychological manipulation to achieve their goals.

Among these forms of cyber attacks, quishing could be considered the most dangerous as it combines the psychological deception element of traditional phishing with the physical interaction provided by QR codes. This can lead to greater effectiveness in deceiving users and collecting sensitive information.

Examples of quishing cases

To better understand the scope of quishing, here are some examples of known cases of quishing attacks:

Case 1: Fake promotion of a clothing store

A user receives a flyer promoting a great discount at a popular clothing store. The flyer contains a QR code that promises to reveal further details about the offer. Unaware of the danger, the user scans the QR code with their smartphone, which redirects them to a counterfeit website that imitates the store’s official page. The website requires the user to enter their personal information, including credit card information, in order to obtain the discount. However, once the user provides such information, cyber criminals use it for fraudulent purposes, causing serious financial damage.

Case 2: Banking scam via QR code

A user receives an email apparently from their bank, stating that they need to update their account information for security reasons. The email contains a QR code that invites the user to scan to complete the update. Once the user scans the QR code, they are redirected to a counterfeit website that appears authentic. The site requires the user to enter their banking credentials, allowing criminals to gain access to the account and carry out financial fraud.

Case 3: Malicious QR codes on compromised websites

A user browses a legitimate website, but unfortunately compromised by hackers. While browsing the site, the user encounters a QR code that appears to be related to the content of the site. Curious, he scans the QR code with his smartphone, without realizing that it was inserted by the attacker. The QR code redirects him to a malicious web page that attempts to steal his personal or financial information.

Conclusions and precautions

Quishing represents a growing threat in the cybersecurity sphere. Cybercriminals exploit user trust and the widespread use of QR codes to trick people into obtaining sensitive information. To protect yourself from quishing, it is important to take some precautions:

  1. Verify the source: Before scanning a QR code, make sure you know the source it came from. Check the reliability of the issuer and look for any signs of forgery.
  2. Watch out for too-good-to-be-true offers: Be cautious about promotions and extraordinary offers, especially if they require the use of a QR code. Verify the authenticity of the offer through official channels before providing personal or financial information.
  3. Keep your software up to date: Make sure you keep your smartphone, operating system and applications up to date. Updates often include security patches that can protect you from known vulnerabilities used by attackers.
  4. Use reliable security solutions: Install antivirus and anti-malware applications on your mobile device to detect and block any threats.
  5. Education and awareness: Educate yourself and spread awareness about quishing and other forms of cyber attacks among friends, family and colleagues. Share tips and best practices to reduce the risk of falling victim to such attacks.

In conclusion, quishing represents a significant threat to cybersecurity. With the increased use of QR codes in everyday communication, it is crucial to be aware of the associated risks and take appropriate precautions to protect your personal and financial information.

Contattaci

Useful links:

Share


RSS

RSS feed

More Articles…

Categories …

Tags

Acronis Cloud Backup BaaS Backup cloud cloud computing Cloud Conference cloud provider reggio emilia cloud server cloud services CTI cyber security cyber security cyber threat Cyber Threat Hunter Data Exfiltration GDPR Machine Learning Monitoraggio infrastruttura ICT Next Generation SIEM nextgen siem online hosting owncloud owncloud pentest Phishing Plesk Ransomware Ransomware security server virtuale sicurezza siem Smart Working SOAR SOCaaS Threat intelligence UEBA VDS Virtual Machine vps vulnerability assessment web hosting webinar Zabbix Zabbix as a Service

RSS Unknown Feed

RSS Full Disclosure

  • SEC Consult SA-20250604-0 :: Local Privilege Escalation and Default Credentials in INDAMED - MEDICAL OFFICE (Medical practice management) Demo version June 10, 2025
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09SEC Consult Vulnerability Lab Security Advisory < 20250604-0 > ======================================================================= title: Local Privilege Escalation and Default Credentials product: INDAMED - MEDICAL OFFICE (Medical practice management) Demo version vulnerable version: Revision 18544 (II/2024) fixed version: Q2/2025 (Privilege Escalation, Default Password)...
  • Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft June 10, 2025
    Posted by josephgoyd via Fulldisclosure on Jun 09Hello Full Disclosure, This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and undetectable crypto wallet exfiltration. Despite responsible disclosure, the research […]
  • Defense in depth -- the Microsoft way (part 89): user group policies don't deserve tamper protection June 3, 2025
    Posted by Stefan Kanthak on Jun 03Hi @ll, user group policies are stored in DACL-protected registry keys [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies] respectively [HKEY_CURRENT_USER\Software\Policies] and below, where only the SYSTEM account and members of the "Administrators" user group are granted write access. At logon the user&apos;s registry hive "%USERPROFILE%\ntuser.dat" is loaded with exclusive (read, write and...
  • CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0 June 3, 2025
    Posted by Sanjay Singh on Jun 03Hello Full Disclosure list, I am sharing details of a newly assigned CVE affecting an open-source educational software project: ------------------------------------------------------------------------ CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0 ------------------------------------------------------------------------ Product: CloudClassroom PHP Project Vendor:...
  • ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page June 3, 2025
    Posted by Ron E on Jun 03An authenticated attacker can inject JavaScript into the bio field of their user profile. When the profile is viewed by another user, the injected script executes. *Proof of Concept:* POST /api/method/frappe.desk.page.user_profile.user_profile.update_profile_info HTTP/2 Host: --host-- profile_info={"bio":"\">"}
  • ERPNext v15.53.1 Stored XSS in user_image Field Allows Script Execution via Injected Image Path June 3, 2025
    Posted by Ron E on Jun 03An authenticated user can inject malicious JavaScript into the user_image field of the profile page using an XSS payload within the file path or HTML context. This field is rendered without sufficient sanitization, allowing stored script execution in the context of other authenticated users. *Proof of Concept:*POST /api/method/frappe.desk.page.user_profile.user_profile.update_profile_info HTTP/2 […]
  • Local information disclosure in apport and systemd-coredump June 3, 2025
    Posted by Qualys Security Advisory via Fulldisclosure on Jun 03Qualys Security Advisory Local information disclosure in apport and systemd-coredump (CVE-2025-5054 and CVE-2025-4598) ======================================================================== Contents ======================================================================== Summary Mitigation Local information disclosure in apport (CVE-2025-5054) - Background - Analysis - Proof of concept Local information disclosure in systemd-coredump...
  • Stored XSS via File Upload - adaptcmsv3.0.3 June 3, 2025
    Posted by Andrey Stoykov on Jun 03# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS via File Upload #1: Steps to Reproduce: 1. Login with low privilege user and visit "Profile" > "Edit […]
  • IDOR "Change Password" Functionality - adaptcmsv3.0.3 June 3, 2025
    Posted by Andrey Stoykov on Jun 03# Exploit Title: IDOR "Change Password" Functionality - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ IDOR "Change Password" Functionality #1: Steps to Reproduce: 1. Login as user with low privilege and visit profile page 2. Select […]
  • Stored XSS "Send Message" Functionality - adaptcmsv3.0.3 June 3, 2025
    Posted by Andrey Stoykov on Jun 03# Exploit Title: Stored XSS "Send Message" Functionality - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS "Send Message" Functionality #1: Steps to Reproduce: 1. Login as normal user and visit "Profile" > "Message" > […]

Customers

Newsletter

{subscription_form_1}
Products and Solutions
Partners
Cloud Models
News
Google Reviews
Secure Online Desktop s.r.l.
4.9
Based on 37 reviews
powered by Google
review us on
Omid Fazeli
06:59 20 Apr 18
They have a lot of solutions for any kind of business. Lower prices than many others. The support service is always active and efficient.
See All Reviews
Facebook
Secure Online Desktop s.r.l.
Secure Online Desktop s.r.l.
5.0
Based on 12 reviews
powered by Facebook
review us on
Paolo Raimondi
Paolo Raimondi
11:06 21 Apr 18
La Polimatica Progetti Srl, azienda di... cui sono titolare, collabora con soddisfazione da alcuni anni con Secure Online Desktop. L'Azienda è costituita da professionisti seri e competenti. Insieme a loro abbiamo costruito un sistema organizzato di soluzioni ICT, servizi e attività di consulenza per la compliance alla normativa in materia di protezione dei dati personali (GDPR).read more
Ilaria Miglietta
Ilaria Miglietta
04:16 21 Apr 18
Servizi affidabili e di semplice... utilizzo. I loro tecnici molto attenti alle esigenze del cliente, continuate cosìread more
Francesca Marastoni
Francesca Marastoni
11:41 20 Apr 18
Excellent service company with... wonderful stuff. Highly recommended.

Ottima azienda, servizi molto utili, staff qualificato e competente. Raccomandata!read more
Alessio Liga
Alessio Liga
08:25 20 Apr 18
Servizi di alto livello, competenti e... disponibili a accettare nuove sfide per sviluppare business
Ottimo supportoread more
Matteo Revelli
Matteo Revelli
22:39 19 Apr 18
Ottima azienda, offre servizi di alta... qualità con personale competente e disponibile.read more
Lorenzo Munari
Lorenzo Munari
16:25 19 Apr 18
Azienda molto seria e... affidabile.

E' un piacere poter collaborare con realtà di questo tiporead more
Francisco Amadi
Francisco Amadi
10:41 19 Apr 18
Ho avuto il piacere di collaborare con... loro e spero vivamente che succeda di nuovo. Competenti, professionali, precisi e cordiali!read more
Davide Michelotto
Davide Michelotto
07:42 19 Apr 18
Ottimo servizio, seri professionisti al... timone della società e celerità nei tempi di risposta, oltre ogni aspettativa.read more
Gabriele Petralia
Gabriele Petralia
12:28 18 Apr 18
Luca Prati
Luca Prati
10:12 18 Apr 18
Azienda eccellente, consulenza... customizzata e puntuale.
Un ottimo fornitore.
Io personalmente ho parlato con l' Ing. Venuti, valore aggiunto indubbiamente.read more
Valerio Lezza
Valerio Lezza
21:35 17 Apr 18
Daniela Cospito Di Leo
Daniela Cospito Di Leo
21:20 17 Apr 18
More Reviews
js_loader
payments gateway
About