QR Codes, Audio Notes, and Voicemail - Clever Tricks Up a Phisher’s Sleeve

Written by David Balaban.

Cybercriminals are increasingly cashing in on human gullibility rather than the security flaws of software architecture. It comes as no surprise that phishing, the dominating vector of social engineering attacks targeting individuals and businesses alike, is on a steady rise. In many scenarios, a legit-looking email with a toxic link on board suffices to hoodwink the recipient into handing over their credentials on a fake login page.

As security awareness becomes mainstream, many users are leery enough to stay away from this classic cyber chicanery. Furthermore, email providers and antimalware vendors have been fine-tuning their protection toolkits to catch up with the rapidly evolving menace. Improved email security is also one of the benefits of managed IT services that are gaining traction with enterprises today. However, there is a caveat.

Although white hats have had some success in detecting and thwarting these hoaxes through features like email gateways, phishers still appear to be at least one step ahead with their tactics. Several unusual campaigns have demonstrated how evasive the present-day phishing attacks can get.

QR codes weaponized

The popularity of quick response (QR) codes has put them in cybercrime’s spotlight. In recent years, these instruments for easy access to information have been abused on a growing scale to scam people and orchestrate malware campaigns.

In a typical QR phishing attack, the malefactor creates two-dimensional matrix barcodes that conceal malicious URLs. These innocuous-looking objects are often placed in phishing emails, text messages, or social media posts, enticing users to scan them. The content behind these sketchy QR codes may lead to fake websites that mimic trusted services and prompt the would-be victim to enter their login credentials, financial information, or other sensitive data.

Also known as quishing, this tactic was first unearthed in late 2021 in a wave of phishing emails pretending to be from FedEx or DHL. The recipients were instructed to scan the rogue QR codes to update delivery details or pay customs fees. Instead, they would end up on a legitimate-looking credential phishing page.

Quishing is such a lure for threat actors because some email filters can’t interpret QR codes and therefore don’t flag such messages as potentially malicious. That being said, the onus is largely on end-users to avoid such scams. It’s strongly recommended to inspect each URL such a code leads to. Another layer of defense comes down to multi-factor authentication, especially in enterprise environments where one compromised account can become an entry point for a network breach.

Phony audio note messages on the threat map

A particularly intricate phishing stratagem originally abuses Microsoft OneNote service to dupe users into visiting a bogus authentication page. This wave of persuasive brainwashing relies on emails that say “New Audio Note Received” in their subject field. The message tries to convince the user that they have a new audio note from a contact in their address book.

To look trustworthy, the email body additionally contains details on the call duration and the date the message was allegedly received. Another element of reassurance is that the footer includes a phrase about the email having been scanned by “McAfee Ultimate Antivirus Scanning Service for Microsoft”. A little bit of research reveals that such a security solution doesn’t appear to even exist, yet the expression might dispel some recipients’ doubts regarding the authenticity of the message.

If a victim happens to fall for this fraud, they might click the link saying “Listen to full message here”, only to end up on a counterfeit OneNote Online web page. Interestingly, the phishing domain is hosted on Microsoft’s Sharepoint.com platform. It means that the dodgy site uses a valid digital certificate; therefore, it looks credible to prudent visitors and isn’t likely to get blacklisted by web browsers or internet security suites.

The landing page instructs the victim to click one more link so that the purported audio message finally becomes available. However, the link redirects to a faux sign-in site (also hosted on Sharepoint.com service) asking the user to authenticate with their email address and Microsoft account password. Once these credentials are entered, they are sent to the operators of the phishing scam who can then perpetrate account takeover.

Fabricated Microsoft voicemail alerts serve as bait

In another phishing campaign, malefactors are forging Microsoft 365 voicemail notifications to get victims on their hook. By stating that the recipients have a missed voice message, the fraudulent emails try to fool them into opening an attached HTML file that forwards the web browser to a bogus login page while engaging an offbeat URL obfuscation technique.

According to researchers who unveiled this ploy, the above-mentioned email attachment contains an encoded JavaScript string that triggers a web traffic redirect command as soon as the HTML object is opened. As a result, the user first goes to a harmless intermediary page which, in turn, automatically resolves another URL requiring that the user solve a Captcha. With this technique in play, the dodgy page is more likely to fly under the radar of URL analysis tools.

As soon as the unwitting user passes the Captcha test, their browser is rerouted to a final credential phishing page whose design mimics Microsoft 365 sign-in. In a progenitor of this hoax originally spotted in 2019, the victim would instead visit a page called “Voicemail Management System” requesting the same authentication info. Once entered, these details are forwarded to the felons’ backend server.

As per analysts’ findings, the phishing fraud based on malicious HTML attachments mainly zeroes in on US-based organizations representing verticals such as military, healthcare, manufacturing supply chain, and security software. Credentials stolen from regular employees can become a springboard for expanding the attack surface and conducting industrial espionage.

In light of the growing trend, the admins of business IT networks are recommended to configure email systems to automatically block HTML entities that land in users’ inboxes. It turns out that they can be nearly as harmful as malware executables.

Phishing prevention best practices

The modern advanced filtering mechanisms can stop most phishing scams in their tracks, but not all of them. Therefore, relying entirely on these technologies is a slippery slope that might not be enough to stay safe. The following additional precautions will boost your efforts to avoid falling victim to phishing attacks.

• Don’t click on links embedded in emails.
• Never open attachments received from unknown senders.
• When entering credentials in a login form, make sure it’s HTTPS rather than HTTP.
• Check the linked-to URLs for authenticity (pay attention to typos and other inaccuracies).
• Scrutinize emails for grammar, spelling, and punctuation mistakes. Many phishers don’t proofread their text.
• Ignore messages that specify a deadline for doing something or otherwise imply urgency.
• Scammers often harvest publicly available data about individuals and use it to concoct spear-phishing emails that pull the strings. Consider removing personal information from the internet to thwart such open-source intelligence (OSINT) attempts.
• Know your business to identify messages that don’t fit the mold of your normal email correspondence.
• If you receive a wire transfer request (ostensibly from your boss), confirm it in person. A phone call is usually enough to double-check its legitimacy.
• Don’t overshare personal information on social networks.
• Use a reliable internet security suite and a firewall.
• If you are a business owner, set up a phishing awareness training program if you haven’t already.

A growing trend and arguably the next big thing in the area of foiling these attacks is to leverage techniques based on machine learning and artificial intelligence (AI). A mix of this approach and long-standing traditional methods can detect phishing attempts much more effectively.

The bottom line

Phishers are adding new sophisticated techniques to their repertoire. To bypass conventional security mechanisms, their schemes may involve legit-looking websites with digital certificates issued by trusted entities. In some cases, the victims’ internet traffic travels through a series of harmless pages before reaching the phishing form. The abuse of QR codes helps fraudsters cloak their malicious URLs. All these quirks make the attacks harder to detect.

To top it off, the increasingly eye-catching themes of these messages entice the recipients to keep clicking. At the end of the day, the most reliable prevention tactic is to combine automated defenses with vigilance stemming from proper security awareness.

About the Author

David Balaban is a cybersecurity analyst with two decades of track record in malware research and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a solid malware troubleshooting background, with a recent focus on ransomware countermeasures.