Date: 10/18/2024
Severity: Critical
Summary
Attackers are embedding QR codes in PDF email attachments to spearphish corporate credentials. Sophos X-Ops recently investigated a campaign of this kind that targeted several employees; one of them scanned the code on a mobile device and entered their credentials on the attacker's login page. The technique, known as "quishing" (a blend of "QR code" and "phishing"), delivers the phishing URL as a QR code instead of a clickable link. Because the URL is encoded in an image inside the attachment, the recipient cannot read or hover over it, email filters that only inspect text links do not see it, and scanning it moves the victim onto a personal phone that typically sits outside the organization's web-filtering and endpoint controls.
Indicators of Compromise (IOC) List
Domains\URLs :
login.banowash.com
banowash.com
login.khoshnaamcc.com
khoshnaamcc.com
erispub.it
driv.sharedfiledrive.com
sharedfiledrive.com
uAa.iancendit.com
iancendit.com
pub-4d4edb0d119c468c81820c36344b6d98.r2.dev
lbts.doclawconsultant.com
https://login.banowash.com/
https://login.khoshnaamcc.com/
https://erispub.it/wp-admin/user/reset/?mail=[email]
https://driv.sharedfiledrive.com/[email]
https://uAa.iancendit.com/9uCUGa/[email]
https://de-xinsports.com/gstqiwyva.html
https://pub-4d4edb0d119c468c81820c36344b6d98.r2.dev/hayehsoowpg
https://lbts.doclawconsultant.com/Bj12z/?e=
Note: [email] in the URLs above is a placeholder for the targeted user's email address, which the phishing links carry in the path or query string; it is not a literal string to match.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs :
userdomainname like "uAa.iancendit.com" or url like "uAa.iancendit.com" or
userdomainname like "pub-4d4edb0d119c468c81820c36344b6d98.r2.dev" or url like "pub-4d4edb0d119c468c81820c36344b6d98.r2.dev" or
userdomainname like "khoshnaamcc.com" or url like "khoshnaamcc.com" or
userdomainname like "login.banowash.com" or url like "login.banowash.com" or
userdomainname like "banowash.com" or url like "banowash.com" or
userdomainname like "erispub.it" or url like "erispub.it" or
userdomainname like "login.khoshnaamcc.com" or url like "login.khoshnaamcc.com" or
userdomainname like "lbts.doclawconsultant.com" or url like "lbts.doclawconsultant.com" or
userdomainname like "https://uAa.iancendit.com/9uCUGa/[email]" or url like "https://uAa.iancendit.com/9uCUGa/[email]" or
userdomainname like "https://driv.sharedfiledrive.com/[email]" or url like "https://driv.sharedfiledrive.com/[email]" or
userdomainname like "https://lbts.doclawconsultant.com/Bj12z/?e=" or url like "https://lbts.doclawconsultant.com/Bj12z/?e=" or
userdomainname like "https://de-xinsports.com/gstqiwyva.html" or url like "https://de-xinsports.com/gstqiwyva.html" or
userdomainname like "https://erispub.it/wp-admin/user/reset/?mail=[email]" or url like "https://erispub.it/wp-admin/user/reset/?mail=[email]" or
userdomainname like "driv.sharedfiledrive.com" or url like "driv.sharedfiledrive.com" or
userdomainname like "sharedfiledrive.com" or url like "sharedfiledrive.com" or
userdomainname like "https://login.banowash.com/" or url like "https://login.banowash.com/" or
userdomainname like "https://login.khoshnaamcc.com/" or url like "https://login.khoshnaamcc.com/" or
userdomainname like "https://pub-4d4edb0d119c468c81820c36344b6d98.r2.dev/hayehsoowpg" or url like "https://pub-4d4edb0d119c468c81820c36344b6d98.r2.dev/hayehsoowpg"
Note: the full-URL terms contain the [email] placeholder from the IOC list, so a literal match on them will not fire against real traffic; the bare domain terms (and, for the parameterized URLs, the host and path prefix before [email]) are the reliable part of this query.
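The same IOC match, written out as a stand-alone script that runs over a few constructed web-proxy log lines. This is an added example, not Gurucul TDIR code or anything from the Sophos write-up: the log format (timestamp, user, source IP, URL, status) is an assumption, the log lines are made up, and de-xinsports.com is taken from the URL list above rather than the domain list. It matches hosts by suffix, so a previously unseen subdomain of an IOC domain is still caught, and it turns the [email] placeholder into a wildcard instead of matching it literally.

```python
"""Match web-proxy log lines against the quishing IOC list (added example)."""
import re
from urllib.parse import urlparse

# IOC domains from the advisory. A host equal to one of these, or any
# subdomain of one, is a hit. de-xinsports.com is derived from the IOC URLs.
IOC_DOMAINS = {
    "login.banowash.com", "banowash.com",
    "login.khoshnaamcc.com", "khoshnaamcc.com",
    "erispub.it",
    "driv.sharedfiledrive.com", "sharedfiledrive.com",
    "uaa.iancendit.com", "iancendit.com",
    "pub-4d4edb0d119c468c81820c36344b6d98.r2.dev",
    "lbts.doclawconsultant.com",
    "de-xinsports.com",
}

# IOC URLs from the advisory. "[email]" stands for the victim's address and
# is compiled to a wildcard, never matched as a literal string.
IOC_URLS = [
    "https://login.banowash.com/",
    "https://login.khoshnaamcc.com/",
    "https://erispub.it/wp-admin/user/reset/?mail=[email]",
    "https://driv.sharedfiledrive.com/[email]",
    "https://uAa.iancendit.com/9uCUGa/[email]",
    "https://de-xinsports.com/gstqiwyva.html",
    "https://pub-4d4edb0d119c468c81820c36344b6d98.r2.dev/hayehsoowpg",
    "https://lbts.doclawconsultant.com/Bj12z/?e=",
]


def url_pattern(ioc_url):
    """Compile an IOC URL into a case-insensitive prefix regex; '[email]' -> '.+'."""
    parts = [re.escape(p) for p in ioc_url.split("[email]")]
    return re.compile("^" + ".+".join(parts), re.IGNORECASE)


IOC_URL_PATTERNS = [(u, url_pattern(u)) for u in IOC_URLS]

# Longest domain first so the most specific IOC is reported for a host.
_DOMAINS_BY_LENGTH = sorted(IOC_DOMAINS, key=len, reverse=True)


def host_matches(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in _DOMAINS_BY_LENGTH:
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed sample proxy log lines (not real telemetry), assumed format:
#   <timestamp> <user> <src_ip> <url> <http_status>
SAMPLE_LOGS = """\
2024-10-17T09:12:44Z jdoe 10.20.30.40 https://login.banowash.com/ 200
2024-10-17T09:13:01Z jdoe 10.20.30.40 https://uAa.iancendit.com/9uCUGa/jdoe%40example.com 200
2024-10-17T09:15:22Z asmith 10.20.30.41 https://www.example.org/news 200
2024-10-17T09:16:05Z asmith 10.20.30.41 https://cdn.sharedfiledrive.com/asset.js 200
2024-10-17T09:17:30Z bwong 10.20.30.42 https://pub-4d4edb0d119c468c81820c36344b6d98.r2.dev/hayehsoowpg 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_logs(text):
    """Return one dict per log line whose host or full URL matches an IOC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, src, url, status = m.groups()
        host = urlparse(url).hostname or ""
        dom = host_matches(host)
        url_hit = next((u for u, pat in IOC_URL_PATTERNS if pat.match(url)), None)
        if dom or url_hit:
            hits.append({"time": ts, "user": user, "src": src, "url": url,
                         "domain_ioc": dom, "url_ioc": url_hit})
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"{h['time']} {h['user']} {h['src']} -> {h['url']} "
              f"[domain={h['domain_ioc']} url={h['url_ioc']}]")
```

Run against real proxy, DNS or secure-web-gateway exports by replacing `SAMPLE_LOGS` and `LOG_RE` with your own format; the suffix match on the domain list is what catches the cdn.sharedfiledrive.com line, which an exact-host comparison would miss.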
Reference:
https://news.sophos.com/en-us/2024/10/16/quishing/