Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
New Wave of Quishing Attacks: Innovative Tactics from Cybercriminals

Redazione RHC : 4 September 2025 15:34

In recent years, a particularly insidious form of phishing has become widespread: Quishing or QRishing, a strategy based on the use of QR codes containing malicious links that, once scanned, redirect victims to fake websites specifically created to steal their credentials or sensitive information.

Experts at Barracuda Networks, a leading cybersecurity solutions provider offering comprehensive protection from complex threats for businesses of all sizes, have discovered two innovative techniques used by cybercriminals to allow malicious QR codes to bypass security systems in phishing attacks. These tactics, described in detail in a new report, involve splitting a QR code into two parts to confuse traditional scanning systems, or inserting a malicious QR code within or next to a second legitimate QR code.

In particular, Barracuda analysts have observed these splitting and merging (or, as they are technically called, “nesting”) techniques in attacks conducted using some of the leading Phishing-as-a-Service (PhaaS) kits, such as Tycoon and Gabagool.

Split QR Codes

The attackers using Gabagool employed split QR codes in a scam that simulates a password reset request from Microsoft. Their strategy involves splitting the QR code into two separate images and inserting them closely together in a phishing email.

This way, the image appears to the human eye as a single code. However, when traditional security systems analyze the message, they detect two separate, harmless-looking images, rather than a complete QR code. But if the recipient scans the image, they’re redirected to a maliciously crafted phishing site designed to steal their credentials.
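An added example (not from Barracuda's report or the original article) of one defensive heuristic for the split-QR technique described above: pair up inline images that sit next to each other in the HTML body with no visible text between them, and flag pairs whose dimensions tile into a near-square so they can be stitched and handed to a QR decoder. The function names, the 15% squareness tolerance and the header-only PNG stubs in the sample message are assumptions made for illustration.

```python
# Added example: the heuristic and all names are assumptions, not a vendor's method.
import struct
from email.message import EmailMessage
from html.parser import HTMLParser

def png_size(data):
    """(width, height) from a PNG IHDR chunk, or None if not a PNG."""
    if data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])

class ImgSeq(HTMLParser):
    """Record <img> sources in order; None marks visible text in between."""
    def __init__(self):
        super().__init__()
        self.seq = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.seq.append(dict(attrs).get("src"))
    def handle_data(self, data):
        if data.strip():
            self.seq.append(None)

def split_qr_candidates(msg, tol=0.15):
    """Pairs of adjacent inline images that tile into a near-square shape."""
    sizes, html = {}, ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
        elif part.get_content_maintype() == "image":
            cid = (part["Content-ID"] or "").strip("<>")
            sizes["cid:" + cid] = png_size(part.get_payload(decode=True))
    parser = ImgSeq()
    parser.feed(html)
    hits = []
    for a, b in zip(parser.seq, parser.seq[1:]):
        (wa, ha), (wb, hb) = sizes.get(a) or (0, 0), sizes.get(b) or (0, 0)
        # Side-by-side halves share a height; stacked halves share a width.
        shapes = [(wa + wb, ha)] * (ha == hb) + [(wa, ha + hb)] * (wa == wb)
        if wa and wb and any(abs(w - h) <= tol * max(w, h) for w, h in shapes):
            hits.append((a, b))
    return hits

def constructed_sample(left_w=100, right_w=100, h=200):
    """Constructed message: two header-only PNG stubs placed side by side."""
    msg = EmailMessage()
    msg.set_content('<p>Reset your password:</p><table><tr><td><img src="cid:l">'
                    '</td><td><img src="cid:r"></td></tr></table>', subtype="html")
    for cid, w in (("l", left_w), ("r", right_w)):
        stub = b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sII", 13, b"IHDR", w, h)
        msg.add_related(stub, "image", "png", cid=f"<{cid}>")
    return msg
```

Flagged pairs are only candidates: a real pipeline would composite the two images in the flagged orientation and run the result through a QR decoder before inspecting the URL.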

Bundled QR Codes

The Tycoon PhaaS kit, on the other hand, uses nesting to surround a legitimate QR code with a malicious one: the outer QR code redirects to a malicious URL, while the inner QR code redirects to Google. This technique is likely designed to make it more difficult for scanners to detect the threat, as the results appear ambiguous.

“Malicious QR codes are widely used by cybercriminals because they look legitimate and can bypass traditional security measures, such as email filters and URL scanners,” says Saravanan Mohankumar, manager, threat analysis team at Barracuda.

“Because recipients often need to use a mobile device to scan the code, they end up operating outside the security perimeter of computers and, consequently, their protections. Cybercriminals continue to experiment with new techniques to stay ahead of defense measures. Therefore, integrated, AI-enhanced protection can really make a difference.”

Ever-Evolving QR Codes: How to Protect Yourself

In addition to adopting fundamental practices such as cybersecurity awareness and training, multi-factor authentication, and robust spam and email filters, it’s important to consider introducing multi-layered email protection that includes multi-modal AI capabilities to detect ever-evolving threats. Multi-modal AI strengthens protection by identifying, decoding, and inspecting QR codes without the need to extract embedded content.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
