Trying to make sense of recent QR code phishing targeting US institutions

Hey everyone, recently I found some interesting info in an FBI report about a North Korean group called Kimsuky. It seems they are using QR codes in phishing emails to try and steal login credentials from US government institutions, think tanks, and academic organizations. The emails reportedly look quite convincing, and since QR codes are harder for normal protections to detect, they can bypass some standard security measures.

From what I understand, when someone scans these QR codes, they get redirected through multiple pages that collect info like device type, location, and other identifiers before reaching a fake login portal for services like Microsoft 365, Okta, or VPNs. The report mentions that this can even bypass multi-factor authentication, which surprised me a bit because MFA is usually a strong layer of defense.

The FBI suggests a “multi-layered” defense, like employee training, protocols for reporting suspicious QR codes, and mobile device management for analyzing these links. I’m curious if any of you have heard about Kimsuky’s activity before or seen similar attacks in other contexts. It makes me wonder how widespread these QR-based phishing attacks really are, especially for organizations outside the usual corporate setup. Also, are there particular signs we could look for when scanning QR codes to avoid falling into traps like these?

Just wanted to start a conversation to see what others think. The report is publicly available and seems to be based on solid observations, but the whole quishing technique seems pretty sneaky and not something most people would anticipate.
 
Thanks for sharing this. I hadn’t heard about QR code phishing in this way before. I usually think of phishing as emails or links, but using QR codes seems clever. Do you know if there have been any confirmed cases where credentials were actually stolen this way, or is it mostly a warning?
 
Thanks for sharing this. I hadn’t heard about QR code phishing in this way before. I usually think of phishing as emails or links, but using QR codes seems clever. Do you know if there have been any confirmed cases where credentials were actually stolen this way, or is it mostly a warning?
I think the FBI report mentions incidents targeting government and academic accounts, but I don’t recall if they gave exact numbers of successful breaches. The idea that they can bypass MFA is a bit concerning, though. It makes me think that mobile devices might be the weakest link here.
 
This is fascinating. I’ve seen QR codes used for payments and promotions, but not much as a phishing tool. The redirection to collect session tokens seems particularly sneaky. I wonder how much training employees in spotting suspicious QR codes actually helps in practice.
 
I’ve been following Kimsuky a little. From past reports, they seem to focus on very specific high-value targets rather than random users. So if you’re in a smaller organization, the risk might be lower, but still not zero.
 
Thanks for sharing this. I hadn’t heard about QR code phishing in this way before. I usually think of phishing as emails or links, but using QR codes seems clever. Do you know if there have been any confirmed cases where credentials were actually stolen this way, or is it mostly a warning?
Yes, the report implies that once the session token is captured, MFA might not even trigger an alert, because the attackers can use the token to log in directly. It’s different from traditional password-only phishing.
 
I’m curious about the technical part. How does this QR code bypass MFA exactly? I know the report mentions session token replay, but does that mean even a correctly entered MFA code wouldn’t stop them?
 
Yes, the report implies that once the session token is captured, MFA might not even trigger an alert, because the attackers can use the token to log in directly. It’s different from traditional password-only phishing.
Ah, that explains it. That is really sneaky. Makes me rethink scanning QR codes in emails or untrusted sources entirely.
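
Added example (editorial, not written by anyone in this thread and not taken from the FBI report): one way a defender can look for the session token replay discussed above is to compare where a session token is used against where MFA was completed for that session. The event field names and all log lines below are constructed for illustration and do not follow any particular identity provider's schema.

```python
import json

# Constructed sample events; field names are hypothetical, IPs are documentation ranges.
SAMPLE_EVENTS = """
{"ts": "2025-01-10T09:00:02Z", "user": "alice", "session": "s-1001", "ip": "198.51.100.10", "ua": "iPhone Safari", "event": "mfa_success"}
{"ts": "2025-01-10T09:00:40Z", "user": "alice", "session": "s-1001", "ip": "198.51.100.10", "ua": "iPhone Safari", "event": "token_use"}
{"ts": "2025-01-10T09:04:11Z", "user": "alice", "session": "s-1001", "ip": "203.0.113.77", "ua": "Windows Chrome", "event": "token_use"}
{"ts": "2025-01-10T10:15:00Z", "user": "bob", "session": "s-2002", "ip": "192.0.2.5", "ua": "Windows Edge", "event": "mfa_success"}
{"ts": "2025-01-10T11:30:00Z", "user": "bob", "session": "s-2002", "ip": "192.0.2.99", "ua": "Windows Edge", "event": "token_use"}
{"ts": "2025-01-10T12:00:00Z", "user": "carol", "session": "s-3003", "ip": "203.0.113.80", "ua": "Linux Firefox", "event": "token_use"}
"""

def find_token_replay(log_text):
    """Flag session-token use that does not match where MFA was completed."""
    origin = {}    # session id -> (ip, user agent) recorded at MFA completion
    findings = []
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid, here = ev["session"], (ev["ip"], ev["ua"])
        if ev["event"] == "mfa_success":
            origin[sid] = here
            continue
        if sid not in origin:
            # Token in use with no MFA completion on record for this session.
            findings.append((sid, ev["user"], "no_mfa_origin", ev["ts"]))
        elif here[0] != origin[sid][0] and here[1] != origin[sid][1]:
            # Different network AND different client: strongest replay signal.
            findings.append((sid, ev["user"], "new_device_and_ip", ev["ts"]))
        elif here[0] != origin[sid][0]:
            # IP change alone is common on mobile networks: lower priority.
            findings.append((sid, ev["user"], "ip_change_only", ev["ts"]))
        # A user-agent change on the same IP is ignored here (browser updates).
    return findings

if __name__ == "__main__":
    for finding in find_token_replay(SAMPLE_EVENTS):
        print(finding)
```

The point it illustrates is that the MFA prompt itself never fires again for a replayed token, so the signal has to come from how the session is used afterwards.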
 
This is fascinating. I’ve seen QR codes used for payments and promotions, but not much as a phishing tool. The redirection to collect session tokens seems particularly sneaky. I wonder how much training employees in spotting suspicious QR codes actually helps in practice.
Training probably helps, but only if employees are vigilant. The problem is these QR codes look very legitimate, sometimes even embedded in images that look official.
 
I also wonder how widespread this attack vector is outside government agencies. Are commercial organizations being hit too, or is it mainly targeted attacks?
 
The report focuses on high-profile targets, but similar tactics could be adapted for businesses if attackers think it’s profitable. It’s worth being cautious even if you’re not in government or academia.
 
The report focuses on high-profile targets, but similar tactics could be adapted for businesses if attackers think it’s profitable. It’s worth being cautious even if you’re not in government or academia.
I guess the takeaway is to be skeptical of QR codes from emails or unexpected messages. Even official-looking ones could be malicious.
 
Do we know if there are any public tools or apps that can pre-check QR codes before scanning? Could be helpful for organizations deploying MFA-sensitive apps.
 