Security Market Segment LS
  • Home
  • Business IT
  • Security
  • Phishing gangs use split and nested QR codes to evade detection in new wave of ‘Quishing’ attacks
Friday, 22 August 2025 11:33

Phishing gangs use split and nested QR codes to evade detection in new wave of ‘Quishing’ attacks

By Barracuda
Phishing gangs use split and nested QR codes to evade detection in new wave of ‘Quishing’ attacks

Barracuda threat analysts have uncovered two innovative techniques being used by cyber attackers to help malicious QR codes evade detection in phishing attacks. The techniques, detailed in a new threat report, involve splitting a malicious QR code in two to confuse traditional scanning systems, or nesting the malicious QR code within or around a second, legitimate QR code.

Quishing is a form of phishing that involves the use of QR codes embedded with malicious links that, when scanned, redirect victims to fake websites designed to steal their credentials or other sensitive information. 

The analysts found the split and nesting techniques in attacks by leading phishing-as-a-service (PhaaS) kits Tycoon and Gabagool. 

Split QR codes

The Gabagool attackers were implementing split QR codes in a fake Microsoft ‘password reset’ scam. Their technique involves splitting the QR code into two separate images and embedding them close together in a phishing email. To the human eye it looks like a single QR code. However, when traditional email security solutions scan the message, they see two distinct and benign looking images rather than one complete QR code. If the recipient scans the image, they are directed to a phishing website designed to steal credentials.

Nested QR codes 

The Tycoon PhaaS was found using the nesting technique to wrap a malicious QR code around a legitimate QR code. The toxic outer QR code pointed to a malicious URL, while the inner QR code leads to Google. This technique is likely designed to make it harder for scanners to detect the threat because the results are ambiguous. 

“Malicious QR codes are popular with attackers because they look legitimate and can bypass traditional security measures such as email filters and link scanners,” said Saravan Mohankumar, Manager, Threat Analysis team at Barracuda. “Since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection. Attackers will keep trying new techniques to stay one step ahead of adapting security measures. It’s an area where integrated, AI-powered protection can really make a difference.”

Defending against evolving QR codes 

Alongside the essential basics of security awareness training, multifactor authentication and robust spam and email filters, organizations should consider multi-layered email protection that integrates multimodel AI capability to detect rapidly evolving threats. Multimodal AI enhances detection by identifying, decoding and inspecting the QR code without needing to extract the embedded content. 

To read the blog: https://blog.barracuda.com/2025/08/20/threat-spotlight-split-nested-qr-codes-quishing-attacks

Read 1328 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here




Maximising Cloud Efficiency - LUMEN WEBINAR 23 April 2025

According to KPMG, companies typically spend 35% more on cloud than is required to deliver business objectives

The rush to the cloud has led to insufficient oversight, with many organisations struggling to balance the value of cloud agility and innovation against the need for guardrails to control costs.

Join us for an exclusive webinar on Cloud Optimisation.

In this event, the team from Lumen will explain how you can maximise cloud efficiency while reducing cost.

The session will reveal how to implement key steps for effective cloud optimisation.

Register for the event now!

REGISTER!

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

BACK TO HOME PAGE
Published in Security
Tagged under

Related items

More in this category: « HID Unveils Advanced Biometric Facial Recognition and New Passwordless Authentication Technology
Share News tips for the iTWire Journalists? Your tip will be anonymous
back to top

Subscribe to Newsletter

*  Enter the security code shown:

WEBINARS & EVENTS

CYBERSECURITY

PEOPLE MOVES

GUEST ARTICLES

Guest Opinion

ITWIRETV & INTERVIEWS

RESEARCH & CASE STUDIES

Channel News

Comments