Recently, the Cyble Research & Intelligence Labs (CRIL) team discovered a global-scale scam called Scanception, which uses QR code-tagged PDFs to trick users into scanning the codes and thereby hands the attackers access to their accounts, even when multifactor authentication (MFA) is enabled.


Operation Scanception has not been attributed to a specific group, but it is clearly run by a professional cybercriminal operation. The attackers rely on phony emails carrying PDFs designed to look like real documents, such as pay notices, customer service announcements, service reviews, offers, employee handbooks and internal notifications.

The uniqueness and danger of this campaign lie in the fact that the attack takes place outside the corporate environment. When the recipient scans the code with a personal phone, they are redirected to fraudulent websites posing as Microsoft 365. Endpoint security software, firewalls, email gateways and the like are bypassed entirely, because nothing malicious ever executes on the corporate device.

CRIL analyzed over 600 PDFs during the campaign and found that 80% were undetected by any antivirus tool. Each QR code leads to a complex sequence of redirects, often passing through familiar, reputable sites such as Google, YouTube, Bing and Medium before landing on the fraudulent website, which masks the real destination.

When a user logs in, an Adversary-in-the-Middle (AiTM) attack records the login credentials and the MFA code in real time. The attacker can then access the account as if they were the legitimate user.

The Scanception campaign has spread to more than 50 countries, targeting key sectors such as technology, finance, healthcare and manufacturing. What is alarming is how the attackers tailor email and document content to each organization’s working environment, increasing the likelihood that users will fall into the trap.

Many people have a “just scan the QR code” reflex, especially when the document looks genuine and asks them to “scan to see the next part” or “confirm your information.” At the same time, personal phones sit largely outside the organization’s security controls, making them an attractive target.

Operation Scanception is a clear demonstration that cybercrime is evolving and that traditional security methods are no longer sufficient. Trusting logos, document formats, or even MFA codes is no longer a “safety net.”

The Scanception campaign exploits weaknesses in user perception and in conventional email filtering, tricking users into scanning QR codes embedded in PDFs. The technique is sophisticated, bypasses MFA, is difficult to detect and is spreading globally. WhiteHat experts recommend:

  • Warn users NOT to scan QR codes in PDFs or emails from unknown or unverified sources.
  • Block access to redirect URLs delivered through QR codes (of the form google.com/url?q=…).
  • Implement sandboxing or ATP for PDFs received by email.
  • Install security software on personal devices that are used for work.
  • Strengthen monitoring of unusual access activity, even for logins that passed MFA.
  • Update SIEM/EDR rules to detect PDF files containing QR codes.
  • Provide training on QR-based phishing to human resources, finance and support staff.
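As an added illustration of the second and fifth recommendations (not code from CRIL or WhiteHat), the following Python triages a URL decoded from a PDF-embedded QR code: it peels the google.com/url?q= wrapper the advisory names (the youtube.com/redirect?q= entry is an assumption added to show a second hop), then flags Microsoft 365 lookalike hosts and userinfo tricks. All sample URLs are constructed, not real indicators.

```python
from urllib.parse import urlparse, parse_qs

# Redirector endpoints on reputable sites: host -> (path, query keys that carry
# the target). google.com/url?q= is the form named above; the youtube.com entry
# is an assumption added so the chain-unwrapping is shown over two hops.
REDIRECTORS = {
    "www.google.com": ("/url", ("q", "url")),
    "google.com": ("/url", ("q", "url")),
    "www.youtube.com": ("/redirect", ("q",)),
}
# Hosts where a genuine Microsoft 365 sign-in takes place (allowlist).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Brand words that a Microsoft 365 lookalike host tends to carry.
BRAND_TOKENS = ("microsoft", "office", "o365", "m365", "outlook")


def unwrap_redirects(url, max_hops=10):
    """Peel redirector wrappers offline (no HTTP requests) and return the hops.
    hops[0] is the QR URL itself, hops[-1] is the final destination."""
    hops = [url]
    for _ in range(max_hops):
        p = urlparse(hops[-1])
        rule = REDIRECTORS.get((p.hostname or "").lower())
        if rule is None or p.path != rule[0]:
            break
        qs = parse_qs(p.query)  # parse_qs percent-decodes one encoding layer
        nxt = next((qs[k][0] for k in rule[1] if k in qs), None)
        if nxt is None:
            break
        hops.append(nxt)
    return hops


def assess_qr_url(url):
    """Classify a QR-decoded URL as 'allow' or 'block', with the reasons."""
    hops = unwrap_redirects(url)
    final = urlparse(hops[-1])
    host = (final.hostname or "").lower()
    reasons = []
    if len(hops) > 1:
        reasons.append("reaches target via %d trusted-site redirect(s)" % (len(hops) - 1))
    if "@" in final.netloc:
        reasons.append("userinfo in URL disguises the real host")
    if host not in LEGIT_LOGIN_HOSTS and any(t in host for t in BRAND_TOKENS):
        reasons.append("Microsoft-brand lookalike host: " + host)
    return {"final": hops[-1], "hops": len(hops) - 1, "reasons": reasons,
            "verdict": "block" if reasons else "allow"}
```

Feed it the string a QR decoder returns for each PDF; a "block" verdict with its reasons is what a SIEM/EDR rule or mail sandbox would raise as an alert.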

In an age of ubiquitous QR codes, personal phones are a new source of user vulnerability. Security no longer means only “guarding the door” on the computer; it must also extend into the habits of individual users.