Like a college a cappella group with hundreds of fliers to scatter around campus, fraudsters are placing malicious QR codes everywhere—now, reportedly, even in presentation software and parking meters.

The evasive tactic, which relies on the checkered image common to menus and boarding passes alike, targets users’ more personal and less protected devices.

“You’re highly unlikely to use your PC to access that website through the QR code. So, you will use your mobile device, which essentially allows for that attack to be moved from a PC, which is usually a lot more protected and has a lot more guardrails provided by an organization,” Olesia Klevchuk, director of product marketing at security vendor Barracuda, told IT Brew, adding that volumes of QR-style attacks are “still pretty small overall, but they are on the rise.”

QR here. Barracuda’s June 2024 threat report found that 1 in 20 inboxes faced QR-code attacks in the last quarter of 2023. According to Klevchuk, Barracuda detected 740 QR-code phishing instances in June, and 1,100 per day in August. (Barracuda sees around 1 million email attacks per day, Klevchuk said.)

Read the rest here.—BH

Yep. Pretty much everyone is saying it, actually. AI think pieces, strategies, and insights are almost everywhere. So where can we cut through the noise and get to the relevant stuff?

At Amazon Web Services’ (AWS) upcoming event centering on AI. Join Forrester and top software providers to learn how AI is transforming operations. Discover implementation strategies, ROI analysis, and performance-boosting tools for the C-suite.

Learn from industry leaders on how to implement AI strategically, measure its impact, and position your business for long-term success.

All you’ve gotta do is register here.

Link shorteners, IP geolocation utilities, and CAPTCHAs are among a few of the latest tools within the threat actor “playbook” for amplifying malicious campaigns.

Digital analytic and advertising tools are no longer limited to professionals in their respective industries. In a recent blog post, researchers from Mandiant and Google Cloud claimed that bad actors are weaponizing these innovative tools to add malicious data analytics—dubbed “malnalytics”—capabilities to their campaigns to expand their reach and evade detection by security tools.

Gone phishing. The researchers wrote that threat actors are using link-shortening services for purposes beyond beautifying a long link. Instead, attackers are using link shorteners to conceal the URL of malicious landing pages and redirect victims during the initial access phase of an attack chain. In one example provided, cyber espionage group MuddyWater used link shorteners to guide users to a phishing lure document hosted on a cloud storage provider in 2022.

DomainTools Product Marketing Manager Malachi Walker told IT Brew that he saw the tactic used throughout an Arc web browser launch campaign.

“I found a couple of them that are either spelled ‘ark windows’ or ‘aru windows,’ where it’s very close and if they have the right picture…[and] the right URL masked over it, you might not even notice it,” Walker said.

Read more here.—BM

It’s 10 pm. Do you know where your children’s identities are?

Identity protection is a priority for everyone, and children are as exposed as anyone—maybe even more. Obtaining childrens’ Social Security numbers (SSNs) is the main way that attackers can obtain their identities, which they then use to open credit cards and manipulate finances.

Stuart Vaeth, SVP of strategic business development at identity management company Trua, told IT Brew that the age gap between children acquiring an SSN and coming of age to use it is a major reason that ID numbers are stolen. They’re right there for the taking.

“It’s well understood by thieves and everybody that children don’t use their SSNs until they’re 18—they get a credit card and they start to use their SSN for applying,” Vaeth said. “So, those SSNs are right to be stolen and used without any detection.”

Keep reading here.—EH

Meet your org’s writing assistant. From crafting first drafts to perfecting mission-critical comms, Grammarly maximizes communication efficiency across your org without compromising security or privacy. Grammarly provides AI-powered support across 500,000+ apps and websites, backed by the highest compliance standards. And it’s implemented org-wide in just one day. Check it out.