
The National Cyber Security Centre Finland’s weekly review – 27/2023

Information security now!

This week we write about a new phenomenon in which QR codes are used for phishing. Also read about how criminals use electronic SIM cards for their scams.

TLP:CLEAR

Topics covered in this week’s review

  • QR codes are used more often in phishing
  • Electronic SIM provides criminals with a new mode of attack

QR codes are used more often in phishing

‘Quishing’ is phishing carried out using a QR code. The victim is lured into scanning a QR code with their smartphone or tablet. QR codes are easy to open on these devices because their built-in cameras are made to recognise QR codes.

Criminals can create an authentic-looking QR code and use it to advertise special offers or prompt the user to accept an urgent information security update. Criminals distribute the QR codes via email, social media, and even physical flyers and stickers. The ‘quishing’ messages aim to create a feeling of urgency just like other phishing messages, but they lack the familiar links and attachments.

We have published an extensive article explaining what can happen if you have scanned a harmful QR code, and what you should do after scanning the code.

The original article was published on 6 July 2023 in Finnish.

An example image of a phishing message with an attached QR code. The National Cyber Security Centre Finland has edited the image.

Electronic SIM provides criminals with a new mode of attack

‘SIM swapping’ has been an international topic of conversation for some time already. The scam usually starts with a phishing message, which may come through any application or communication channel. The aim is to obtain the victim’s personal information, which can then be used by the criminal to request the operator to transfer the subscription to another SIM card.

Once the criminal has control of the victim’s mobile subscription, any messages and calls to the subscription are forwarded to the criminal’s phone. This way, the criminal can accept two-factor authentication or change passwords, for example, as the confirmation messages and phone calls come directly to the criminal. In addition to gaining access to accounts, the criminal can take out instant loans or shop online while using the victim’s identity, which may cause significant financial damage to the victim.

Misuse of the eSIM is a separate problem. An online criminal can activate a victim’s mobile subscription by registering it on an eSIM in a device the criminal controls. To activate an eSIM, the user must request a QR code by email and scan it with the device in which the subscription is to be activated. If the criminal knows the victim’s phone number and has access to their email or the required QR code, they can hijack the subscription and use it themselves.

Read more about SIM card scams (in Finnish)

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 30 June–6 July 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.