
What makes this attack especially dangerous is its low visibility: people place innate trust in QR codes, scanning one takes a second, and unlike a link in an email a QR code cannot be read by the human eye.
Quishing exploits the one habit no firewall can fix: blind trust in convenience and normalcy.
QR codes are compact, versatile, and easy to place in the physical or digital world, which is why quishing is an increasingly favored phishing technique among both cybercriminals and state-sponsored actors.
QUISHING
Quishing is a type of scam in which attackers use QR codes to trick you into visiting fake websites or downloading harmful software. You might see these codes on posters, in emails, or on stickers placed over legitimate ones, promising free Wi-Fi, gift cards, or important updates. When you scan one with your phone, you are sent to a malicious site that can steal your passwords or personal information, or infect your device. It is phishing, but instead of clicking a suspicious link, you scan a code that looks harmless.
HOW QUISHING WORKS
QR codes are machine-readable images that encode data. Most often that data is a URL, but the same format also carries Wi-Fi credentials, contact cards, and payment requests. When scanned, the phone’s camera app parses the payload and offers to act on it, usually by opening the URL in a browser. In a legitimate case the destination is a restaurant menu, a coupon, or a payment portal. In a quishing attack it is a trap that the user springs willingly.
⸻
STEP 1) QR Code Deployment
An attacker prints and places malicious QR codes in high-traffic areas: bulletin boards, cafés, hotel lobbies, conference centers. They might cover a legitimate QR code with a malicious sticker or drop cards with QR codes in random mailboxes. Digitally, they can be embedded in phishing emails, PDFs, or even shared over messaging platforms.
STEP 2) Lure Tactic
The QR code promises a reward or demands an action: “Scan for WiFi,” “Free tickets,” “COVID Test Result,” “Login for Delivery Issue,” etc. It uses urgency or curiosity to prompt action.
STEP 3) Redirection and Exploitation
• Credential Harvesting: The code redirects to a fake website that looks legitimate and prompts for login info.
• Malware Delivery: It can initiate an app download or trigger a browser exploit, especially on unpatched systems.
• Payment or Crypto Fraud: Sends the user to a page requesting payment, or tricks them into sending cryptocurrency.
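The three steps above show why the digital variant of Step 1 (a QR code embedded in an email or PDF) is attractive: the message carries no clickable link for a gateway to scan, only an image plus a call to action. The following is an added example, not code from the original post: a gateway-side heuristic that flags messages with that shape so they can be quarantined for image decoding. The two sample messages are constructed here, the attached image is placeholder bytes rather than a real QR code, and the keyword list and scoring rule are hypothetical; actually decoding the QR out of the image is assumed to be done by a separate decoder that this block does not include.

```python
"""Mail-gateway heuristic for the quishing shape: a call to action carried by an image, not a link."""
import re
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Hypothetical lure vocabulary; a real gateway would tune this from its own samples.
LURE_WORDS = ("scan", "qr", "verify", "mfa", "authenticat", "expire", "update your", "password")
LINK_RE = re.compile(r"https?://\S+", re.I)
ANCHOR_RE = re.compile(r"<a\s[^>]*href=", re.I)


def _text_of(msg) -> str:
    """Concatenate every text/plain and text/html body part, decoded."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def _qr_carriers(msg) -> list:
    """Parts that could hold a QR image: pictures and PDFs (decoding them is the decoder's job)."""
    return [p for p in msg.walk()
            if p.get_content_maintype() == "image" or p.get_content_type() == "application/pdf"]


def score_message(raw: str) -> dict:
    msg = message_from_string(raw)
    text = _text_of(msg)
    carriers = _qr_carriers(msg)
    links = len(LINK_RE.findall(text)) + len(ANCHOR_RE.findall(text))
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in LURE_WORDS if w in haystack]
    reasons = []
    if carriers and links == 0:
        reasons.append("image-only-call-to-action")      # nothing for a link scanner to see
    if carriers and len(hits) >= 2:
        reasons.append("lure-wording:" + ",".join(hits))
    return {"carriers": len(carriers), "links": links, "reasons": reasons,
            "verdict": "quarantine-for-qr-decode" if reasons else "pass"}


def _build(subject: str, body: str, subtype: str, with_image: bool) -> str:
    """Assemble a constructed sample message as a raw RFC 5322 string."""
    msg = MIMEMultipart("mixed")
    msg["Subject"] = subject
    msg["From"] = "IT Service Desk <helpdesk@example-bank.com>"   # constructed sender
    msg.attach(MIMEText(body, subtype))
    if with_image:
        img = MIMEBase("image", "png")
        img.set_payload(b"placeholder bytes standing in for a QR image")  # not a real PNG
        encoders.encode_base64(img)
        img.add_header("Content-Disposition", "attachment", filename="qr.png")
        msg.attach(img)
    return msg.as_string()


# Constructed samples: one quishing lure, one ordinary newsletter that also carries an image.
SAMPLES = {
    "lure": _build("Action required: MFA re-enrollment",
                   "Your MFA token expires today. Scan the QR code in the attached image to re-enroll.",
                   "plain", True),
    "digest": _build("Weekly digest",
                     '<p>This week: <a href="https://news.example.com/1">read more</a></p><img src="cid:logo">',
                     "html", True),
}


def run_samples() -> dict:
    return {name: score_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

The verdict is deliberately “quarantine for decode”, not “block”: the heuristic only says the message has the shape of a lure, and the decoded QR payload is what a gateway should actually judge.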
⸻
The core of the attack is social engineering, but the delivery vector, a QR code, bypasses the instincts we have built around suspicious links.
QUISHING EFFICACY
The success of quishing lies in how seamlessly it blends into everyday life. People use QR codes everywhere, from menus and parking meters to payments and event check-ins, without thinking twice.
That familiarity, combined with our tendency to trust technology that’s become routine, creates an ideal opening for exploitation.
Quishing works because QR codes are visual noise to the average person. You can’t see what’s behind a QR code without scanning it. That removes the ability to “hover and verify” like you would with a URL in an email.
• Trust Bias: People associate QR codes with convenience and legitimate services.
• Physical Placement: A malicious QR code in a real-world location creates a false sense of authenticity.
• Cross-Platform Reach: QR codes work on any smartphone, and phones are often the weakest endpoint: outdated OS builds, sideloaded or poorly vetted apps, small screens that truncate URLs, and little of the monitoring a managed desktop gets.
• Bypasses Traditional Filters: the URL is embedded in image pixels rather than in text, so email filters and link scanners that do not decode images never see the destination and cannot flag or block it.
• Human Curiosity and Impulse: The quick, no-effort action of scanning a QR code often bypasses our usual caution, especially when there’s a reward or sense of urgency involved.
• Lack of URL Awareness: Even if the QR scanner previews the link, most people don’t scrutinize URLs carefully enough to catch subtle differences in spoofed websites.
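The list above says what people fail to check when a scanner previews a payload. The following is an added example, not code from the original post, of doing that check mechanically: a triage routine for decoded QR payloads that classifies the payload type (URL, Wi-Fi configuration, cryptocurrency payment URI, other) and flags the indicators behind the lures described on this page: non-HTTPS, userinfo tricks, IP-literal and punycode hosts, URL shorteners, typo-squats or brand-prefixed look-alikes of an expected domain, direct binary downloads, open Wi-Fi networks, and a payment address that differs from the one the user intended. The expected domains, the expected wallet address, the shortener list and the sample payloads are all constructed for the example; the look-alike folding and edit-distance threshold are hypothetical heuristics, not a standard.

```python
"""Triage a decoded QR payload before the phone acts on it (hypothetical helper)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed for this example: domains the lure is expected to belong to, and the
# wallet address the user actually meant to pay. A deployment loads these from policy.
EXPECTED_DOMAINS = ("example-hotel.com", "example-bank.com")
EXPECTED_WALLET = "bc1qintendedrecipient0000000000000000000"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}


@dataclass
class Triage:
    kind: str                       # url | wifi | crypto | other
    target: str                     # host, SSID, or address the payload points at
    flags: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.flags)


def _normalise(label: str) -> str:
    """Fold look-alike substitutions (0/o, 1/l, 3/e, vv/w, rn/m); applied to both sides."""
    return label.lower().translate(str.maketrans("013", "ole")).replace("vv", "w").replace("rn", "m")


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _brand_lookalike(host: str):
    """Return the expected domain this host imitates, or None if genuine or unrelated."""
    if host in EXPECTED_DOMAINS or any(host.endswith("." + d) for d in EXPECTED_DOMAINS):
        return None                                   # exact match or a real subdomain
    host_n = _normalise(host)
    registrable = ".".join(host_n.split(".")[-2:])    # crude: last two labels
    for good in EXPECTED_DOMAINS:
        good_n = _normalise(good)
        if _levenshtein(registrable, good_n) <= 2 or good_n in host_n:
            return good                               # typo-squat, or brand used as a prefix
    return None


def _triage_url(raw: str) -> Triage:
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append(f"scheme:{parts.scheme}")
    if parts.username is not None:                    # https://brand.com@attacker.example/
        flags.append("userinfo-in-url")
    if host:
        try:
            ip_address(host)
            flags.append("ip-literal-host")
        except ValueError:
            pass
        if any(lbl.startswith("xn--") for lbl in host.split(".")):
            flags.append("punycode-host")             # IDN: may render as a confusable name
        if host in SHORTENERS:
            flags.append("url-shortener")             # destination hidden behind a redirect
        brand = _brand_lookalike(host)
        if brand:
            flags.append(f"lookalike-of:{brand}")
    if parts.path.lower().endswith((".apk", ".ipa", ".exe")):
        flags.append("direct-binary-download")
    return Triage("url", host, flags)


def _triage_wifi(raw: str) -> Triage:
    """WIFI:T:<auth>;S:<ssid>;P:<pass>;;  (backslash-escaped ';' inside values not handled)."""
    fields = dict(item.split(":", 1) for item in raw[5:].split(";") if ":" in item)
    flags = ["open-network"] if fields.get("T", "nopass").lower() in ("", "nopass") else []
    return Triage("wifi", fields.get("S", ""), flags)


def _triage_crypto(raw: str) -> Triage:
    parts = urlsplit(raw)                             # bitcoin:<address>?amount=...
    flags = [] if parts.path == EXPECTED_WALLET else ["address-mismatch"]
    return Triage("crypto", parts.path, flags)


def triage(payload: str) -> Triage:
    p = payload.strip()
    if p.upper().startswith("WIFI:"):
        return _triage_wifi(p)
    scheme = urlsplit(p).scheme
    if scheme in ("bitcoin", "ethereum", "litecoin"):
        return _triage_crypto(p)
    if scheme in ("http", "https"):
        return _triage_url(p)
    return Triage("other", p[:40], ["unhandled-payload-type"])   # tel:, sms:, intent:, raw text


# Constructed payloads mirroring the lures described on this page.
SAMPLE_PAYLOADS = {
    "menu": "https://menu.example-hotel.com/table/12",
    "wifi_sign": "WIFI:T:nopass;S:Hotel_Secure_WiFi;;",
    "parking": "http://parkpay-verify.example/pay?meter=1187",
    "bank_typo": "https://examp1e-bank.com/login",
    "brand_prefix": "https://example-bank.com.account-check.example/",
    "userinfo": "https://example-bank.com@attacker.example/auth",
    "wallet": "bitcoin:bc1qattackercontrolled00000000000000000?amount=0.5",
}


def run_triage() -> dict:
    return {name: triage(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, result in run_triage().items():
        print(f"{name:13} {result.kind:6} {'RISKY' if result.risky else 'ok':5} {result.flags}")
```

Only the hotel menu comes back clean; everything else carries at least one flag a human would have skipped past on a phone screen. The routine never opens the URL or joins the network, which is the point: the decision happens before the payload is acted on.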
⸻
In covert operations, especially when traveling or working in denied areas, QR codes are an ideal vector for targeted attacks: you are mobile, often cut off from secure networks, and reliant on public infrastructure. That is when adversaries strike.
QUISHING EXAMPLES
Compromised Hotel Lobby Signs
A known case involved operatives being lured into scanning a QR code on a hotel reception sign advertising “Secure WiFi.” The code redirected to a captive portal mimicking the hotel’s legitimate network but actually logged credentials and pushed spyware.
Targeted Conference Lures
At security conferences, threat actors have used branded conference QR codes to direct users to clone sites of legitimate vendors or services, harvesting logins for further intrusion.
Mail-based Attacks
Intelligence officers in allied nations have received QR-embedded documents claiming to come from embassy partners, purportedly for updates or contact syncs, that actually triggered location tracking or malware installs.
Parking Meter Spoofing
In several major cities, threat actors have placed QR code stickers on parking meters, directing users to fake payment portals. Operatives using local rentals or undercover vehicles unknowingly entered payment credentials into these clones, leading to credit card theft and possible traceability of movements.
Tampered Restaurant Menus Abroad
During a diplomatic mission, an operative scanned a QR code for a restaurant menu in a high-threat region. The code launched a malicious app disguised as a local food delivery service, which installed a surveillance tool designed to access SMS and location data.
NGO Field Worker Breach
A front organization working under an NGO cover received a shipment of relief supplies. Inside the box was a “customs verification” sheet with a QR code. An analyst scanned it, triggering a download that exploited an Android zero-day, granting remote access to the device camera and mic. The breach wasn’t discovered for weeks.
⸻
Each of these examples demonstrates how quishing operates across physical and digital environments, exploiting human behavior and operational pressure. Whether it’s a subtle attack on a field asset or a widespread tactic targeting event attendees, the threat is real—and persistent.
DEFENSE AGAINST QUISHING
CONFIRMED QUISHING ATTACKS
Texas Parking Meter Scam (2022)
In Austin, San Antonio, and Houston, attackers placed fraudulent QR code stickers on public parking meters. These codes redirected drivers to spoofed payment websites that stole credit card information. City officials later confirmed that municipal parking meters did not use QR codes at all, highlighting how easy it was to exploit public trust in everyday systems.
FBI Warning on QR Code Scams (2022)
The FBI issued a public advisory after reports surged about malicious QR codes being used in phishing campaigns. Victims received emails or physical mailers with QR codes directing them to fake banking or authentication websites. Some of these codes even initiated cryptocurrency thefts by rerouting payments or stealing wallet credentials.
German Energy Company Attack (2023)
A European energy firm fell victim when employees received QR codes on printed invoices that appeared to be from internal departments. Scanning the code led to a login page mimicking the company’s internal portal. Multiple staff members entered credentials, giving attackers access to sensitive SCADA-related communications.
Chinese Restaurant Menu Exploit (2021)
In several cities across the U.S., attackers placed fake QR code stickers on tables in Chinese restaurants. The codes linked to fraudulent websites that requested credit card details for payment “verification” before viewing the menu. Hundreds of customers unknowingly submitted financial information, leading to identity theft and financial fraud.
Cryptocurrency Wallet Theft via QR Codes (2025)
Cybercriminals targeted users on crypto forums and Discord groups by sharing QR codes that claimed to simplify wallet address input for transactions. Scanning the codes replaced the user’s intended wallet address with the attacker’s, redirecting funds. In some cases, malicious links also prompted wallet key backups to be uploaded, leading to full asset compromise.
⸻
Each of these incidents demonstrates how QR codes, while convenient, can be turned into a high-risk vector when paired with social engineering. Quishing does not rely on advanced technology; it relies on people not paying attention.
Quishing is a relatively new attack vector with real consequences. In covert operations, the physical world and the cyber world are deeply intertwined, and QR codes sit exactly at that overlap. They are silent, cheap, easy to deploy, and hard to trace. That makes them attractive tools for adversaries with time and a specific target.
// Operational security isn’t just digital. A paper sticker can do more damage than a zero-day exploit.