The column – Cyber Security Week
The most precious thing we have today is not information: it is attention. And right there, in the narrow space of habit, quishing slips in: phishing that has learned to leave the screen and step out into the open air. The gesture is trivial: get out of the car, frame a QR code, pay for parking. The brain is already elsewhere (the meeting, the messages, the children, "two minutes and I'm back") and the finger simply executes. It is the exact point where the interface wins over the object.
The mechanism is simple and therefore effective: well-made stickers, carrying the logos and colors of parking services (EasyPark, MooneyGo, Tap & Park, etc.), stuck up at real parking areas. The QR code takes you to a criminal site, where you fill in everything: personal details, license plate, card number, expiry date, CVC/CVV, phone number, address. The data thus ends up on infrastructure controlled by the scammers and feeds micro-debits or future social engineering attempts (new accounts, contracts, etc.). Cases have been recorded in many Italian and European cities: no evil genius is needed; a good sticker and our distraction are enough.
My colleague Leopoldo Comparin, who like me has been fighting these phenomena for years, tells me that the situation is becoming increasingly serious. Through passive monitoring in an isolated environment, submitting fictitious data to trace the flows and map the infrastructure, he observed an international network with nodes in the Netherlands and masking hosts in the USA, using a variety of well-known criminal tactics and techniques: thirteen techniques and four tactics. The fraudulent pages relied on apparently legitimate certificates and camouflage techniques. Finally, and no less disturbing, it appears that the criminals were developing spyware to intercept SMS and banking notifications. We stop here because, following a formal complaint, the Postal Police are now investigating the matter.
Let us ask instead: why does it work? Because our attention, constantly tugged in every direction, trains us to respond immediately to any stimulus that looks familiar. Quishing uses a perfect triangle: legitimate place + recognizable logo + automatic gesture. The context vouches for the sticker; the brand vouches for the site; the gesture is an everyday one and vouches for the whole operation. All of this happens while we are paying "with the mind in the background". The result is an absent presence: the body is there, paying the fee, but the mind is already in a meeting.
This ties into the broader argument I often find myself making: we are biologically ill-equipped for the digital risk that lives "beyond the screen". We react well to what can be seen and makes noise; much less well to an almost-identical domain, to a "green" certificate, to a form that asks for "only" a CVC. Quishing brings phishing into the world we believe we have mastered (the street, the parking meter, the routine) and hands it back to us disguised as normality. And we, recognizing normality, switch off the brain.
What can we do without turning every stop into an interrogation? Recover a minimum of physical, hands-on checking with three sober gestures: do not scan QR codes printed on stickers that look "too new" or carry no official branding; open the app you already installed from the official stores and start the payment from there (or type in the known domain); treat your license plate, phone number and card as something that matters, not as details. If the QR code promises a smooth, quick ride, friction is our friend: five seconds of checking are worth more than five hours with the bank.
The rest falls to institutions and operators: clear signage, clearly visible domains, official channels that people learn the way they learn road signs, physical inspection of parking meters and quick removal of stickers. It is a fight against the scam, but it is also perceptual literacy: getting back into the habit of looking and actually seeing.
After all, the quishing trap is not the black-and-white square: it is us, in grayscale, suspended between haste and trust. If attention is a commodity, safety is the sum of all those moments that should not be for sale.




