Phishing Emails Abusing QR Codes Surge | Intel 471

Oct 31, 2023

Quick response (QR) code phishing is not a new technique, but email phishing campaigns abusing this technology surged in the second quarter of 2023. The reason appears to be the usual motivation for the modification of tactics, techniques and procedures (TTPs) on the part of cybercriminals: improving return on investment. With email spam and phishing campaigns, attackers want to increase the number of victims that interact with their malicious messages. Testing old techniques to rejuvenate new attacks is not uncommon. Security technologies may miss QR codes, and users — who became more accustomed to using QR codes during the pandemic — may be more receptive to using their phone to scan them. Thus, QR codes that are encoded to lead to phishing websites are yet another way to attempt to collect a user’s login credentials or lead them to malware.

QR codes are advantageous to attackers. First, malicious links plainly pasted into emails are easily detected by security software. QR codes that lead to a malicious website add a layer of abstraction. Email security provider Proofpoint recently wrote that this renders some security scans ineffective. Proofpoint works around this obfuscation by using optical character recognition (OCR) to extract the link from the QR code and then conduct the regular reputation and blocklist checks. But OCR is resource intensive and difficult to scale, so not all security technologies may do this. Other techniques used to bypass security technologies include embedding QR codes in images, within attachments such as portable document format (PDF) files and encoding legitimate network infrastructure in the QR code. Some phishing-as-a-service (PhaaS) kits have incorporated the ability to dynamically generate QR codes and insert them into phishing messages, which helps automate processes for threat actors interested in using the codes.

To trick people into interacting with QR codes, threat actors may try to impart a sense of urgency to victims. Also, QR code phishing may employ the logos of legitimate services to add a veneer of legitimacy. The second advantage is that QR codes are usually scanned by a person’s mobile device. Depending on the organization, that device may be a personal one that runs outside the organization’s security boundaries, making the organization lose visibility into a person visiting a phishing link. This post will explore some of our observations around QR code phishing and discuss mitigation strategies.

Phishing Campaign Harvesting Microsoft Login Credentials

In August 2023, open source reporting described a major email phishing campaign that attempted to lure users into updating their Microsoft 365 accounts by scanning a QR code. Victims who scanned the code were redirected to a phishing page designed to harvest login credentials. The initial attacks were spotted in May 2023. We analyzed some of the phishing emails associated with this campaign and observed the operator or operators apparently executed account takeover (ATO) attacks to start a chain reaction where a compromised email account was used to send further phishing emails. This typically is done to increase the reliability of the attack and bypass email security technologies since the emails originate from a trusted source.

A practical example was observed from a phishing email sent June 5, 2023, to an employee of a Spain-based energy producer. The email originated from a legitimate contact from a peer-to-peer (P2P) lending platform. The phishing email attempted to create a sense of urgency to push the victim to update the security of their email account, a process that would start by scanning a QR code.

This image depicts the phishing email where the entire visible message consisted of a single image imploring the victim to scan a QR code.

The entire email body consisted of a single image incorporating the message and QR code. This was an attempt to bypass email security technologies that rely on text-based detection or do not have the capability to scan the QR code. Further research into the phishing message allowed us to discover the QR code payload consisted of a legitimate Bing URL rather than a typical malicious link. However, the Bing URL was just the first stop in a chain of four redirects that lead to a Microsoft Office 365 phishing page as illustrated in the image below.

This image depicts the network infrastructure used to redirect victims to a Microsoft Office 365 phishing page during the QR code phishing campaign.
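One way a mail filter can flag the single-image layout described above, as an added example that is not from the original report: it parses a raw message with Python's standard library and reports bodies that render an image but almost no text. The 40-character threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

class BodyScan(HTMLParser):
    """Collects visible text and counts <img> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.images, self.hidden = [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in ("style", "script"):
            self.hidden += 1
    def handle_endtag(self, tag):
        if tag in ("style", "script") and self.hidden:
            self.hidden -= 1
    def handle_data(self, data):
        if not self.hidden:
            self.text.append(data)

def image_only_body(raw_bytes, max_text_chars=40):
    """True when the body renders at least one image and almost no text."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    visible, images = [], 0
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            continue  # attachments are not part of the rendered body
        ctype = part.get_content_type()
        if ctype == "text/html":
            scan = BodyScan()
            scan.feed(part.get_content())
            visible += scan.text
            images += scan.images
        elif ctype == "text/plain":
            visible.append(part.get_content())
        elif part.get_content_maintype() == "image":
            images += 1
    text = "".join("".join(visible).split())  # drop all whitespace before measuring
    return images > 0 and len(text) <= max_text_chars

def build_sample(html, inline_image=True):
    """Constructed test message: an HTML body plus an optional inline image part."""
    msg = EmailMessage()
    msg.set_content(html, subtype="html")
    if inline_image:
        msg.add_related(b"constructed-image-bytes", maintype="image", subtype="png", cid="<qr>")
    return msg.as_bytes()
```

A hit is a reason to route the image to a QR decoder and URL reputation check, not a verdict on its own, since legitimate newsletters also ship image-heavy bodies.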

Analysis of the “483” command and control (C2) server revealed this infrastructure was used for about one year for malicious purposes and led us to identify hundreds of stolen login credentials impacting about 55 unique victim organizations. The victim organizations were part of multiple industries such as aviation, retail, telecommunications, engineering, power, oil, hospitality, industrial automation, real estate and professional services and primarily operated in Canada, the U.K. and the U.S. We also identified similar network infrastructure that had overlapping characteristics with the 483 host, all hosted at a virtual private server (VPS) provider. The C2 server observed in this campaign included a text string that was apparently a reference to the kit’s developer or operator. However, a thorough analysis of the phishing pages and C2 server revealed different phishing kits that were broadly copied and modified in the underground by at least five other threat actors.

QR Code Login Jacking Attacks

A new twist on QR code phishing came in July 2023 from Kuba Gretzky with a toolkit called EvilQR. Gretzky is a security researcher who developed Evilginx, a reverse proxy used in conjunction with phishing to snatch session cookies. EvilQR executes a so-called QR code login jacking (QRLJacking) attack on services that allow sign-in via a QR code. Many services such as WhatsApp, Discord, TikTok and more offer this form of sign-in. The QR code is a dynamically generated session token, which — if authorized by a person’s mobile phone — is then paired with the user’s account. EvilQR grabs these QR codes from a service’s site using a browser extension and then immediately pipes them to a phishing site. If a victim scans the code, the attacker gets immediate access to the account.

The image below is a frame collected from a demonstration proof-of-concept (PoC) video Gretzky released to illustrate how the new tool works. At the site on the left, a browser extension used by the attacker will dynamically collect the sign-in QR code and upload it to the phishing page at the right side. If the victim already is logged in to the target platform and scans the QR code, a dynamically generated session token is created, authorizing the actor to take over the session.

This image depicts the EvilQR browser extension and the attacker’s browser (left) and the phishing page delivered to the victim (right) to conduct QRLJacking attacks.

Adversary-in-the-middle (AITM) attacks are a mainstay of the underground and enable threat actors to bypass the ever-increasing implementation of multifactor authentication (MFA). With the uptick in QR phishing, the tactics illustrated by Evilginx likely will become more commonplace unless effective mitigation measures are widely adopted.

PhaaS Provider Discusses QR Code Login Jacking

On Feb. 9, 2023, the actor PR0PH3CY* (*threat actor names have been changed to fictitious ones), a well-known PhaaS provider, shared insights on a similar but less dynamic QRLJacking method in phishing landing pages. The actor’s method consisted of intercepting a QR code via a phishing panel with interactive capabilities to manipulate victims. This was achieved via a graphic interchange format (GIF) image to trick victims into thinking it was the original QR code. The actor then would receive a notification of a new victim on Telegram, modify the original QR code image by adding information the victim could not identify directly such as Base64-encoded information and update the phishing page with the new QR code. Despite the actor’s knowledge of QRLJacking, PR0PH3CY’s PhaaS did not include any updates to support QR codes at the time of this report. Although the actor showed no signs of implementing this functionality, PR0PH3CY likely will be forced to update the offering to include support for QR codes in the future to avoid losing users to other PhaaS programs that do provide the capability.

Assessment

Our insights from the underground corroborated open source reports about an increase in social-engineering attacks abusing QR codes, especially with techniques involving phishing emails designed to harvest login credentials. At least one PhaaS provider updated the product following customer demands, and the widely used Evilginx framework released a new tool designed to automate QRLJacking attacks. A relevant group of threat actors engaged in phishing attacks continues to test phishing themes and methods to bypass security technologies and guarantee the phishing emails will reach the inbox of targeted individuals.

We acknowledge the topic still is trending in the underground, and threat actors likely will persist in identifying effective methods to successfully execute their attacks. Therefore, it is essential to know the main adversaries and their capabilities to improve defensive strategies. One of the main concerns with QR code phishing is the fact that lured employees use a mobile device to scan the QR code, leading them outside of corporate protections, which represents a higher risk.

QR codes are vulnerable by design, since no authentication method was created to validate the type of information encoded in them. In 2017, researchers from the University of Oslo introduced the Quick Response Code Secure (QRCS) concept — a server-client architecture that relies on digital signatures to provide integrity and authenticity to QR codes. While no mainstream solution was designed for such validation, it is necessary to take some precautions, and a solution such as the one introduced in 2017 likely will be required to combat QR phishing attacks on a large scale.

Recommendations

Despite the implementation of QR codes in phishing campaigns, this attack method still requires victims to interact or disclose information for a compromise to take place. Therefore, awareness is a vital factor in defending against phishing campaigns. Organizations are encouraged to:

  • Avoid providing further information if the information retrieved from a QR code is not human readable, such as in Base64 format. Inform employees they should not interact with such QR codes.

  • Verify if your mobile device provides information about the domain that will be opened when accessing a QR code.

  • Review email security technologies. Identify available technology capable of detecting QR codes carrying malicious information such as phishing URLs, malicious QR codes embedded in PDF files and malicious QR codes delivered as a single image in an email body.

  • Train employees to identify the nuances of phishing emails using QR codes as a theme. Highlight how QR codes work, identification of QR code payloads and the risk of blindly trusting QR codes with logos, providing examples such as those in this report.

  • Educate employees on the risks of accessing websites outside corporate boundaries, as QR codes trick users into scanning them with a mobile device.

  • Use mobile device management (MDM) technologies to monitor malicious activity on mobile devices.

  • Track long-term phishing campaigns. Defenders can review logs from email security technologies to identify and track the reuse of phishing themes and monitor for new campaigns.

  • Recommend users notify the information technology (IT) support team of concerns or questions.
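An added triage example (not Intel 471's code) for a QR payload that a scanner has already decoded: it reports the domain that would open, flags payloads that are not human readable, and lists other hosts hidden in query parameters, the pattern seen when a legitimate URL is only the first hop of a redirect chain. All sample payloads and domains are constructed, and the Base64 check is a heuristic.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Heuristic: a long run of Base64 / URL-safe Base64 characters with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def decode_b64_text(value):
    """Return the decoded string if value is Base64 of printable UTF-8, else None."""
    if not B64_RE.match(value):
        return None
    body = value.rstrip("=")
    try:
        text = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def http_host(candidate):
    """Return the hostname of an http(s) URL, or None for anything else."""
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

def triage_qr_payload(payload):
    """Classify a decoded QR payload and list hosts hidden in its query string."""
    payload = payload.strip()
    host = http_host(payload)
    if host is None:
        kind = "opaque" if B64_RE.match(payload) else "text"
        return {"kind": kind, "host": None, "redirect_hosts": []}
    hidden = []
    for _, value in parse_qsl(urlsplit(payload).query, keep_blank_values=True):
        # A parameter may carry the next hop in clear text or Base64-encoded.
        for candidate in (value, decode_b64_text(value) or ""):
            inner = http_host(candidate)
            if inner and inner != host:
                hidden.append(inner)
    return {"kind": "url", "host": host, "redirect_hosts": hidden}

# Constructed samples: a redirect wrapped in a query parameter, and an opaque token.
SAMPLE_REDIRECT = "https://search.example/ck?u=" + base64.urlsafe_b64encode(
    b"https://login.example.invalid/session").decode()
SAMPLE_OPAQUE = base64.b64encode(b"session=constructed-token-0001").decode()
```

A non-empty `redirect_hosts` list means reputation checks should be run on those hosts as well as on the visible `host`.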
