Think Before You Scan: The Rise of QR Codes in Phishing

QR Codes, the square images that contain coded information that can be scanned by a smartphone, are becoming increasingly popular. With the number of smartphone users reaching 6.92 billion this year, access to the information within these ingenious images is within reach by around 86% of the world’s population. Since most, if not all, of the smartphones today feature QR scanners and for those that don’t come so equipped, free apps can be downloaded to add this functionality.

Quick-Response, a.k.a. QR codes, developed by Denso Wave, were initially used by the automotive industry in the 1990s for their production lines. Since Denso Wave made the source code for this system available publicly in 1994, its popularity rapidly increased. In the year 2000, it was approved by the International Organization for Standardization (ISO) as one of its international standards.

Being open-source, QR code generators have become accessible to anyone with access to the Internet. The increased availability and flexibility of QR codes makes them the perfect tools for cybercriminals to further disguise their malicious links and evade anti-spam filters.

Using images for malicious purposes is not new. Threat actors have been embedding images in phishing emails that contain malicious code. These images are representations of legitimate messages disguised as whole-body content.

Figure 1: Sample messages with embedded images disguised as whole-body content.

Although these image messages appear visually like other phishing messages, the HTML source code underneath is much shorter. This makes it more challenging to detect via conventional filters that heavily rely on message content for blocking as there are fewer red flags present, leaving only the malicious URL visible for detection.

Figure 2: Sample source code SharePoint sample in Figure 1 which shows the embedded image enclosed in an anchor tag.

Threat actors are taking image phishing to the next level by leveraging QR codes, a.k.a. ‘Qishing’, to hide their malicious URLs. The samples we have observed using this technique are primarily disguised as Multifactor Authentication (MFA) notifications, which lure their victims into scanning the QR code with their mobile phones to gain access. However, instead of going to the target’s desired location, the QR code leads them to the threat actor’s phishing page.

 Figure 3: Sample messages with embedded images with QR code disguised as whole-body content.

Figure 4: Sample source code of image phish that uses QR code which shows the embedded image that is no longer enclosed in an anchor tag.

 Some samples go even further by targeting specific organizations with personalized templates. These contain the victim organization’s logo making it look more legitimate, as below:

Figure 5: Phishing QR Code message with the victim organization logo inserted for realism.

The QR code in this sample contains the following URL [Fig 6] that leverages a Bing.com search result link to evade URL filters. The victim email address can be found at the end of the URL as a base64 encoded string.

Figure 6: Bing.com URL from the phishing QR code.

To verify the abuse of Bing, we made a test search using ‘Trustwave’ as keyword via the search engine, which generated the result below [Fig. 7]. It can be immediately seen from boxed parts of this screen capture that the link provided from this search result is similar to the format we have in Figure 6. Although the threat actors could have done it this way, it is also possible that Bing’s API is used to automatically generate the link used in this phishing attack [Fig. 6].

Figure 7: Screen capture of a test search result for Trustwave from Bing.com.

Figure 8: Full URL taken from the test in Figure 7.

 The Bing URL [Fig 6] then redirects to another URL. Interestingly, this URL had a one-year registration [Fig 9], a common characteristic of domains used by threat actors, to pass the victim’s email address to the next URL.

 Figure 9: Registration information of isirumah[.]info queried from whois.com.

This URL contains the following obfuscated JavaScript code [Fig. 10] which handles the redirection from Bing and tries to capture the last part of the URL [Fig. 6] after the number (#) sign, then passes it to an atob() function converting the base64 string into its text format which is the victim’s email address.

Figure 10: Obfuscated JavaScript code designed to handle bing.com redirections.

The email address is then concatenated to the readable URL strings from the code forming the URL below [Fig. 11]. From this URL we can also see another evasion technique called ‘typosquatting’ which misspelled microsoftonline to rnicrosoftonline which can easily look legitimate for unsuspecting users.

Figure 11: Generated URL from Figure 10.

  This URL is the final redirection as shown below [Fig 12] which mimics the legitimate Single Sign-On (SSO) page of its target company by using specific background image and logo used by the same.

Figure 12: Phishing SSO page that uses organization specific background image and logo.

Finally, signing in through this fake SSO form will send the victim’s email address and password to the threat actors via the URL below.

Placing Malicious QR Codes in PDFs

Another trend is the use of PDF attachments to hide malicious QR codes. In the email sample below, we can see that it no longer has body content, but instead lures its victim into opening the attached PDF file which contains the malicious QR code. Technically, a PDF attachment is nothing new, but this added layer may further increase the email’s evasiveness against anti-spam filters.

Figure 12: Sample message with PDF attachment containing the phishing image.

The PDF, as shown below, instructs its victim to scan the QR code using their mobile phone to set up MFA for their account.

Figure 13: Sample pdf file containing the phishing image with QR code.

The QR code contains a shortened URL under qr[.]codes which then redirects to another URL that hosts the modified Microsoft SSO page under lockvvoodgroup[.]com domain. This appears to be another domain crafted by the threat actors based on its short registration period.

Figure 14: Registration information of lockvvoodgroud[.]com queried from whois.com.

Figure 15: Phishing SSO page that mimics Microsoft SSO.

 Here is another example of social engineering and the use of QR codes in a phishing email. The email lures its victim into accessing the attached HTML file and scanning the QR code within to update their email account.

Figure 16: Mail sample with HTML attachment.

The attached HTML file will display this QR code for the victim to scan, leading to a phishing page.

Figure 17: HTML file displaying an API generated QR code.

Based on the source code [Fig. 18] of the HTML attachment [Fig. 17], the QR code was generated in real-time using an API under the domain qrserver.com which is the API tool of goqr.me.

Figure 18: Source code of the HTML file in Fig. 17.

From goqr, a QR code generating website [Fig. 19], we can see a sample implementation of their API which is the same as the src on the HTML source code [Fig. 18] above.

Figure 19: Free QR code generator used to generate the phishing QR code.

Scanning the generated QR code from Figure 17 will resolve to the following URL which acts as a redirector to the actual phishing page.

The final URL that hosts the phishing page [Fig. 20] mimics a Hotmail login prompting the victim to enter their password. The structure of the final URL shows it is an IPFS domain similar to the phishing campaigns we mentioned in our previous blog.

Figure 20: Phishing page pretending to be a Hotmail login form.

The victim’s user credentials are then passed to the link below once the victim clicks the sign in button. This in turn sends their login information to the hands of the threat actors.

To sum up, the use of QR codes in phishing has seen an increase in popularity recently. Added to that, threat actors are using a more targeted approach with these attacks by adding logos and themes to their templates.

The abuse of Bing search result links is also added to the mix as an additional evasion technique, and PDF attachments are also used to hide the QR codes making them less obvious. Publicly available APIs also can be used to generate phishing QR codes on the fly. These techniques come together to lure unsuspecting victims into scanning the phishing QR code with their mobile phone which may bypass corporate security mechanisms and could pose a serious security threat for organizations.

Raising awareness is key to protecting ourselves from these threats. Organizations should advocate training staff members to be more vigilant when inspecting unexpected emails, in addition to applying strong security measures to protect their network. Trustwave MailMarshal can protect against these types of campaigns by examining many traits when identifying phishing emails. The absence of a visible URL, while significant, is only a part of those traits MailMarshal uses to pin down email born threats.

 References:

• https://www.qrcode.com/en/history/
• https://www.bankmycell.com/blog/how-many-phones-are-in-the-world

 URL IOCs: