SpiderLabs Blog

Think Before You Scan: The Rise of QR Codes in Phishing

QR codes, the square images that encode information readable by a smartphone camera, are becoming increasingly popular. With the number of smartphone users reaching 6.92 billion this year, the information within these ingenious images is within reach of around 86% of the world’s population. Most, if not all, smartphones today ship with a QR scanner, and free apps add the functionality to those that do not.

Quick Response (QR) codes were developed by Denso Wave and first used on automotive production lines in the 1990s. Denso Wave published the specification in 1994 and chose not to exercise its patent rights, after which the format’s popularity grew rapidly. In 2000 it was adopted by the International Organization for Standardization (ISO) as an international standard.

Because the format is openly specified, QR code generators are available to anyone with Internet access. That availability and flexibility make QR codes a convenient tool for cybercriminals to further disguise their malicious links and evade anti-spam filters.

Using images for malicious purposes is not new. Threat actors have long embedded images in phishing emails: the image is a rendering of a legitimate-looking message and is used as the entire message body, so the text the victim reads never appears in the HTML.

Figure 1: Sample messages with embedded images disguised as whole-body content.

Although these image messages look like any other phishing message, the HTML source underneath is much shorter. That makes them harder to detect with conventional filters that rely heavily on message content, because there are fewer red flags: only the malicious URL in the anchor tag remains visible for detection.

Figure 2: Source code of the SharePoint sample in Figure 1, showing the embedded image enclosed in an anchor tag.

Threat actors are now taking image phishing a step further with QR codes, a technique dubbed ‘Qishing’, to hide the malicious URL altogether. The samples we have observed are primarily disguised as Multifactor Authentication (MFA) notifications that lure the victim into scanning the QR code with a mobile phone to regain access. Instead of the expected destination, the QR code leads to the threat actor’s phishing page.

Figure 3: Sample messages with embedded images containing a QR code, disguised as whole-body content.

Figure 4: Sample source code of an image phish that uses a QR code. The embedded image is no longer enclosed in an anchor tag, so no URL at all is present in the HTML.

Some samples go further and target specific organizations with personalized templates that carry the victim organization’s logo, which makes them look more legitimate, as below:

Figure 5: Phishing QR code message with the victim organization’s logo inserted for realism.

The QR code in this sample contains the following URL [Fig. 6], which leverages a Bing.com search result link to evade URL filters. The victim’s email address is appended to the end of the URL, after the number sign (#), as a base64-encoded string.

hxxps://www[.]bing[.]com/ck/a?!&&p=e9085e096df3a5beJmltdHM9MTY4MzMzMTIwMCZpZ3VpZD0yNTFiM2IyMy1lZTc3LTY0ZmYtMzNkZS0yODJiZWY3NzY1YTEmaW5zaWQ9NTE1Mw&ptn=3&hsh=3&fclid=251b3b23-ee77-64ff-33de-282bef7765a1&u=a1aHR0cHM6Ly9pc2lydW1haC5pbmZvL2Fib3V0LXVzLw&ntb#[victim email address encoded in base64] 

Figure 6: Bing.com URL from the phishing QR code.

To verify the abuse of Bing, we made a test search using ‘Trustwave’ as the keyword, which generated the result below [Fig. 7]. The boxed parts of the screen capture show that the link from this search result has the same format as the one in Figure 6. The threat actors could have obtained their link this way, but it is also possible that Bing’s API was used to generate the link in this attack [Fig. 6] automatically.

Figure 7: Screen capture of a test search result for Trustwave from Bing.com.

https://www[.]bing[.]com/ck/a?!&&p=c0952669c536841bJmltdHM9MTY5MjE0NDAwMCZpZ3VpZD0wMzkzNTc0NS04YmRlLTZhYTQtMjI2MS00NmU1OGFjMDZiMjkmaW5zaWQ9NTQ3MA&ptn=3&hsh=3&fclid=03935745-8bde-6aa4-2261-46e58ac06b29&u=a1aHR0cHM6Ly93d3cuYmluZy5jb20vYWxpbmsvbGluaz91cmw9aHR0cHMlM2ElMmYlMmZ0cnVzdHdhdmUuY29tJTJmZW4tdXMlMmZjb21wYW55JTJmY29udGFjdCZzb3VyY2U9c2VycC1sb2NhbCZoPTNPczJuNmZlcXJDdmgyQlNCd1NtdXNHMmdhWXZBeSUyZk5IVmZGYlRLRCUyYkIwJTNkJnA9bHdfZ2J0JmlnPTlGM0JENkI4QTcyNTQ4NkFCMjcxQTkzNkEyN0I4MDc4JnlwaWQ9WU44NzN4ODQ5NTEzMDUxNDE0ODIxMTU4NA&ntb=1

Figure 8: Full URL taken from the test in Figure 7.

The Bing URL [Fig. 6] then redirects to the URL below, which passes the victim’s email address on to the next stage. Interestingly, the domain had a one-year registration [Fig. 9], a common characteristic of domains set up by threat actors.

hxxps://isirumah[.]info/about-us/

Figure 9: Registration information of isirumah[.]info queried from whois.com.

This page contains the obfuscated JavaScript code shown in Fig. 10, which handles the redirection from Bing. It takes the part of the URL [Fig. 6] after the number sign (#) and passes it to the atob() function, which converts the base64 string back into plain text: the victim’s email address.

Figure 10: Obfuscated JavaScript code designed to handle bing.com redirections.

The email address is then concatenated with the readable URL strings from the code to form the URL below [Fig. 11]. The URL also shows another evasion technique, a lookalike hostname in the spirit of typosquatting: microsoftonline is misspelled as rnicrosotfonline, where ‘rn’ passes for ‘m’ at a glance, and the whole thing sits on a subdomain of powerappsportals[.]com, a legitimate Microsoft service, so unsuspecting users can easily take it for genuine.

hxxps://login-rnicrosotfonline-nserviceportal-servercommon-oauth2-v23[.]powerappsportals[.]com/common-i650f8f03-oauth2-i5759964ab99CaaBAa06867BaA409C46Ab-authorize-748308Ba49b66bcc32ccACcc6b3/?cfg=[decoded victim email address]

Figure 11: Generated URL from Figure 10.

This URL is the final redirection. As shown below [Fig. 12], the page mimics the target company’s legitimate Single Sign-On (SSO) page, using the same background image and logo as the real one.

Figure 12: Phishing SSO page that uses the organization’s own background image and logo.

Finally, signing in through this fake SSO form sends the victim’s email address and password to the threat actors via the URL below.

hxxps://bc1qx0anrq4v2aftl3eg22rfnyump7wxln2e7ld60a[.]com/api/v3/login

 

Placing Malicious QR Codes in PDFs

Another trend is to hide the malicious QR code in a PDF attachment. The email sample below has no body content at all; it simply lures the victim into opening the attached PDF file, which contains the malicious QR code. A PDF attachment is nothing new technically, but this added layer may further increase the email’s evasiveness against anti-spam filters.

Figure 12: Sample message with PDF attachment containing the phishing image.

The PDF, as shown below, instructs its victim to scan the QR code using their mobile phone to set up MFA for their account.

Figure 13: Sample PDF file containing the phishing image with QR code.

The QR code contains a shortened URL under qr[.]codes, which redirects to another URL hosting a modified Microsoft SSO page under the lockvvoodgroup[.]com domain (‘vv’ standing in for ‘w’). Judging by its short registration period, this appears to be another domain crafted by the threat actors.

Figure 14: Registration information of lockvvoodgroup[.]com queried from whois.com.

Figure 15: Phishing SSO page that mimics Microsoft SSO.

Here is another example of social engineering with QR codes in a phishing email. The email lures the victim into opening the attached HTML file and scanning the QR code within to ‘update’ their email account.

Figure 16: Mail sample with HTML attachment.

The attached HTML file displays the QR code below for the victim to scan, which leads to a phishing page.

Figure 17: HTML file displaying an API-generated QR code.

The source code of the HTML attachment [Fig. 18] shows that the QR code was not embedded as an image at all: it is generated on the fly, at the moment the victim opens the file, by an API under the qrserver.com domain, the API of the goqr.me QR code generator.

Figure 18: Source code of the HTML file in Fig. 17.

The goqr.me website [Fig. 19] documents a sample implementation of its API, and the image src in the HTML source [Fig. 18] matches it exactly.
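Both tells described in this post can be checked mechanically on an HTML body or HTML attachment before anyone scans anything: a body that is effectively one embedded image with little or no real text (Figures 1 to 4, where the QR variant additionally drops the anchor tag so the link lives only inside the picture), and an `<img>` whose src calls a public QR generator API, which hands over the URL the QR code will encode without rendering the image (Figure 18). The script below is an added example, not code from the original post or from goqr.me. The qrserver.com path and its `data` parameter follow goqr.me’s published API; the three sample documents are constructed to resemble the figures, and the 80-character text threshold is an illustrative choice.

```python
"""Triage an HTML mail body or attachment for image-only bodies and
API-generated QR codes. Added example, not from the original post.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# goqr.me renders QR codes from https://api.qrserver.com/v1/create-qr-code/?data=...
QR_API_DOMAIN = "qrserver.com"


@dataclass
class ImageRef:
    src: str
    in_anchor: bool     # False means the picture itself carries the call to action


class _Walker(HTMLParser):
    """Collect visible text length and every <img>, with its anchor context."""

    def __init__(self) -> None:
        super().__init__()
        self.text_chars = 0
        self.images: List[ImageRef] = []
        self._anchor_depth = 0
        self._skip_depth = 0        # inside <script>/<style>: not visible text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._anchor_depth += 1
        elif tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "img":
            self.images.append(ImageRef(a.get("src") or "", self._anchor_depth > 0))

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor_depth:
            self._anchor_depth -= 1
        elif tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.text_chars += len(data.strip())


def qr_api_payload(src: str) -> Optional[str]:
    """If src is a QR generator API call, return the URL it will encode."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    if host != QR_API_DOMAIN and not host.endswith("." + QR_API_DOMAIN):
        return None
    return parse_qs(parts.query).get("data", [None])[0]


def triage_html(html: str, min_text_chars: int = 80) -> dict:
    """Flag image-only bodies and API-generated QR codes in one HTML document."""
    w = _Walker()
    w.feed(html)
    w.close()
    qr_payloads = [p for p in (qr_api_payload(i.src) for i in w.images) if p]
    image_only = bool(w.images) and w.text_chars < min_text_chars
    return {
        "text_chars": w.text_chars,
        "image_only_body": image_only,
        "unlinked_images": [i.src for i in w.images if not i.in_anchor],
        "qr_payloads": qr_payloads,
        "suspicious": image_only or bool(qr_payloads),
    }


# Constructed samples modelled on the figures; not the actual mails.
SAMPLE_IMAGE_BODY = (          # Figure 3 style: one unlinked picture, nothing else
    '<html><body><img src="cid:mfa_notice.png" width="600"></body></html>'
)
SAMPLE_HTML_ATTACHMENT = (     # Figure 18 style: QR drawn by the goqr.me API
    '<html><body><p>Scan to update your mailbox</p>'
    '<img src="https://api.qrserver.com/v1/create-qr-code/?size=200x200'
    '&amp;data=https%3A%2F%2Fkamsaridevelopment.com%23alice%40example.com">'
    '</body></html>'
)
SAMPLE_ORDINARY_MAIL = (       # linked logo plus a real paragraph of text
    '<html><body><a href="https://example.com"><img src="cid:logo.png"></a>'
    '<p>Hi team, the Q3 planning meeting moves to Thursday at 10:00. The agenda '
    'is attached; please send any additions by Wednesday. Thanks.</p></body></html>'
)

if __name__ == "__main__":
    for name, doc in [("image body", SAMPLE_IMAGE_BODY),
                      ("html attachment", SAMPLE_HTML_ATTACHMENT),
                      ("ordinary mail", SAMPLE_ORDINARY_MAIL)]:
        print(name, triage_html(doc))
```

For the attachment sample the extracted `data` value is the kamsaridevelopment[.]com redirector with the victim address in the fragment, which is exactly what the victim’s phone would have received from the camera; a gateway can therefore apply its normal URL reputation checks to it even though no link exists in the mail.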

 

Figure 19: Free QR code generator used to generate the phishing QR code.

Scanning the QR code from Figure 17 resolves to the following URL, which acts as a redirector to the actual phishing page; here the victim’s email address follows the number sign (#) directly.

hxxps://kamsaridevelopment[.]com#[victim email address]

 

The final URL hosting the phishing page [Fig. 20] mimics a Hotmail login and prompts the victim for a password. The structure of the URL shows it is served through an IPFS gateway, with the content identifier as a subdomain of ipfs[.]dweb[.]link, like the phishing campaigns we covered in our previous blog.

 

hxxps://bafybeiatig7bsbj3awxopocfjayzyv5jxhrhgyjqkxrdz5sxikrpftt4am[.]ipfs[.]dweb[.]link/eddom-home.html#[victim email address]

 

Figure 20: Phishing page pretending to be a Hotmail login form.

Once the victim clicks the sign-in button, the credentials are posted to the link below, delivering the login information straight to the threat actors.

hxxps://viajalejos[.]net/zon.php

 

To sum up, the use of QR codes in phishing has grown in popularity recently, and threat actors are taking a more targeted approach by adding the victim organization’s logos and themes to their templates.

Bing search result links are abused as an additional evasion layer, PDF attachments hide the QR codes to make them less obvious, and publicly available APIs generate phishing QR codes on the fly. Together these techniques lure unsuspecting victims into scanning the QR code with a mobile phone, which moves the click off the managed corporate device and network and may therefore bypass corporate security controls, a serious threat for organizations.

Raising awareness is key to protecting ourselves from these threats. Organizations should train staff to be more vigilant when inspecting unexpected emails, in addition to applying strong security measures to protect their network. Trustwave MailMarshal can protect against these campaigns by examining many traits when identifying phishing emails; the absence of a visible URL, while significant, is only one of the traits MailMarshal uses to pin down email-borne threats.


 URL IOCs:

hxxps://www[.]bing[.]com/ck/a?!&&p=e9085e096df3a5beJmltdHM9MTY4MzMzMTIwMCZpZ3VpZD0yNTFiM2IyMy1lZTc3LTY0ZmYtMzNkZS0yODJiZWY3NzY1YTEmaW5zaWQ9NTE1Mw&ptn=3&hsh=3&fclid=251b3b23-ee77-64ff-33de-282bef7765a1&u=a1aHR0cHM6Ly9pc2lydW1haC5pbmZvL2Fib3V0LXVzLw&ntb#[victim email address encoded in base64]

hxxps://isirumah[.]info/about-us/

hxxps://login-rnicrosotfonline-nserviceportal-servercommon-oauth2-v23[.]powerappsportals[.]com/common-i650f8f03-oauth2-i5759964ab99CaaBAa06867BaA409C46Ab-authorize-748308Ba49b66bcc32ccACcc6b3/?cfg=[victim email address]

hxxps://bc1qx0anrq4v2aftl3eg22rfnyump7wxln2e7ld60a[.]com/api/v3/login

hxxps://qr[.]codes/hlrYHI

hxxps://lockvvoodgroup[.]com/6913b3d2305481eab1949b82cc67055a64c08901925f1LOG6913b3d2305481eab1949b82cc67055a64c08901925f2

hxxps://kamsaridevelopment[.]com#[victim email address]

hxxps://bafybeiatig7bsbj3awxopocfjayzyv5jxhrhgyjqkxrdz5sxikrpftt4am[.]ipfs[.]dweb[.]link/eddom-home.html#[victim email address]

hxxps://viajalejos[.]net/zon.php

 
