New tricks with QR codes
QR codes are a popular vehicle for criminals to smuggle hyperlinks past security systems and into their victims' hands, and the ingenuity on display is considerable.
Security researchers from Barracuda report new tricks using QR codes. The attacks come via email and bypass many of the security scans commonly used in large companies. If the end user then reads their emails with HTML enabled, they can easily become a victim.
QR codes (quick response codes) are popular with criminals because they encode hyperlinks in a form people cannot read, which makes it easier to pass off fraudulent links. Under a pretext, the target is tricked into scanning the code and quickly ends up on a website controlled by the attacker. This method is used so frequently to harvest other people's access credentials (phishing) that there is a separate term for phishing with QR codes: quishing.
Separate files together form an image
An amazingly simple method is to split a misleading QR code into two (or more) parts. These image files are attached to a phishing email, for example. Security systems usually try to evaluate the image files individually, but find nothing useful in the individual QR snippets and let the dangerous message pass.
Using HTML, however, the images can be arranged on the user's device in such a way that they look like a single image, both to the human eye and to a smartphone camera. If the target scans the virtually assembled QR code, they are redirected to a fraudulent website where, for example, malware or a phishing trap awaits them.
Nesting
The idea of nesting two QR codes inside each other has been around for some time. Which of the two codes a smartphone decodes depends in particular on the distance between the code and the camera. An automated security system, however, will try to evaluate the whole image at once.
Barracuda has observed attacks with such interlaced QR codes. One of the embedded hyperlinks is completely harmless and points to a search engine, for example, while the other leads to the trap. The attackers rely on the interlaced codes to mislead the security scanners. The split QR codes are a trick used by the Phishing-as-a-Service toolkit Gabagool; the nested QR codes are a method used by the competitor product Tycoon 2FA.
ASCII code QR
Back in October, Barracuda reported on clever QR codes that do not come in the form of an image file but are made up of ASCII codes. In addition to letters and punctuation marks, the ASCII code also contains all kinds of other characters, including, for example, 32 different "block" characters.
These are strung together in a matrix. Combined with a Cascading Style Sheet (CSS) that changes the color of individual characters, setting them to white, for example, text structures can be created that smartphones recognize as QR codes but that have passed the security scanner undetected. Alternatively, the light areas can be made up of non-breaking spaces from the ASCII repertoire.
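The two rendering tricks described above, split image fragments and text-drawn matrices, share a property a mail filter can look for: the QR code only exists after the HTML is rendered, so a scanner that inspects each attachment on its own never sees it. The Python script below is an added illustration, not Barracuda's detection logic and not code from the article. It walks an HTML mail body once and raises indicators for runs of adjacent images with no visible text between them, for lines built from Unicode block characters or no-break spaces that are wide enough to be a QR row, and for inline CSS that paints characters white. The thresholds and the three sample messages are constructed assumptions for the demonstration.

```python
"""Heuristic triage of HTML e-mail bodies for QR codes assembled at render time.

Added illustration; thresholds are assumptions, sample mails are constructed.
"""
import re
from html.parser import HTMLParser

# Unicode block elements (U+2580..U+259F) plus the no-break space (U+00A0):
# the characters a text-drawn QR matrix is built from.
MATRIX_CHARS = re.compile(r"[\u2580-\u259f\u00a0]")
# Inline CSS that paints characters white, hiding the "light" modules.
WHITE_CSS = re.compile(
    r"color\s*:\s*(?:#fff(?:fff)?(?![0-9a-f])|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))",
    re.I,
)

# Thresholds are assumptions for this illustration, not values from the article.
MIN_IMG_FRAGMENTS = 2    # <img> tags with no visible text between them
MIN_MATRIX_ROWS = 10     # rendered lines that look like rows of a module matrix
MIN_MATRIX_WIDTH = 21    # a version-1 QR code is 21 modules wide
MATRIX_ROW_RATIO = 0.8   # share of a line that must be block/no-break characters


class _Collector(HTMLParser):
    """Single pass over the HTML: records runs of adjacent images, visible text
    split into rendered lines, and inline styles that colour text white."""

    BREAKS = {"br", "p", "div", "tr", "li", "h1", "h2", "h3"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)   # &nbsp; arrives as "\u00a0"
        self.img_runs: list[int] = []
        self._run = 0
        self.lines: list[str] = [""]
        self.white_styles = 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self._run += 1
        if tag in self.BREAKS:
            self.lines.append("")
        style = dict(attrs).get("style") or ""
        if WHITE_CSS.search(style):
            self.white_styles += 1

    def handle_endtag(self, tag):
        if tag in self.BREAKS and tag != "br":
            self.lines.append("")

    def handle_data(self, data):
        if data.strip():                  # visible text ends a run of images
            self._flush_run()
        parts = data.split("\n")          # <pre> bodies carry real newlines
        self.lines[-1] += parts[0]
        self.lines.extend(parts[1:])

    def _flush_run(self):
        if self._run:
            self.img_runs.append(self._run)
            self._run = 0

    def close(self):
        super().close()
        self._flush_run()


def _is_matrix_row(line: str) -> bool:
    """True when a rendered line is wide and dense enough to be a row of modules."""
    line = line.strip(" \t\r")            # keep \u00a0: it is part of the drawing
    if len(line) < MIN_MATRIX_WIDTH:
        return False
    return len(MATRIX_CHARS.findall(line)) / len(line) >= MATRIX_ROW_RATIO


def scan_html_email(html: str) -> list[str]:
    """Return the indicator names raised for one HTML mail body (empty if none)."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    if any(run >= MIN_IMG_FRAGMENTS for run in c.img_runs):
        findings.append("split-image-fragments")
    if sum(1 for ln in c.lines if _is_matrix_row(ln)) >= MIN_MATRIX_ROWS:
        findings.append("text-drawn-matrix")
        if c.white_styles:
            findings.append("white-css-modules")
    return findings


# --- constructed sample messages (not real phishing mails) ---
SPLIT_QR_MAIL = """<html><body>
<p>Your parcel could not be delivered. Scan the code to reschedule:</p>
<table cellpadding="0" cellspacing="0"><tr>
<td><img src="cid:qr-left@example.invalid" style="display:block"></td>
<td><img src="cid:qr-right@example.invalid" style="display:block"></td>
</tr></table>
</body></html>"""


def _constructed_matrix_mail(size: int = 21) -> str:
    """Mail whose 'QR code' is a size x size grid of full blocks; light modules
    are the same block character painted white with inline CSS."""
    rows = []
    for i in range(size):
        cells = ["\u2588" if (i * j + i + j) % 3 else '<span style="color:#FFF">\u2588</span>'
                 for j in range(size)]          # arbitrary pattern, not a real code
        rows.append("".join(cells))
    return ("<html><body><p>Scan to confirm your login:</p>"
            '<div style="font-family:monospace;line-height:1">'
            + "<br>\n".join(rows) + "</div></body></html>")


MATRIX_QR_MAIL = _constructed_matrix_mail()

BENIGN_MAIL = """<html><body>
<img src="cid:logo@example.invalid" alt="Company logo">
<p>Hello,&nbsp;please find the monthly report attached.</p>
<p>Best regards,<br>The reporting team</p>
<img src="cid:footer@example.invalid" alt="Footer">
</body></html>"""

if __name__ == "__main__":
    for name, mail in [("split", SPLIT_QR_MAIL), ("matrix", MATRIX_QR_MAIL), ("benign", BENIGN_MAIL)]:
        print(f"{name:7s} -> {scan_html_email(mail) or 'no indicators'}")
```

These indicators are triage signals rather than verdicts: a newsletter with two social-media icons side by side will trip the image-run check, so a hit should route the message to a step that renders the complete HTML and tries to decode the rendered page as a whole. That rendered-view check is exactly what per-attachment scanning, as the article describes it, never performs.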
Suspicion is warranted
Outside of closed systems, QR codes should always be treated with suspicion. We recommend distrusting QR codes and displaying emails as plain text only. This may not look as pretty, but it hampers a whole range of tracking and attack methods, not just QR code tricks.
Attackers benefit from a special advantage with QR codes: they usually cannot be analyzed on the same device that displays them. Anyone who wants to analyze a QR code shown on their computer screen will usually reach for their smartphone (although this is not strictly necessary). And while employers use security systems to prevent suspicious URLs from being opened on work computers, the smartphone used for scanning is often a private device and bypasses those systems.
This is how phishers achieve uncomfortably high success rates. Unfortunately, anti-phishing training has proven to be largely useless in practice.
Found on https://www.heise.de/news/Neue-Tricks-mit-QR-Codes-10559942.html