By Jeremy Fuchs, Cybersecurity Researcher/Analyst at Check Point Software LTD
Over the summer, we noticed a somewhat unexpected increase in phishing attacks based on QR codes.
The attacks were all quite similar. The main goal was to prompt the end user to scan the QR code, at which point they would be redirected to a credential collection page.
Quite simple, but successful, as many email security solutions lacked QR code protection and many end users are used to scanning QR codes. This is also why we saw a 587% increase in these attacks between August and September.
Security vendors have worked frantically to develop new protections for these attacks. And, as always, threat actors responded in kind with a new variant of QR code attacks.
In these attacks, hackers use the QR code in a different way. The original request is similar, but where the redirect chain ends up is quite different. In short, the link looks at where the user interacts with it and adjusts accordingly: one destination appears if the user is on a Mac, and another if the user is on an Android phone.
The end goal is the same – to install malware on the end user's endpoint while stealing credentials. But by tailoring the destination based on how the end user accesses it, the success rate is much higher.
Over a two-week period in January, we saw just under 20,000 such attacks.
In this attack update, Harmony Email researchers report how hackers are taking QR code attacks to the next level.
The attack
Hackers send QR codes with device-specific conditional routing.
- Vector: Email
- Type: QR Code, Conditional Redirection, Credential Harvesting
- Techniques: BEC 3.0
- Target: Any end user
Email Example
This email starts out as a fairly standard QR code-based phishing attack. The lure is that you can view your annual 401K contribution statement by scanning the QR code, which will supposedly give you your account balance for the year.
The interesting thing about this attack is what happens next.
The QR code has a conditional destination point, based on browser, device, screen size and more. Depending on the parameters, the QR code will direct to a different page.
The link in the email is the same:
However, depending on the destination, the result changes:
Essentially, there are four levels of complexity. One is the QR code itself. The URL embedded in the QR code appears to go to an Apple domain, but instead redirects elsewhere. Then there is a blind redirect to another domain. This domain automatically checks whether you are coming from a browser or a scanning engine and redirects accordingly.
There is also a payload that uses anti-reverse engineering techniques: if you try to decrypt it, it consumes infinite resources.
Here is another example. This embeds the QR code into a PDF, which is attached to the email.
This is linked to a series of suspicious activities, again including a program that continuously drains resources. It also takes you to a fake Microsoft login page.
And here is another variation:
In all of them, the link in the QR code and the link it redirects you to are different.
Technical
Redirection in an attack isn't necessarily new, although its use in QR Codes is fascinating.
By using the conditional redirect, hackers are able to increase their success rate. Typically, default security levels will look at a redirect and, if the first hop is clean, let it pass. (This happened in this attack.)
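To make the problem concrete, here is an added example (not Check Point's code, and not taken from the attack itself) that follows a URL's redirect chain under several device profiles and flags a link whose final landing domain depends on who is asking. The redirect table, the domains and the profile names are constructed placeholders; the fetcher is injected so the check runs offline, and in production it would be replaced by real HTTP requests sent with the matching User-Agent.

```python
"""Detect device-conditional redirect chains behind a QR-code URL."""
from urllib.parse import urlparse

# Constructed sample redirect table: (url, device profile) -> next hop.
# "*" applies to every profile. Domains are placeholders, not indicators
# from the report.
SAMPLE_TABLE = {
    ("https://apple.example/r?id=1", "*"): "https://redirector.example/go",
    ("https://redirector.example/go", "scanner"): "https://www.example.org/",
    ("https://redirector.example/go", "mac"): "https://login-mac.example.net/",
    ("https://redirector.example/go", "android"): "https://upd-android.example.net/",
}


def sample_fetch(url, profile):
    """Return the next hop for url under profile, or None if it is final."""
    return SAMPLE_TABLE.get((url, profile)) or SAMPLE_TABLE.get((url, "*"))


def follow_chain(url, fetch, profile, max_hops=10):
    """Return every hop seen for one device profile, stopping on loops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1], profile)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def analyze(url, fetch, profiles=("scanner", "mac", "android")):
    """Flag a URL whose landing domain changes with the requesting device.

    A scanner that only follows the chain once (as a scanning engine)
    would see the benign branch; comparing profiles exposes the fork.
    """
    first_domain = urlparse(url).netloc
    finals = {p: urlparse(follow_chain(url, fetch, p)[-1]).netloc for p in profiles}
    return {
        "first_hop_domain": first_domain,
        "final_domains": finals,
        # Different devices land on different domains: conditional routing.
        "conditional": len(set(finals.values())) > 1,
        # The apparent (first-hop) domain is not where the user ends up.
        "domain_changed": any(d != first_domain for d in finals.values()),
    }
```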
This is where the power of a comprehensive security solution comes into play. With a comprehensive security solution, multiple layers can work to prevent these attacks.
In this example, an email security solution can block it by looking at suspicious behavior such as first-time sender, text analysis, and more. Browser security can block it by inspecting the site and mimicking any actions. Mobile phone security may block it when actually scanning the QR code. Anti-malware can simulate the file and figure out what will happen. Post-delivery security can constantly look for new information, constantly scanning and parsing the URL.
These attacks are hard to stop because they involve so many different layers. But having all the levels increases the ability to stop the attack.
Best Practices: Guidelines and Recommendations
To protect against these attacks, security professionals can do the following:
- Implement security that uses artificial intelligence to examine multiple phishing indicators.
- Implement security with the ability to decode QR code attacks.
- Implement security with multiple levels of protection.