Authors: Brandon Murphy (Detection), Dennis Lynch (Engineering)

QR code phishing has been a favorite tactic of adversaries for some time now. We regularly see QR codes in our Attack Spotlights, and they have been a featured tactic in past threat reports. There are a few reasons QR code phishing is only getting more popular with attackers.

  • QR codes are ubiquitous. People often scan QR codes without a second thought about where they will be sent.
  • QR codes pivot targets off their managed laptops. InfoSec and IT teams control employee laptops, not personal cell phones. By moving the target to their phone, adversaries step around the endpoint controls, URL filtering, and browser protections that only exist on the managed device.
  • QR codes obfuscate link destinations. This helps both to deceive people and to evade analysis. People may not look closely at the address that pops up on their phone before navigating to the page, and some security scanners cannot decode the QR code at all.
  • QR codes can be buried within attachments. Attackers make life harder for security scanners by putting the QR code in an attached PDF, and can layer evasions further by nesting that PDF inside an attached EML.

In recent years, though, QR code attacks have evolved. The hardest problem now is that QR codes can be hidden from security tooling in plain sight: still scannable by the target's phone, but not by the scanner.

This is what we're going to look at in this blog. When a person holds a phone up to a QR code, they adjust the camera for a few seconds until it finally locks on and resolves the destination. Security scanners have to operate in milliseconds, so attackers tweak QR codes to make them harder to decode. A human will keep trying for 10 seconds; an automated scanner will not.

With that in mind, we’re going to first take a quick technical look at how we shut down advanced QR evasions and then we’ll get into some of the interesting evasion tactics we’ve seen in the wild. All samples will be partially obfuscated for safety.

Modern QR code security analysis in Sublime

To unmask manipulated QR codes, we iteratively run two QR code scanners and multiple image processing techniques. If the first scanner cannot resolve a QR code, we pass it to the second. If the second cannot resolve it either, the image is sent through a range of processing techniques to improve readability and then re-run through the scanners one more time. Ordering it this way keeps the common case cheap: the extra processing only runs on images the scanners have already failed on.

Our early implementation of QR code analysis used a single QR code scanner and minimal image manipulation. Moving to this iterative process with the latest scanners gave us a roughly 30% improvement in resolving manipulated QR codes, without sacrificing performance. We also ran the old and new processes in tandem for a while to verify that the new one did not introduce misses the old one had caught.

Let’s take a look at some of the image manipulation techniques we needed to solve for.

Low contrast

QR codes are black and white by design. To be as easily readable as possible, they need high contrast, and black on white is as high a contrast as it gets. Most decoders begin by thresholding the image into pure black and white before they look for the finder patterns; the narrower the luminance gap between modules and background, the more likely a fixed threshold lands on the wrong side and leaves the decoder with a mostly blank or mostly solid image. On the flip side, then, attackers want low-contrast QR codes to fool scanners, and they get there by darkening images and changing colors to manipulate contrast levels.

This first example is the most common way of manipulating QR code contrast. By changing the background of the QR code from white to green, the adversary reduces the contrast between the modules and the background.

For added evasion, the attacker put the QR code within an attached PDF. The PDF was disguised as an updated employee handbook from HR and impersonates a Docusign document.

This next example was delivered via an impersonated Microsoft Teams notification about a voicemail. Fake voicemail notifications have been steadily growing in popularity as a delivery tactic. This one changes both colors but keeps the background in grayscale.

Finally, here is an example in which the attacker changed both QR colors. This QR code vibrates so hard it is tough to even look at.

Image skewing

This is a fairly standard expired-password scam, but it used a unique QR code to evade scanners. By skewing the aspect ratio, the attacker produced a squished QR code that a phone camera read easily with time to spare, but that bypassed some of the more common QR scanner packages.
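As an added example that is not Sublime's code, here is the shape of such a fallback loop in Python, with the normalisation steps the low-contrast and squished samples above call for (luma conversion, min/max contrast stretch, Otsu thresholding, inversion, aspect-ratio restoration) written out on plain pixel lists so it runs with no dependencies. The decoders are pluggable: `opencv_decoder` wraps `cv2.QRCodeDetector` if OpenCV happens to be installed (an assumption, and optional), and `picky_decoder` is a constructed stand-in that refuses exactly the conditions the evasions create, so the fallback order can be watched working offline. The sample image and the placeholder payload string are constructed, not taken from the samples above.

```python
"""Iterative QR recovery: every decoder on the raw image, then cumulative
normalisation passes with all decoders re-run after each one.

Added example, not Sublime's code. Images are lists of rows of (r, g, b) tuples
so nothing third-party is needed; a decoder is any callable that takes a
grayscale matrix and returns the decoded text or None.
"""
from typing import Callable, List, Optional, Sequence, Tuple

Pixel = Tuple[int, int, int]
Gray = List[List[int]]
Decoder = Callable[[Gray], Optional[str]]

def to_gray(img: List[List[Pixel]]) -> Gray:
    """Rec. 601 luma; dark-green-on-green modules collapse into a narrow grey band."""
    return [[int(0.299 * r + 0.587 * g + 0.114 * b) for r, g, b in row] for row in img]

def stretch_contrast(g: Gray) -> Gray:
    """Min/max stretch: whatever luminance span the attacker left becomes 0..255."""
    lo, hi = min(min(r) for r in g), max(max(r) for r in g)
    if hi == lo:
        return [r[:] for r in g]
    return [[(p - lo) * 255 // (hi - lo) for p in r] for r in g]

def otsu_threshold(g: Gray) -> int:
    """Otsu's method: the grey level that maximises between-class variance."""
    hist = [0] * 256
    for r in g:
        for p in r:
            hist[p] += 1
    total, total_sum = sum(hist), sum(i * n for i, n in enumerate(hist))
    w_b = sum_b = 0
    best_t, best_var = 0, -1.0
    for t in range(256):
        w_b += hist[t]
        w_f = total - w_b
        if w_b == 0 or w_f == 0:
            continue
        sum_b += t * hist[t]
        between = w_b * w_f * (sum_b / w_b - (total_sum - sum_b) / w_f) ** 2
        if between > best_var:
            best_var, best_t = between, t
    return best_t

def binarize(g: Gray) -> Gray:
    """Hard black/white at Otsu's threshold (a fixed threshold is what low contrast defeats)."""
    t = otsu_threshold(g)
    return [[255 if p > t else 0 for p in r] for r in g]

def dark_on_light(b: Gray) -> Gray:
    """Decoders expect dark modules on a light quiet zone; invert if the border is mostly dark."""
    border = b[0] + b[-1] + [r[0] for r in b] + [r[-1] for r in b]
    return [[255 - p for p in r] for r in b] if sum(border) / len(border) < 128 else b

def make_square(g: Gray) -> Gray:
    """Undo a squashed aspect ratio: nearest-neighbour resample both axes to the longer one."""
    h, w = len(g), len(g[0])
    n = max(h, w)
    return [[g[y * h // n][x * w // n] for x in range(n)] for y in range(n)]

# Normalisation passes, applied cumulatively once the raw attempt has failed.
PASSES = (("stretch", stretch_contrast), ("binarize", binarize),
          ("invert", dark_on_light), ("square", make_square))

def decode_with_fallback(img: List[List[Pixel]], decoders: Sequence[Tuple[str, Decoder]]):
    """Return (text, pass_name, decoder_name), or None when every attempt fails."""
    g = to_gray(img)
    for pname, fn in (("raw", None),) + PASSES:   # each pass re-runs every decoder
        g = fn(g) if fn else g
        for dname, dec in decoders:
            text = dec(g)
            if text:
                return text, pname, dname
    return None

def opencv_decoder(g: Gray) -> Optional[str]:
    """Real decoder, used only if OpenCV and NumPy are installed (assumed, optional)."""
    try:
        import cv2
        import numpy as np
        text, _, _ = cv2.QRCodeDetector().detectAndDecode(np.array(g, dtype=np.uint8))
        return text or None
    except Exception:          # a missing library or a decoder error is a miss, not a crash
        return None

def picky_decoder(g: Gray) -> Optional[str]:
    """Constructed stand-in for a strict scanner: it reads only a binary, dark-on-light,
    square image, which is exactly what the evasions above take away from it."""
    flat = [p for r in g for p in r]
    if len(g) != len(g[0]) or g[0][0] != 255 or any(p not in (0, 255) for p in flat):
        return None
    return "hxxps://example[.]invalid/constructed-payload"   # constructed placeholder text

def constructed_sample() -> List[List[Pixel]]:
    """Dark green on green (luma 23 vs 70), squashed to 4x8. Constructed, not a real QR symbol."""
    bg, fg = (0, 120, 0), (0, 40, 0)
    art = ["........", ".##..##.", ".#.##.#.", "........"]
    return [[fg if c == "#" else bg for c in row] for row in art]
```

Calling `decode_with_fallback(constructed_sample(), [("opencv", opencv_decoder), ("picky", picky_decoder)])` fails on the raw, stretched, binarized and inverted variants and succeeds only after the `square` pass, which is the point: a single-shot scanner with a fixed threshold and no resampling never gets there. The cumulative order also matters; thresholding before stretching would give Otsu nothing to work with on a 47-level luminance span.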

ASCII rendering

ASCII-rendered QR codes are the less common sibling of HTML-rendered ones. By drawing the QR code out of text characters rather than embedding an image, the attacker tries to evade scanners that look for QR codes only in image attachments and inline images. This is why Sublime takes screenshots of each message and analyzes them with computer vision: the rendered message is what the target sees, regardless of how the code was built.

If we copy the characters into a text editor, we can see more clearly that this is text art. These lines are enough to confuse some QR code scanners:
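One way to give a scanner something it can read, as an added example and not Sublime's pipeline: turn the text rendering back into a module matrix and write it out as a bitmap. The glyph classes it recognises (full and half block characters, `#`/`@` art with one or two characters per module) are assumptions about common renderings, and the short block-glyph and `##`-art inputs below are constructed, not the sample from the attack above.

```python
"""Rasterise a text-rendered ("ASCII") QR code into a bitmap an ordinary decoder can read.

Added example, not Sublime's code. The glyph classes are assumptions about common
renderings: full/half block glyphs, or '#'/'@' art with one or two characters per
module. Any other character counts as a light module.
"""
from typing import List

DARK_FULL = set("█#@■▓▒X")          # glyphs meaning "this module is dark" (assumed set)
HALF_TOP, HALF_BOTTOM = "▀", "▄"    # half blocks: one text line encodes two module rows

def _clean_lines(text: str) -> List[str]:
    """Drop blank lines, strip common indent, right-pad so every line has the same width."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    indent = min(len(ln) - len(ln.lstrip(" ")) for ln in lines)
    lines = [ln[indent:] for ln in lines]
    width = max(len(ln) for ln in lines)
    return [ln.ljust(width) for ln in lines]

def chars_per_module(lines: List[str]) -> int:
    """'##'/'  ' art doubles each module to keep it square; detect that by pairwise equality."""
    paired = all(
        len(ln) % 2 == 0 and all(ln[i] == ln[i + 1] for i in range(0, len(ln), 2))
        for ln in lines
    )
    return 2 if paired else 1

def ascii_qr_to_modules(text: str) -> List[List[int]]:
    """Return the module matrix (1 = dark) for block-glyph or character art."""
    lines = _clean_lines(text)
    step = chars_per_module(lines)
    half = any(c in (HALF_TOP, HALF_BOTTOM) for ln in lines for c in ln)
    rows: List[List[int]] = []
    for ln in lines:
        cells = ln[::step]
        if half:   # each text line is two module rows: upper half, then lower half
            rows.append([1 if c in DARK_FULL or c == HALF_TOP else 0 for c in cells])
            rows.append([1 if c in DARK_FULL or c == HALF_BOTTOM else 0 for c in cells])
        else:
            rows.append([1 if c in DARK_FULL else 0 for c in cells])
    return rows

def to_pbm(modules: List[List[int]], scale: int = 8, quiet: int = 4) -> bytes:
    """Plain PBM (P1, 1 = black), upscaled and wrapped in the quiet zone decoders expect."""
    h, w = len(modules), len(modules[0])
    padded = [[0] * (w + 2 * quiet) for _ in range(quiet)]
    padded += [[0] * quiet + row + [0] * quiet for row in modules]
    padded += [[0] * (w + 2 * quiet) for _ in range(quiet)]
    out = [f"P1\n{(w + 2 * quiet) * scale} {(h + 2 * quiet) * scale}"]
    for row in padded:
        line = " ".join(str(p) for p in row for _ in range(scale))
        out.extend([line] * scale)
    return ("\n".join(out) + "\n").encode()
```

Writing the bytes from `to_pbm` to a file and handing it to a normal decoder (`zbarimg qr.pbm`, or `cv2.imread` followed by `QRCodeDetector`, both assumed installed) is the next step. The quiet zone is not cosmetic: decoders use the light border to locate the finder patterns, and text art pasted into an email usually has none.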

Incomplete image

In this password reset scam, the attacker simply cut the bottom off the QR code to try to trick scanners. QR codes carry Reed-Solomon error correction (level H tolerates roughly 30% damage), so a phone camera can still recover the content from a truncated symbol as long as enough of it, including the finder patterns it needs to locate the code, survives; a decoder that insists on a complete, well-formed symbol gives up.

Split image

This last evasion method is tricky because it doesn't rely on a trick the target could recognize visually. In this attack, the adversary stacked a few tactics: they impersonated a company (trust), sent a phony salary increase document (financial incentive) in an attached PDF, and changed the color of the QR code to evade security scanners.

But they did one other thing. While the color change targets visual scanners, the attacker also split the QR code into two separate images to evade file-based scanners, which extract each embedded image and try to decode it on its own; half a QR code decodes as nothing. Extracting the contents of the PDF reveals that the QR code is a composite of two separate images placed side by side:

A simple way to see this yourself is with a tool like CyberChef. Just drop in a PDF and use the Extract Files operation to see all the files within the PDF:

While this is an effective evasion against file-based scanners, Sublime also applies ML-powered computer vision during analysis in order to read the QR code as it visually appears on the rendered page. In fact, splitting this QR code in two only made it more suspicious, as there is no benign reason to split a QR code across multiple files.
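The same observation can be turned into a cheap file-based signal. As an added example that is not Sublime's detection logic, the Python below enumerates the image XObjects in a PDF the way the CyberChef Extract Files step does, then flags pairs of images with equal height whose widths add up to one square; that pairing rule is an assumption about how a side-by-side split looks, and the minimal PDF it runs on is constructed inline with empty image streams.

```python
"""Enumerate image XObjects in a PDF and flag pairs that look like one square image split in two.

Added example, not Sublime's code. It scans the raw bytes for uncompressed object
dictionaries, so images whose dictionaries live inside compressed object streams
(PDF 1.5 /ObjStm) are missed; use a real PDF parser for those. The pairing rule
(same height, widths summing to roughly that height) is an assumption about how a
side-by-side split looks.
"""
import re
from itertools import combinations
from typing import Dict, List, Tuple

# "N G obj" followed by its dictionary, up to the start of stream data or the endobj keyword
OBJECT = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)(?:\bstream\b|\bendobj\b)", re.S)
IMAGE = re.compile(rb"/Subtype\s*/Image\b")

def _int_entry(body: bytes, key: bytes) -> int:
    m = re.search(rb"/" + key + rb"\s+(\d+)", body)
    return int(m.group(1)) if m else 0

def image_xobjects(pdf: bytes) -> List[Dict[str, int]]:
    """Every image XObject with its object number and pixel dimensions."""
    images = []
    for m in OBJECT.finditer(pdf):
        body = m.group(2)
        if IMAGE.search(body):
            images.append({"obj": int(m.group(1)),
                           "width": _int_entry(body, b"Width"),
                           "height": _int_entry(body, b"Height")})
    return images

def split_image_suspects(images: List[Dict[str, int]], tolerance: float = 0.1) -> List[Tuple[int, int]]:
    """Pairs of equal height whose widths add up to about one square: two halves of a QR code."""
    by_height: Dict[int, List[Dict[str, int]]] = {}
    for im in images:
        by_height.setdefault(im["height"], []).append(im)
    suspects = []
    for h, group in by_height.items():
        for a, b in combinations(group, 2):
            if h and abs(a["width"] + b["width"] - h) <= tolerance * h:
                suspects.append((a["obj"], b["obj"]))
    return suspects

# Constructed, minimal, uncompressed PDF carrying two 100x200 images (image data left empty).
CONSTRUCTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /XObject << /Im1 4 0 R /Im2 5 0 R >> >> /Contents 6 0 R >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 100 /Height 200 /ColorSpace /DeviceRGB
   /BitsPerComponent 8 /Length 0 >>
stream
endstream
endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 100 /Height 200 /ColorSpace /DeviceRGB
   /BitsPerComponent 8 /Length 0 >>
stream
endstream
endobj
6 0 obj << /Length 0 >>
stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def analyse(pdf: bytes):
    """Convenience wrapper: (images found, suspicious pairs)."""
    images = image_xobjects(pdf)
    return images, split_image_suspects(images)
```

On the constructed PDF, `analyse(CONSTRUCTED_PDF)` returns the two 100x200 images and the pair `(4, 5)`. Against real attachments, poppler's `pdfimages -list file.pdf` gives the same inventory (object numbers, dimensions, placement) without the parsing caveats above, and is the quicker first look when the dictionaries are inside object streams.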

ASA, Sublime’s Autonomous Security Analyst, flagged all of the above emails as malicious. Here is ASA’s analysis summary for this last example. Notice how ASA recognized the split QR code as a signal of malicious intent:

Crack the QR phishing code

As security solutions close gaps, attackers evolve their attacks. That is why Sublime is always looking to improve our QR code security analysis, so we can get a jump on the next evolution. If you want to try it for yourself, start your free account or get a live demo.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.
