Attack Techniques: QR Codes

As outlined in earlier posts in this series, attackers know that security software can detect their phishing lures and block users from even seeing the lure if it contains a known-phishing URL. For example, both Windows Live and Gmail block email that is believed to contain phishing links. If your enterprise uses Microsoft Defender for Office, or you subscribe to Microsoft 365 Family, all inbound hyperlinks through Microsoft email services are rewritten to navigate through the “SafeLinks” service that performs another real-time check for malicious URLs whenever a user clicks on them.

To avoid security software, attackers try to hide URLs, using techniques like asking the user to retype a URL from an image or sticking the link inside a password-protected PDF document, or they avoid URLs altogether by asking the user to call a phone number or send a reply email containing sensitive information.

Another technique is to send the user a QR Code. A QR Code is simply a picture that can be decoded into a URL by the camera app on our now-ubiquitous mobile phones.

This QR Code points to a blog post

Users are increasingly accustomed to using QR Codes for legitimate purposes, so their use in attack scenarios won’t stand out as much as it once would have.

How does this URL-obfuscation technique benefit an attacker over a plain hyperlink?

  • Mail software can’t rewrite QR codes, so features like Microsoft SafeLinks won’t apply.
  • The use of a QR Code allows an attacker to cause the attack flow to move from a well-protected desktop to a less-protected mobile device.

    For example, users might be using a mobile web browser with weaker real-time anti-phishing reputation services than the browser on their desktop.

    That mobile browser may not be configured to proxy traffic through a secure proxy.

    Similarly, a user’s personal device might not include a password manager, making the attacker’s request for manually-typed credentials more plausible.
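One defensive response to the first bullet, as an added example that is not code from the original post: a gateway-side check that pulls URLs out of QR codes in image attachments and runs them through the same URL check as plain hyperlinks, since link rewriting never sees them. The blocklist and the sample message are constructed; QR decoding uses pyzbar and Pillow when they are installed and is otherwise a pluggable function.

```python
import io
import re
from email import message_from_bytes
from email.message import EmailMessage, Message
from typing import Callable, Iterable, List
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Constructed sample blocklist; a real gateway would query a reputation service.
BLOCKLIST = {"phish.example.net"}

def default_decode_qr(image_bytes: bytes) -> List[str]:
    """Decode QR codes with pyzbar if it is installed; otherwise decode nothing."""
    try:
        from PIL import Image
        from pyzbar.pyzbar import decode
    except ImportError:
        return []
    return [s.data.decode("utf-8", "replace") for s in decode(Image.open(io.BytesIO(image_bytes)))]

def extract_urls(msg: Message, decode_qr: Callable[[bytes], Iterable[str]]) -> List[str]:
    """Collect URLs from text parts and from QR codes found in image parts."""
    urls: List[str] = []
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if payload is None:  # multipart container, nothing to scan
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            urls.extend(URL_RE.findall(text))
        elif ctype.startswith("image/"):
            # Hyperlink rewriting never sees these; decode the QR code ourselves.
            urls.extend(u for u in decode_qr(payload) if URL_RE.fullmatch(u))
    return urls

def flagged_urls(raw_email: bytes, decode_qr=default_decode_qr) -> List[str]:
    """Return every URL (hyperlink or QR-encoded) whose host is on the blocklist."""
    msg = message_from_bytes(raw_email)
    return [u for u in extract_urls(msg, decode_qr)
            if (urlparse(u).hostname or "").lower() in BLOCKLIST]

def build_sample_email(qr_png: bytes) -> bytes:
    """Constructed lure: harmless body text plus an attached QR image."""
    msg = EmailMessage()
    msg["Subject"] = "Action required"
    msg.set_content("Scan the attached code to verify your account.")
    msg.add_attachment(qr_png, maintype="image", subtype="png", filename="qr.png")
    return msg.as_bytes()
```

The text body of the sample carries no link at all, so a hyperlink-only scanner would pass it; the image part is where the URL lives.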

Someone recently tried to phish a Microsoft CTO via this approach:

Here’s a news article about a recent attack using the QR Code vector.

Update: In December 2023, the Microsoft Defender for Office 365 team outlined some of their protections against QR code phishing.

Stay safe out there — treat any QR codes received via SMS or email with extra caution. Carefully examine the URL in any preview your camera app offers, and then check the browser’s address bar to see the final URL: open redirectors are common, so the preview URL may be misleading.

-Eric

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now a GPM for Microsoft Defender. My words are my own, I do not speak for any other entity.

2 thoughts on “Attack Techniques: QR Codes”

  1. I can’t believe that the iPhone has no URL preview for scanned QR codes – it just opens them. You would really hope the big companies were more on top of these attack vectors.

    1. In fairness to Apple, the original URL could easily be misleading (Google, Bing, LinkedIn, etc., all run effectively open redirectors), so the “preview” itself could be misleading.