QRLJacking tricks you with fake QR codes to log into fake websites or apps, while Quishing uses QR codes to deceive you into visiting malicious sites or downloading malware.
Quick Response Codes (aka QR Codes) have made life hassle-free for everyone as these versatile codes offer access to everything. However. according to SaaS-based cloud messaging security firm SlashNext, this versatility of QR codes makes them a potential target of exploitation. And, the company has discovered several ways in which threat actors are exploiting QR codes.
Security experts have noted a spike in QR-code-based phishing attacks, highlighting how easy it is to manipulate them. Since the codes can encode complex data and redirect users to external apps/websites, adversaries try to manipulate them. SlashNext’s research revealed two prominent methods threat actors are relying on to exploit QR codes- Quishing and QRLJacking.
Quishing attack is offered on cybercrime forums to facilitate phishing-for-hire services. In this attack, a QR code embedded with malware download or phishing link is circulated on different platforms/channels such as social media, posters, restaurant menus, ads, and phishing emails. When someone scans it, they are redirected either to a phishing website or malware gets downloaded on their devices.
Cofense discovered a similar phishing campaign in August 2023, where attackers used malicious QR codes to target high-profile organizations, including a US energy firm.
QRLJacking (quick response code login jacking) is a social engineering-based method exploiting the login with QR code feature in apps and websites and mostly exploits frequently expiring QR codes. If successful, the attack can lead to a complete account takeover.
In QRLJacking, the adversary creates a phishing site identical to the login page of their targeted website/app and creates a fake QR code. The phishing link is sent to the victim through messaging apps, email, or SMS.
When the code is scanned, they get logged into the bogus session and not the real app, and their sensitive data such as access tokens are stolen. An incident of QRLJacking was reported in August 2023 by cybersecurity researcher Cristian ‘void’ Giustini targeting the Steam gaming platform.
In a blog post, Daniel Kelley of SlashNext wrote that attackers can employ a wide range of techniques to exploit QR codes, such as:
- Phishing: Through phishing attacks, threat actors can exploit QR codes to redirect users to bogus websites mimicking legitimate ones, and lure them into entering sensitive data like financial information or login credentials.
- Malware Distribution: Cybercriminals can embed QR codes with links that deploy malware on the user’s devices and allow them to gain unauthorized access.
- Social Engineering: QR codes can be manipulated to display misleading information/promotion offers to trick users into taking actions that offer monetary benefits to the attacker.
Being cautious is essential to protect yourself against QR code-based attacks. Always scan QR codes from trusted sources and cross-check the destination URL before scanning. Regularly update anti-virus software. Organizations should implement secure QR code generation and management systems and conduct security audits of QR code usage regularly.
- Barcode Reader Apps on Play Store Infected with Adware
- Stream-Jacking: Malicious YouTube Livestreams Aid Malware
- How to make a QR code to accept Bitcoin while keeping it secure
- “Picture in Picture” Technique Exploited in Deceptive Phishing Attack
- Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware