Malicious Pixels: Criminals Revamp QR Code Phishing Attacks
Attackers Use ASCII Characters to Create Tough-to-Spot QR Codes, Barracuda Warns
Scammers are tweaking their approach to building QR codes to better bypass defenses designed to spot and block nefarious activity.
Cybersecurity firm Barracuda Networks reports observing a surge in phishing emails that arrive with malicious QR codes built to evade optical character recognition systems designed to block attempts to forward users onto malicious sites.
Attackers are doing this by not attaching an image of a QR code, but rather using ASCII or Unicode "full block" characters - █ - together with Cascading Style Sheets that render each block as either black or transparent. That combination enables them to build and display a working QR code, created using the expected 49-by-49 pixel matrix.
For security tools that review the contents of messages for signs of fraudulent behavior, the ASCII/Unicode full-block characters will typically look like nonsense text, so they likely won't trip alarms, Barracuda said. The firm "recommends that if security technologies flag the potential use of ASCII QR code in a phishing attack, the easiest option is to take a screenshot of the phishing email and pass it to an OCR engine to read the URL behind the QR code."
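As an added example (not from the article or from Barracuda), here is a text-level check a mail filter could run before handing a message to OCR: it flattens the body, decodes HTML entities, and looks for a roughly square run of rows dominated by U+2588, which is what a CSS-coloured block-character QR code looks like once the styling is stripped. The sample message is constructed for the demonstration and carries no real QR code.

```python
import html
import re

FULL_BLOCK = "\u2588"  # Unicode "full block", the character the article describes
# Tags that end a visual row in rendered HTML become newlines before all other tags are dropped.
ROW_BREAK = re.compile(r"<\s*(br|/div|/p|/tr)\b[^>]*>", re.I)
TAG = re.compile(r"<[^>]+>")

def body_to_rows(body):
    """Flatten an HTML or plain-text body into non-empty visual rows; numeric
    entities such as &#9608; or &#x2588; are decoded to the real character."""
    text = html.unescape(TAG.sub("", ROW_BREAK.sub("\n", body))).replace("\xa0", " ")
    return [r.rstrip() for r in text.splitlines() if r.strip()]

def is_block_row(row, min_cols, min_density):
    """Wide enough and dominated by full-block characters. Spaces are tolerated so a
    variant that uses ' ' instead of CSS-transparent blocks for light modules is still caught."""
    return len(row) >= min_cols and row.count(FULL_BLOCK) / len(row) >= min_density

def find_block_grids(body, min_size=21, min_density=0.4):
    """Return (first_row, rows, cols) for every run of equal-width block rows that forms a
    roughly square matrix of at least min_size (21 = smallest QR version; the article saw 49)."""
    rows, grids, i = body_to_rows(body), [], 0
    while i < len(rows):
        if not is_block_row(rows[i], min_size, min_density):
            i += 1
            continue
        width, j = len(rows[i]), i
        while j < len(rows) and len(rows[j]) == width and is_block_row(rows[j], min_size, min_density):
            j += 1
        height = j - i
        if height >= min_size and abs(height - width) <= max(2, width // 4):  # QR matrices are square
            grids.append((i, height, width))
        i = j
    return grids

def constructed_sample(n=25):
    """CONSTRUCTED test email: an n x n pattern built the way the article describes, every
    cell a &#9608; entity with CSS deciding black vs transparent. Arbitrary pattern, not a real QR."""
    cell = '<span style="color:{}">&#9608;</span>'
    grid = "\n".join(
        "<div>" + "".join(cell.format("#000" if (r * c) % 3 == 0 else "transparent") for c in range(n)) + "</div>"
        for r in range(n))
    return f"<html><body><p>Scan the code below to view your document.</p>\n{grid}\n<p>Thanks.</p></body></html>"

if __name__ == "__main__":
    print(find_block_grids(constructed_sample()))  # [(1, 25, 25)]
```

A hit is a signal to route the message to the screenshot-plus-OCR step the article recommends, not a verdict on its own; ordinary text rows never reach the density threshold.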
Criminal innovation underlies the fact that phishing attacks continue to be rife. The most recent report from the Internet Crime Complaint Center, which is run by the FBI and collects reports of internet-enabled crime, says the most reported type of crime in 2023 involved phishing and spoofing via unsolicited emails, text messages and telephone calls.
Barracuda said emailed malicious QR codes surged in the fourth quarter of 2023, with about one in 20 mailboxes being targeted. "These attacks generally involved static, image-based QR codes," it said. "Attackers embedded malicious links into the QR code and encouraged users to scan the code, which would then take them to a fake page that appeared to be a trusted service or application."
In response, many anti-phishing toolmakers added OCR scanning of incoming emails, including the ability to interpret QR codes and identify the URL to which they redirected, at which point tools could assess whether the destination site was malicious and, if so, block it.
Another innovation to get around those tools is the use of a Blob URI - aka Blob URL or Object URL - to redirect users to malicious sites.
A Blob is a piece of raw data generated in the browser - and existing only in memory - which can be read as either text or binary data, and is often used to generate a dynamic URL.
Barracuda said scammers use Blob URIs in phishing campaigns that impersonate major brands, including Air Canada, Capital One and Chase, and which exhort email recipients to click a link to review their accounts. In reality, the link "redirects them to an intermediate phishing page, which creates a Blob URI and quickly redirects the browser to the newly created link address," it said.
"Because Blob URIs don't load data from external URLs, traditional URL filtering and scanning tools may not initially recognize the content as malicious," it said.
While the latest QR code trickery is being used for phishing campaigns, low-tech schemes also remain common. In the physical realm, scammers continue to paste malicious QR codes over legitimate ones, and users cannot tell the two apart by looking.
Another common scheme is to add QR codes where none would be present.
California's San Francisco Municipal Transportation Agency reported being notified Thursday "of QR code stickers on a machine in Fisherman's Wharf," after which it found "fraudulent" stickers attached to five parking meters. The stickers, which purported to be for a legitimate pay-by-phone service, directed individuals to a malicious URL that the city said "has been disabled."
Per the city's guide to paying with its parking meters, none will have any official or approved type of QR code affixed.