Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Malicious Pixels: Criminals Revamp QR Code Phishing Attacks

Attackers Use ASCII Characters to Create Tough-to-Spot QR Codes, Barracuda Warns
Malicious Pixels: Criminals Revamp QR Code Phishing Attacks
Scammers are finding ways to sneak QR codes through endpoint scanning. (Image: Shutterstock)

Scammers are tweaking their approach to building QR codes to better bypass defenses designed to spot and block nefarious activity.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

Cybersecurity firm Barracuda Networks reports observing a surge in phishing emails that arrive with malicious QR codes built to evade optical character recognition systems designed to block attempts to forward users onto malicious sites.

Attackers are doing this by not attaching an image of a QR code, but rather using ASCII or Unicode "full block" characters - █ - together with Cascading Style Sheets that allow them to display not black and transparent blocks. That combination enables them to build and display a working QR code, created using the expected 49-by-49 pixel matrix.

For security tools that review the contents of messages for signs of fraudulent behavior, the ASCII/Unicode full-block characters will typically look like nonsense text, so they likely won't trip alarms, Barracuda said. The firm "recommends that if security technologies flag the potential use of ASCII QR code in a phishing attack, the easiest option is to take a screen shot of the phishing email and pass it to OCR engine to read the URL behind the QR code."

Criminal innovation underlies the fact that phishing attacks continue to be rife. The most recent report from the Internet Crime Complaint Center, which is run by the FBI and collects reports of internet-enabled crime, says the most reported type of crime in 2023 involved phishing and spoofing via unsolicited emails, text messages and telephone calls.

Barracuda emailed malicious QR codes surged in the fourth quarter of 2023, with about one in 20 mailboxes being targeted. "These attacks generally involved static, image-based QR codes," it said. "Attackers embedded malicious links into the QR code and encouraged users to scan the code, which would then take them to a fake page that appeared to be a trusted service or application."

In response, many anti-phishing toolmakers added OCR scanning of incoming emails, including the ability to interpret QR codes and identify the URL to which they redirected, at which point tools could assess if the destination site was malicious and if so block it.

Another innovation to get around those tools is use of a Blob URI - aka Blob URL or Object URL - to redirect users to malicious sites.

A Blob is a piece of raw data generated in browser - and existing only in memory - which can be read as either text or binary data, and is often used to generate a dynamic URL.

Barracuda said scammers use Blob URIs in phishing campaigns that impersonate major brands, including Air Canada, Capital One and Chase, and which exhort email recipients to click a link to review their accounts. In reality, the link "redirects them to an intermediate phishing page, which creates a Blob URI and quickly redirects the browser to the newly created link address," it said.

"Because Blob URIs don't load data from external URLs, traditional URL filtering and scanning tools may not initially recognize the content as malicious," it said.

Despite the latest QR code trickery being used for phishing campaigns, low-tech exploits also remain common. In the physical realm, scammers continue to cover legitimate QR codes with malicious ones, which are visually impossible for users to differentiate.

Another common scheme is to add QR codes where none would be present.

California's San Francisco Municipal Transportation Agency reported being notified Thursday "of QR code stickers on a machine in Fisherman's Wharf," after which it found "fraudulent" stickers attached to five parking meters. The stickers, which purported to be for a legitimate pay-by-phone service, directed individuals to a malicious URL that the city said "has been disabled."

Per the city's guide to paying with its parking meters, none will have any official or approved type of QR code affixed.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.