New Generation of Malicious QR Codes Uncovered by Researchers

Summary:
Barracuda threat analysts have identified a new wave of QR code phishing attacks, known as "quishing," that employ sophisticated techniques to bypass traditional security measures. These phishing attempts use QR codes generated from text-based ASCII/Unicode characters instead of conventional static images, making them difficult for optical character recognition systems to interpret. While these text-based QR codes visually resemble legitimate QR codes to users, they appear as meaningless text to OCR-based defenses, which are commonly used by security tools to scan for malicious content.

In one technique, attackers craft emails with QR codes made from a 49x49 matrix of "full block" characters, giving the illusion of a legitimate QR code while evading OCR detection. Another evasive method involves using binary large object (Blob) universal resource identifiers to create phishing pages. Blob URIs allow the manipulation of binary data, such as images or files, directly within a web browser without needing to interact with external servers. Since Blob URIs don’t rely on external URLs, traditional URL filtering tools may fail to identify them as threats. Additionally, Blob URIs are dynamically created and can expire quickly, further complicating detection and analysis.

Security Officer Comments:
Barracuda researchers have yet to observe these two techniques used together. Typically, traditional QR code phishing attacks embed malicious links within a QR code image, which security tools can scan for known harmful URLs. However, these new tactics are designed to circumvent such scanning by either making the QR code unreadable by image-based detection systems or disguising malicious content through dynamic, hard-to-track Blob URIs.


Suggested Corrections:
Enhance Email Filtering Systems:
  • Update email filters to detect text-based QR codes and Blob URIs. This ensures malicious content is caught before it reaches end-users.

Educate Employees on Phishing Risks:
  • Train employees to recognize suspicious emails, especially those containing QR codes. Awareness is crucial in preventing successful phishing attempts.

Utilize Multi-Layered Security:
  • Implement behavior-based detection systems to monitor unusual activity, adding an extra layer of defense when traditional methods fail.

Block Unknown Blob URIs:
  • Apply policies to restrict access to Blob URIs from unknown or untrusted sources to prevent users from unknowingly accessing malicious content.
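
For the email-filtering recommendation above, one way to flag a text-based QR code such as the 49x49 full-block matrix described in the summary. This is an added example, not code from Barracuda or the original article; it assumes the message body has already been rendered to plain text, and the function names, the 21-row minimum and the 0.9 fill ratio are illustrative choices.

```python
import re
import unicodedata

# Unicode "Block Elements" range U+2580-U+259F; U+2588 is FULL BLOCK.
BLOCK = re.compile(r"[\u2580-\u259F]")
MIN_SIDE = 21     # assumption: smallest standard QR symbol is 21x21 modules
MIN_RATIO = 0.9   # assumption: share of a row that must be blocks or spaces


def grid_width(line):
    """Return the row width if the line looks like one row of a glyph grid, else 0."""
    # Drop zero-width/format characters that would otherwise split a run.
    row = "".join(c for c in line if unicodedata.category(c) != "Cf")
    if len(row) < MIN_SIDE or not BLOCK.search(row):
        return 0
    fill = sum(1 for c in row if BLOCK.match(c) or c in " \u00a0")
    return len(row) if fill / len(row) >= MIN_RATIO else 0


def find_text_qr(text):
    """Return (first_line, rows, max_width) for each run of >= MIN_SIDE grid rows."""
    hits, start, width = [], None, 0
    for i, line in enumerate(text.splitlines() + [""]):  # "" flushes a final run
        w = grid_width(line)
        if w:
            if start is None:
                start, width = i, 0
            width = max(width, w)
            continue
        if start is not None and i - start >= MIN_SIDE:
            hits.append((start, i - start, width))
        start = None
    return hits


# Constructed sample: a 49x49 grid of full blocks and spaces (not a real QR code).
GRID = "\n".join(
    "".join("\u2588" if (r * c + r + c) % 3 else " " for c in range(49))
    for r in range(49)
)
SAMPLE_EMAIL = "Dear user,\nScan the code below to view your document.\n" + GRID + "\nRegards\n"
BENIGN_EMAIL = "Backup progress: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 40%\nDone.\n"

if __name__ == "__main__":
    print(find_text_qr(SAMPLE_EMAIL))   # [(2, 49, 49)]
    print(find_text_qr(BENIGN_EMAIL))   # []
```

A hit is a reason to hold the message for further inspection rather than proof of phishing, since block glyphs also appear in legitimate progress bars and text art.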

Link(s):
https://www.infosecurity-magazine.com/news/new-gen-malicious-qr-codes/
https://blog.barracuda.com/2024/10/09/novel-phishing-techniques-ascii-based-qr-codes-blob-uri