The Scanception campaign is an ongoing, sophisticated quishing attack using QR codes embedded in PDFs to bypass traditional security measures and harvest credentials through adversary-in-the-middle phishing pages. The campaign abuses trusted platforms for redirection and targets multiple global sectors, evading detection with advanced techniques. #Scanception #AdversaryInTheMiddle #QRPhishing
Key points
- Scanception uses QR codes in PDF attachments to deliver credential-harvesting URLs, effectively bypassing email security and endpoint protections by targeting unmanaged mobile devices.
- The campaign has generated over 600 unique phishing PDFs in three months, many mimicking legitimate enterprise workflows with high precision targeting across Technology, Healthcare, Manufacturing, and BFSI sectors.
- It abuses trusted cloud platforms (YouTube, Google, Bing, Cisco, Medium) and open redirectors to relay victims to phishing sites, evading reputation-based detection and email filters.
- The phishing infrastructure uses multi-stage credential harvesting, browser fingerprinting, and adversary-in-the-middle (AITM) tactics to bypass MFA and enable account takeover.
- Advanced evasion techniques include detecting automation tools, disabling right-click, monitoring debugger activity, and generating randomized URLs for credential exfiltration.
- The campaign operates globally with concentrated activity in North America, EMEA, and APAC, employing region-specific lure customization and sector-focused targeting.
- Security recommendations include deploying advanced email inspection, monitoring AITM phishing infrastructure, integrating threat intelligence, and updating user awareness on QR-based social engineering attacks.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – PDF attachments mimic legitimate business documents to deliver the attack (“PDF attachments mimicking legitimate business documents”).
- [T1566.002] Spearphishing Link – QR codes in PDFs redirect victims to fake Office 365 login pages (“QR codes in PDFs redirect to fake Office 365 login pages”).
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – The phishing site detects automation tools like Selenium and redirects to “about:blank” to evade detection (“Detects automation tools and redirects to ‘about:blank’”).
- [T1562.002] Disable or Modify Tools – Right-click is disabled and debugging activity is monitored; if detected, redirection to legitimate URLs occurs (“Disables right-click and monitors debugging activity”).
- [T1036.001] Masquerading – Multi-page PDFs are used to evade detection engines that typically scan only initial pages (“Multi-page PDFs to evade detection engines”).
- [T1090.002] External Proxy – Trusted redirect services such as YouTube, Google, and Bing are abused to relay victims to phishing infrastructure (“Abuses trusted redirect services (YouTube, Google, Bing)”).
- [T1557] Adversary-in-the-Middle – Real-time credential harvesting relays the captured credentials to the Microsoft login portal to bypass MFA (“Real-time credential harvesting via POST requests”).
- [T1217] Browser Information Discovery – Browser fingerprinting information is collected and sent to attackers (“Collects browser fingerprinting data”).
- [T1111] Multi-Factor Authentication Interception – AITM technique used to intercept MFA tokens and codes for account takeover (“AITM technique to bypass MFA in real-time”).
- [T1102.002] Web Service: Bidirectional Communication – Maintains an open channel for real-time instructions with attacker backend (“Maintains an open channel for real-time instructions”).
- [T1568.002] Domain Generation Algorithms – Randomized URL paths generated using the randroute function to reduce detection (“Generates randomized URL paths using the randroute function”).
- [T1132.002] Data Encoding: Non-Standard Encoding – Credentials and browser data encrypted during transmission (“AES encryption of credentials and browser data during C2 transmission”).
Indicators of Compromise
- [PDF files] Credential harvesting lures – Over 600 unique phishing PDFs mimicking enterprise documents, many undetected on VirusTotal.
- [URLs] Phishing domains and redirect links – Examples include ilbls-contempobuilder.qkipikpp[.]es and abusive redirect URLs from youtube[.]com, google[.]com, bing[.]com, cisco[.]com, and medium[.]com.
- [Email addresses] Encoded in base64 within the email_base64 field to conceal user identifiers used in campaigns.
- [JavaScript Libraries] randexp.min.js – Used to generate randomized URL paths for exfiltration endpoints, aiding evasion.
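The key points, the T1090.002 entry and the URL indicators above all describe the same trick: the QR code points at a trusted platform's redirector, so reputation checks score the first hop rather than the phishing host. The following is an added defender-side example, not code from the Cyble report or from the campaign, that statically unwraps such redirect chains so a mail gateway or QR-decoding pipeline can score the final landing host. The redirector endpoints and the `a1` + base64url form of Bing's `u` parameter are assumptions about those services' public redirect URLs; cisco.com is omitted because the report gives no endpoint format for it, and `phish.example` in the comments is a constructed placeholder.

```python
import base64
from urllib.parse import urlparse, parse_qs

# Assumed public redirect endpoints: (host suffix, path prefix, query parameter).
REDIRECTORS = [
    ("youtube.com", "/redirect", "q"),
    ("google.com", "/url", "q"),
    ("bing.com", "/ck/a", "u"),
    ("medium.com", "/r/", "url"),
]
MAX_HOPS = 5  # guard against redirector loops


def _decode_target(host_suffix, value):
    """Bing's 'u' value is assumed to be 'a1' + unpadded base64url of the target URL;
    the other services carry the target in plain form (parse_qs already unquoted it)."""
    if host_suffix != "bing.com":
        return value
    if not value.startswith("a1"):
        return None
    raw = value[2:]
    raw += "=" * (-len(raw) % 4)  # restore stripped base64 padding
    try:
        return base64.urlsafe_b64decode(raw).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_redirects(url, max_hops=MAX_HOPS):
    """Follow known redirectors statically (no network). Returns (final_url, hops),
    where hops lists the redirector URLs traversed before the landing page."""
    hops, current = [], url
    for _ in range(max_hops):
        p = urlparse(current)
        host = (p.hostname or "").lower()
        target = None
        for suffix, path, param in REDIRECTORS:
            if (host == suffix or host.endswith("." + suffix)) and p.path.startswith(path):
                values = parse_qs(p.query).get(param)
                if values:
                    target = _decode_target(suffix, values[0])
                break
        if not target or not target.startswith(("http://", "https://")):
            break
        hops.append(current)
        current = target
    return current, hops


def landing_host(url):
    """The host to reputation-score: the end of the chain, not the trusted first hop."""
    final, _ = unwrap_redirects(url)
    return (urlparse(final).hostname or "").lower()
```

Two chained hops (YouTube wrapping Google wrapping a constructed `phish.example` URL) resolve to `phish.example`, which is the host a block or alert should be based on.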
Read more: https://cyble.com/blog/scanception-a-qriosity-driven-phishing-campaign/