QR codes are being exploited in phishing to hide malicious URLs and bypass filters, with threat actors using QR codes in emails and PDFs to lure victims into credential harvest pages. The campaigns increasingly impersonate MFA/SSO flows and rely on chained redirects, URL obfuscation, and targeted branding to trick users.
Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/think-before-you-scan-the-rise-of-qr-codes-in-phishing/
Keypoints
- QR code phishing (a.k.a. "Qishing") uses QR codes to conceal malicious URLs and evade anti-spam filters.
- Threat actors embed QR codes in phishing emails as images and inside PDFs, sometimes with legitimate branding (logos) to look authentic.
- The QR code directs users to a phishing page after a chain of redirects, often starting from Bing search results and using typosquatted domains.
- The campaign harvests victims’ credentials by impersonating MFA/SSO login flows and capturing data through a fake login page.
- Obfuscated JavaScript and base64 encoding are used to conceal redirections and extract victim data from URLs.
- Defenses include user awareness, staff training, and security tools (e.g., Trustwave MailMarshal) that analyze multiple phishing traits.
MITRE Techniques
- [T1566.002] Spearphishing Link – The QR code leads victims to a phishing page via a linked URL, hiding malicious intent behind an image. Quote: “Threat actors are taking image phishing to the next level by leveraging QR codes, a.k.a. ‘Qishing’, to hide their malicious URLs.”
- [T1566.001] Spearphishing Attachment – PDF attachments carry malicious QR codes to bypass filters and deliver the malicious link. Quote: “Placing Malicious QR Codes in PDFs”
- [T1027] Obfuscated/Compressed Files and Information – The redirection chain uses obfuscated content and base64-encoded data retrieved from URLs. Quote: “This URL contains the following obfuscated JavaScript code … and tries to capture the last part of the URL [Fig. 6] after the number (#) sign, then passes it to an atob() function converting the base64 string…”
- [T1059.007] JavaScript – JavaScript is used to perform redirection and extract data from the URL. Quote: “obfuscated JavaScript code designed to handle bing.com redirections.”
- [T1204] User Execution – Victims are lured into scanning QR codes with their mobile phones to gain access. Quote: “lure their victims into scanning the QR code with their mobile phones to gain access.”
- [T1583] Acquire Infrastructure – Domains and infrastructure (including typosquatting and newly registered domains) are used to host phishing assets. Quote: “one-year registration [Fig. 9], a common characteristic of domains used by threat actors”
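A defender-side triage routine for a URL decoded from a suspicious QR code, added here as an example (not code from the Trustwave post): it checks the traits listed above, the bing.com/ck/a redirect wrapper, confusable-character look-alike hosts, IPFS gateway hosting, and a victim address carried after '#' either plain or base64-encoded for atob(). The brand token list, confusable pairs and every host name or URL used are constructed assumptions, not indicators from the campaign.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, unquote

# Heuristics assumed from the traits the post describes (bing.com/ck/a redirect
# wrappers, look-alike hosts, IPFS gateways, victim address after '#'). Names
# and sample URLs here are constructed for this example, not from the campaign.
REDIRECT_HOSTS = {"www.bing.com", "bing.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
BRAND_TOKENS = ("microsoft", "office", "okta")

def victim_from_fragment(fragment: str):
    """Return the address smuggled after '#', plain or base64 (the lure's
    script feeds the fragment to atob()), or None if there is none."""
    frag = unquote(fragment)
    if EMAIL_RE.match(frag):
        return frag
    try:
        padded = frag + "=" * (-len(frag) % 4)
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None

def looks_like_brand(host: str) -> bool:
    """True when swapping confusable strings ('rn' read as 'm' on a phone
    screen) turns the host into one that names a brand."""
    fixed = host
    for fake, real in CONFUSABLES:
        fixed = fixed.replace(fake, real)
    return fixed != host and any(tok in fixed for tok in BRAND_TOKENS)

def triage_qr_url(url: str) -> dict:
    """Triage a URL decoded from a QR code against the campaign's traits."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    findings = []
    if host in REDIRECT_HOSTS and parts.path.startswith("/ck/a"):
        findings.append("search-engine redirect wrapper")
    if ".ipfs." in host or host.endswith(".dweb.link"):
        findings.append("ipfs gateway hosting")
    if looks_like_brand(host):
        findings.append("brand look-alike host")
    victim = victim_from_fragment(parts.fragment) if parts.fragment else None
    if victim:
        findings.append("victim identifier in fragment")
    return {"host": host, "victim": victim, "findings": findings}
```

Feed it the string your QR decoder returns; any non-empty findings list is a reason to block the message and pull the decoded victim address into the incident record.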
Indicators of Compromise