QR code phishing with ASCII characters

July 20, 2024
| No comments
QR code phishing with ASCII characters
Advertising

Share post

Security researchers at Check Point have discovered a new type of QR code phishing (called “quishing”) that attackers use to cleverly bypass OCR systems.

By sending the infected QR codes in their phishing emails as image files instead of the usual ones, the masterminds use ASCII characters to recreate the characteristic black tiles of standard QR codes. These are difficult to distinguish from legitimate QR codes at first glance, but can be scanned like regular codes and converted into accessible - and in this case infected - URLs.

Advertising

The aim is OCR security analyses

Optical character recognition (OCR) is not only used for digitizing text and writing, but is also used in IT security. The technology helps monitor documents and communication channels and can support the early detection of malicious activities and compliance with data protection regulations. Machine learning is often used for this. Check Point has now uncovered a new campaign in which a QR code is not displayed as an image, but using ASCII characters and HTML in order to bypass the OCR scanning and filtering systems mentioned. The researchers intercepted over 600 such emails at the end of May alone.

Essentially, threat actors insert small blocks into the HTML code. In the email, this looks like a normal QR code to the recipient, but it contains a phishing link. However, an OCR system sees this as a normal string of characters, allowing the email to pass through the filter and reach its victim unhindered. There are websites that help threat actors generate these codes automatically, and they can be configured to contain malicious links.

Advertising

Subscribe to our newsletter now

Read the best news from B2B CYBER SECURITY once a month



By clicking on "Register" I agree to the processing and use of my data in accordance with the declaration of consent (please open for details). I can find more information in our Privacy Policy. After registering, you will first receive a confirmation email so that no other person can order something you don't want.
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our Privacy Policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.

CleverReach

This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/. The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You may object to the storage if your interests outweigh our legitimate interest. For more information, see the privacy policy of CleverReach at: https://www.cleverreach.com/de/datenschutz/.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

The researchers have discovered another example of a fake QR code that was created to bypass multi-factor authentication (MFA) and was also embedded in a phishing email that came from a supposed administrator. Since July 2023, the security researchers have been observing the new phishing methods using QR codes, which have recently increased dramatically. In February of this year, they registered over 10.000 attacks using QR codes - an increase of 1.688 percent compared to January. In March, there were already over 30.000 attacks, in April the number briefly fell again to around 10.000 and in May rose again dramatically to over 35.000 attacks. This is probably also attributable to the new methods.

QR Code Phishing 3.0 and OCR

Cybercriminals' attack methods are constantly evolving and QR code phishing is no exception. What is remarkable, however, is how quickly these developments are currently happening. It started with standard MFA verification codes. These were quite simple and asked users to scan a code to either reset MFA or even view financial data.

The second variant, QR code phishing 2.0, was a conditional routing attack. The link detects where the user interacts with it and adapts accordingly to appear more authentic. If the user is on a Mac, a different link is displayed than if the user is using an Android phone. Check Point has also seen custom QR code campaigns where the hackers dynamically insert the company's logo and even the correct username as the addressee.

QR code phishing 3.0 is now turning out to be a manipulation campaign. It is not a traditional QR code, but a text-based representation of one. This makes it much more difficult for OCR systems to see and recognize it. It also shows how the threat actors are adapting. Many email security solution providers have recently introduced new QR code protection using a form of OCR. Hackers know this and have tailored their campaigns accordingly. This may just be the next evolutionary phase in the eternal cat-and-mouse game of cybersecurity: hackers find gaps, defenders close them - then the cycle starts again. But you are not defenseless against these new scams. IT managers should implement security measures that

  • QR codes embedded in emails automatically decrypt and analyze the URLs for malicious content.
  • embedded QR codeRewrite s in the email text and replace them with a secure, rewritten link.
  • advanced artificial intelligence to detect several indicators of phishing.
More at Checkpoint.com

 

About check point

Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100.000 businesses of all sizes.

 

Matching articles on the topic

OpenCloud: Alternative file management solution

File management, file sharing and content collaboration - but in new ways and away from solutions of the large digital corporations Microsoft SharePoint ➡ Read more

Protect IoT and OT environments with MXDR

With the increasing number of IoT and OT devices, companies are increasing their attack surfaces for cybercriminals. Last year, almost every ➡ Read more

Hybrid SASE solution FireCloud Internet Access

With FireCloud Internet Access, WatchGuard Technologies presents the first product in a new family of hybrid Secure Access Service Edge (SASE) solutions. ➡ Read more

Proactive cybersecurity AI fends off attacks

Trend Micro's first proactive cybersecurity AI sets new standards with new capabilities for proactive risk management, threat modeling, attack path ➡ Read more

Chinese cyber espionage is increasing dramatically

The Global Threat Report 2025 published shows an increasing aggressiveness of Chinese cyber espionage, a rise in GenAI-based social engineering and vulnerability research ➡ Read more

Cybersecurity: Improved Enterprise Browser 

With the Enterprise Browser as part of the fully integrated SSE, companies can enable access from unmanaged devices, BYOD and ➡ Read more

Against cyber risks: Platform for risk management

Quickly identify security gaps and thus mitigate cyber risks: The new application extends Zscaler’s Exposure Management solution and offers a single ➡ Read more

Integrated Cloud Email Security for Microsoft 365

The Secure Email Gateway (SEG) is enhanced with seamless integration into cloud platforms such as Microsoft 365. The API deployment option offers ➡ Read more

 

PR News
, , , ,