Cybercrooks find a simple trick to bypass malicious QR code detection – HTML tables

Cybercriminals have discovered a way to bypass detection engines for malicious QR codes, which are designed to protect email users. Now, they’re spamming inboxes with fraudulent QR codes generated with HTML code, instead of attached images.
Security researchers at the Internet Storm Center of the SANS Technology Institute discovered a QR phishing campaign that bypasses many current security controls.
Between December 22nd and December 26th, a “recent string of phishing messages” hit their inboxes. Instead of the usual attached image, each message rendered its QR code as an HTML table.
This simple technique is effective in “bypassing QR code detection and analysis in e-mail messages.”
“Due to the 'cat and mouse' nature of cybersecurity, threat actors continually search for ways of bypassing various security controls,” the researchers write in a report.
All of the malicious messages used a basic layout and contained only a few lines of text along with the QR code. The lures encouraged users to scan the QR code to review and sign a document.
Each QR code module was a cell in a 35x35 HTML table, with its background color set to either white or black. The researchers noted that, to a user, such a QR code looks quite normal, although in this case it was “a little squished.”
If a user scanned such a QR code, they would end up on malicious phishing sites that harvest credentials.
While the technique is not new, its adaptation in real-world phishing campaigns highlights that assumptions about how malicious content is delivered are not always correct. Current detection systems look for QR codes in attached or embedded images, so a code drawn from table cells never reaches the image analysis at all.
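The technique described above, as an added example that is not code from the SANS ISC post or from the campaign itself: one side builds a "QR code" the way the phishing mails did (one `<td>` per module with a black or white background and no image anywhere), the other side rebuilds the module grid from the table and checks it for the three finder patterns every QR code carries, so a table-rendered code can be routed to the same decoder an attached image would hit. The module grid is a constructed sample with genuine finder patterns and random filler, not a scannable code, and every function name here is this example's own.

```python
import random
import re
from html.parser import HTMLParser

# Constructed sample: a 35x35 module grid (the size the article reports). Only the
# three 7x7 finder patterns are genuine QR structure; the rest is random filler,
# so this grid is NOT a scannable code, it merely has the shape a detector checks.
SIZE = 35
FINDER = ["1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111"]

def make_synthetic_grid(size=SIZE, seed=1):
    rng = random.Random(seed)
    grid = [[rng.randint(0, 1) for _ in range(size)] for _ in range(size)]
    for r0, c0 in [(0, 0), (0, size - 7), (size - 7, 0)]:  # finder corners
        for dr in range(-1, 8):
            for dc in range(-1, 8):
                r, c = r0 + dr, c0 + dc
                if 0 <= r < size and 0 <= c < size:
                    inside = 0 <= dr < 7 and 0 <= dc < 7
                    grid[r][c] = int(FINDER[dr][dc]) if inside else 0  # 0 = light separator
    return grid

def grid_to_html_table(grid, px=4):
    """Render the grid the way the phishing mails did: one <td> per module,
    coloured by an inline background-color, with no <img> anywhere."""
    rows = []
    for row in grid:
        cells = "".join('<td style="width:%dpx;height:%dpx;background-color:%s"></td>'
                        % (px, px, "#000000" if m else "#ffffff") for m in row)
        rows.append("<tr>%s</tr>" % cells)
    return '<table cellspacing="0" cellpadding="0">%s</table>' % "".join(rows)

# ---- detection side: rebuild the module grid from the table, then look for finders
COLOR_RE = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)
NAMED = {"black": (0, 0, 0), "white": (255, 255, 255)}

def parse_color(text):
    """(r, g, b) for the names above, #rgb or #rrggbb; None for anything else."""
    s = text.strip().lower()
    if s in NAMED:
        return NAMED[s]
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", s)
    if not m:
        return None
    h = m.group(1) if len(m.group(1)) == 6 else "".join(ch * 2 for ch in m.group(1))
    return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))

def classify_cell(style, bgcolor):
    """1 = dark module, 0 = light module, None = no usable background colour."""
    m = COLOR_RE.search(style or "")
    rgb = parse_color(m.group(1) if m else (bgcolor or ""))
    if rgb is None:
        return None
    r, g, b = rgb
    return 1 if 0.299 * r + 0.587 * g + 0.114 * b < 128 else 0

class TableGridParser(HTMLParser):
    """Collect every <table> as a matrix of classified cells (nested tables not tracked)."""
    def __init__(self):
        super().__init__()
        self.tables, self._rows, self._row = [], None, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self._rows = []
        elif tag == "tr" and self._rows is not None:
            self._row = []
        elif tag == "td" and self._row is not None:
            self._row.append(classify_cell(a.get("style"), a.get("bgcolor")))
    def handle_endtag(self, tag):
        if tag == "tr" and self._row is not None:
            self._rows.append(self._row)
            self._row = None
        elif tag == "table" and self._rows is not None:
            self.tables.append(self._rows)
            self._rows = None

def has_finder_at(grid, r0, c0):
    return all(grid[r0 + dr][c0 + dc] == int(FINDER[dr][dc]) for dr in range(7) for dc in range(7))

def find_finder_patterns(grid):
    """Top-left corners of every 7x7 finder pattern in a square grid."""
    n = len(grid)
    return [(r, c) for r in range(n - 6) for c in range(n - 6) if has_finder_at(grid, r, c)]

def looks_like_qr_table(table, min_size=21):
    """Square, fully coloured, at least 21 modules (the smallest QR version) and
    carrying three finder patterns: hand it to the normal image-based QR decoder."""
    n = len(table)
    if n < min_size or any(len(row) != n for row in table):
        return False
    if any(cell is None for row in table for cell in row):
        return False
    return len(find_finder_patterns(table)) >= 3

def scan_html_for_table_qr(html):
    """Return the QR-like tables found in an HTML mail body."""
    parser = TableGridParser()
    parser.feed(html)
    return [t for t in parser.tables if looks_like_qr_table(t)]
```

Running `scan_html_for_table_qr(grid_to_html_table(make_synthetic_grid()))` returns the one table; a normal layout table with text cells or mixed colours returns nothing. The finder-pattern check is deliberately strict (an exact 7x7 match in three places) to keep false positives on ordinary layout tables near zero; a production filter would then rasterise the flagged table and pass it to its existing image QR decoder rather than trying to decode the payload here, and would also need to handle nested tables, `colspan`, CSS classes and `<div>` grids, which this example does not.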
“Purely technical security controls can never stop all potentially malicious content – especially content that has a socio-technical dimension,” the post concludes.