What is Image Phishing? How Do QR-Codes Take Image Phishing (Qishing) to the Next Level?

Cybercriminals are constantly evolving their tactics to bypass modern security defenses and carry out successful attacks. Social engineering techniques like phishing have become one of the most common attack vectors from common men to organizations today. Attackers have started targeting images in their phishing campaign to operate covertly under the radar. This led to the birth of a new term, “Image Phishing”, which is nothing more than hiding malicious content inside of an image to trick traditional security systems.

We created this post to let you all know more about the new angle of Phishing, the role of images in Phishing, and especially, the role of QR-Codes in today’s Phishing campaigns. We will also cover how attackers are leveraging QR codes to further disguise phishing attempts and real examples of QR code phishing campaigns uncovered recently. By understanding these emerging threats, you’ll be better prepared to identify and stop sophisticated phishing efforts aimed at stealing sensitive data.

What is Image Phishing?

Phishing refers to fraudulent messages that impersonate a trusted source, like a bank, website, or organization. The goal is to trick users into revealing login credentials, financial information, or sensitive data that can be used for identity theft or cybercrime.

A classic phishing technique is to send an email containing a fake login page that imitates the look and feel of a legitimate website. The page prompts the user to enter their username and password, which goes directly to the scammer. Phishing links may also appear to be password reset requests or account verification notices from known companies.

Image phishing builds on traditional phishing by hiding the malicious content inside of an image rather than text. At first glance, the email looks harmless, displaying just a static image without any text body. However, embedded within the image is a phishing website or login form crafted to evade security filters.

Examples of Phishing emails with Images (Source: Trustwave)

Image of code inside an image (Source: Trustwave)

For example, an attack might send an image that appears to be an invoice or notification from a credible source. When opened, the image displays a fake login prompt inside. Another approach is using an image with minimal text to lower suspicions, making the phishing attempt appear more legitimate. This technique allows phishers to disguise the malicious parts of the message as the entire email resembles an image.

Rise of QR-Code Popularity with the Rise of Smart Phone Users

QR codes have become ubiquitous after an explosion in smartphone adoption. But what exactly are they, and how did they get to be so popular? Let’s quickly roll over these things.

QR codes, short for “quick response” codes, are scannable barcodes that can store various types of data. The squares and dots represent information that gets translated when scanned by a QR reader. In the early days, these QR codes were being scanned by scanner machines. But now, most smartphones are capable of scanning QR codes. Today, QR codes are more likely to be scanned by smartphones than by any device.

This history of QR codes says it was invented back in 1994 by an engineer at Denso Wave to track vehicles in production. The technology wasn’t widely adopted until the era of smartphones. When Apple integrated a native QR scanner into its iPhones in 2017, other smartphone makers quickly followed it and started providing scanners on their smartphones. According to BankMyCell, there are now over 6.9 billion smartphone users worldwide, representing 86% of the population. This surge of smartphones in the globe, especially in developing nations, has led to the surge of adopting QR codes.

During the pandemic in 2020, QR codes saw renewed popularity as businesses sought touchless ways to share menus, coupons, and other info. Now, retail, healthcare, hotels, and small shops have adopted QR codes more than any time before. But as we’ll explore next, their broad use also makes them a target for phishing attacks.

How Do QR-Codes Work?

QR codes may look like abstract boxes, but they actually function similarly to the standard barcodes you see on grocery items. The black and white squares represent different encoded data that gets translated when scanned.

Specifically, a QR code consists of three square finder patterns at the corners, with smaller alignment patterns scattered across the code. The black and white squares in between comprise the actual payload – numbers, characters, binary bits, or Kanji symbols.

A QR scanner, whether a standalone device or a smartphone camera, uses an optical sensor to capture the code’s unique pattern. Software on the device then analyzes and decodes the pattern using a Reed-Solomon error correction algorithm. This allows data to be extracted even if the code is partially damaged. The decoded data might be a URL, text, SMS, contact info, calendar event, or app command. For example, a concert poster may have a QR code that opens a ticket-purchasing website when scanned. Or a restaurant’s menu might have a code to view menu items on your phone.

FYI, QR codes can be classified into static or dynamic types. Static codes cannot be changed once created. Dynamic codes point to URLs that can be updated, allowing for better analytics on scanning activity. Overall, QR codes provide a quick and seamless way to bridge the gap between the physical and digital worlds. Their rise owes much to the convenience of scanning from a smartphone camera in just seconds.

A Real Recently Disclosed Qishing Campaign

Security researchers from Trustwave have uncovered phishing campaigns abusing QR codes to distribute malicious links and stage convincing scams. Let’s walk you through this recently analyzed campaign by Trustwave to understand how QR code phishing works.

Common Tactics Attackers Use in the Successful Qishing Campaign

Let’s us list the common techniques and tactics attackers use QR-Codes to take Image Phishing (Qishing) to the next level. Please carefully read each one of them to understand. 

1. A short malicious code: The core phishing tactic lies in the QR code itself. Attackers don’t make the code malicious. Instead, they just place a Phishing URL in the code. When security systems scan the code, they don’t even get a clue that the code is potentially malicious. This creates a golden opportunity for attackers to bypass the security systems.

2. URL redirection: Most of the security solutions are in search of malicious, newly created, random-looking, blacklisted, abnormal URLs. However, attackers craft the Phishing URLs inside a legitimate popular URL. For example, the URL below pretends to be a Bing search link, but it redirects victims to the real phishing site.

https://www[.]bing[.]com/ck/a?!&&p=e9085e096df3a5beJmltdHM9MTY4MzMzMTIwMCZpZ3VpZD0yNzM3NzgtNjRmZi0zM2RlLTI4MmJlZjc3NjVhMSZ1PWExYUhSMG9HUnBZMnRPWlhKcEoyOXdZWEp6ZVhOMExXeGxZMjV6WlhJOU1USXdNVEl5TGpFek5qQTNNUT09JnQ9

3. Shortened URL services: There are several examples of attackers abusing URL shorten services to disguise the underlying phishing link and to be detection proof.

4. Dynamic QR codes: Dynamic Attackers often abuse dynamic QR code services that allow to update the destination while reusing the same code image.

5. Target brand impersonation: Some QR phishing emails are highly targeted, customizing the message templates with the victim company’s real logo and branding. This increases the familiarity and likelihood that victims believe the notification is legitimate. Along with mimicking branding, attackers make phish sites reflect the target’s login portal with familiar imagery. This multi-layer impersonation makes the attack more convincing for victims.

6. Multistage Redirects: The QR code links often pass through multiple hops and redirects to further disguise the attack. This helps evade detection by redirecting through clean sites first before reaching the malicious endpoint.

7. PDF Attachments: It is a natural tendency to assume the QR code inside a pretending PDF must be valid if sent as an attachment. Attackers utilize this tendency to tram the user. In other examples, the phishing emails contain no text – just a PDF attachment. Opening the attachment displays a QR code and instructions to scan it for “account verification” or other pretexts. If the user scans the QR code, he is in the trap.

8. Automated QR Code Generation: Some phishing kits automatically generate QR codes on the fly using public APIs rather than static images. For example, the HTML attachment embeds an API call to generate the QR code targeting the victim. This technique adds dynamism to customize the attack for each target on demand. It also allows changing the QR code as needed without resending emails.

All these techniques allow the attackers to abuse the QR code to carry out a successful Qishing campaign and hide under the radar.

Bottom Line

By looking at the pace of smartphone market capture, Qishing (IQR code phishing) is definitely going to be one of the popular attack vectors. Organizations should train employees to identify telltale signs of phishing attempts and confirm the source of any unusual login requests. Using a robust email security solution can also help block these emerging image phishing threats. On the other hand, the common public should be aware of such new attack trends. It is expected that attackers find innovative ways to trick the victim, and they keep doing this for an infinite time. It is the responsibility of every individual to be educated and aware of such attacks.

We hope this post serves the purpose and becomes a good source of information to know more about the new angle of Phishing, the role of images in Phishing, and especially, the role of QR-Codes in today’s Phishing campaigns.

Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.