QR Code Phishing with EvilGophish

Adversaries keep looking for ways around the controls that have grown up around e-mail phishing, and one method that has gained traction is the QR code. At first glance a QR code is a benign convenience for reaching a website or piece of information from a phone. Its characteristics, however, give an attacker several advantages, particularly against detection:

1. Concealed URLs: With a conventional link the destination is visible, can be hovered over and can be checked before it is clicked. A QR code hides the URL behind an image, so that first line of human scrutiny never happens; the recipient only sees where they are going once the phone has already opened it.

2. Evasion of link-centric security controls: Many mail-security products extract URLs from text and HTML and analyse those. A URL that exists only as pixels inside an image is invisible to that pipeline unless the product also locates and decodes QR codes in images, which a link-only scanner does not do.

3. Bypassing awareness training: Years of training have taught users to hesitate before clicking a suspicious link. That caution has not yet transferred to QR codes; scanning one feels like a novel, low-stakes action, so the recipient skips the check they would apply to a link.

4. Moving the victim to a mobile device: QR codes are scanned with phones, which are often less protected than a managed desktop and show far less of a URL. The phishing session therefore starts on the device where the organisation has the least visibility, which makes QR codes a strategic choice for credential theft and malware delivery on mobile.

5. Bridging the physical and digital realms: A QR code can be printed on a poster, a flyer or a badge, or shown on a screen, reaching people outside any e-mail channel and outside the logging and filtering that e-mail receives.
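The evasion in point 2 only works against scanners that inspect text. As an added example (not from the original post and not part of EvilGophish), the following Go triage function shows what the receiving-side check looks like: it walks the MIME parts of a message, collects inline images that the HTML body references by Content-ID, keeps those that are square and at least 21 pixels wide (the smallest QR symbol is 21 modules, so anything smaller is a tracking pixel or an icon), and reports whether the body contains any hyperlink at all. A square inline image as the only call to action in a body with no `<a href>` is the signature of a QR-only lure; the candidates are then handed to a QR decoder and the decoded URL goes through the usual URL checks. The function names and the constructed sample message are the example's own assumptions.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"image"
	"image/png"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"regexp"
	"strings"
)

// Finding is one inline image worth handing to a QR decoder.
type Finding struct {
	ContentID  string
	Width      int
	Referenced bool // an <img src="cid:..."> in the HTML points at it
}

var (
	hrefRe = regexp.MustCompile(`(?i)<a\b[^>]*\bhref\s*=`)
	cidRe  = regexp.MustCompile(`(?i)<img\b[^>]*\bsrc\s*=\s*["']?cid:([^"'\s>]+)`)
)

// Triage parses a raw message whose top level is a multipart container (the
// multipart/related shape an inline-image lure uses; nested containers are
// left to a fuller walker). It returns the square inline PNGs the HTML body
// references and whether the body carries any <a href> at all.
func Triage(raw string) (findings []Finding, hasLinks bool, err error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, false, err
	}
	_, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil {
		return nil, false, err
	}
	var html strings.Builder
	images := map[string][]byte{}
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, false, err
		}
		var body io.Reader = p
		if strings.EqualFold(p.Header.Get("Content-Transfer-Encoding"), "base64") {
			body = base64.NewDecoder(base64.StdEncoding, p) // Go auto-decodes only quoted-printable
		}
		b, err := io.ReadAll(body)
		if err != nil {
			return nil, false, err
		}
		mt, _, _ := mime.ParseMediaType(p.Header.Get("Content-Type"))
		switch {
		case mt == "text/html":
			html.Write(b)
		case strings.HasPrefix(mt, "image/"):
			images[strings.Trim(p.Header.Get("Content-ID"), "<>")] = b
		}
	}
	hasLinks = hrefRe.MatchString(html.String())
	referenced := map[string]bool{}
	for _, m := range cidRe.FindAllStringSubmatch(html.String(), -1) {
		referenced[m[1]] = true
	}
	for cid, data := range images {
		cfg, err := png.DecodeConfig(bytes.NewReader(data))
		// Not PNG, not square, or below the 21-module QR minimum: not a candidate.
		if err != nil || cfg.Width != cfg.Height || cfg.Width < 21 {
			continue
		}
		findings = append(findings, Finding{cid, cfg.Width, referenced[cid]})
	}
	return findings, hasLinks, nil
}

// SampleLure is a constructed message in the shape a QR-only lure takes: the
// only call to action is an inline image referenced by cid and there is no
// hyperlink. The image is a blank 64x64 square, not a real QR code.
func SampleLure() string {
	var buf bytes.Buffer
	png.Encode(&buf, image.NewGray(image.Rect(0, 0, 64, 64)))
	msg := `From: it-helpdesk@example.com
Subject: MFA re-enrolment required
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Scan with your phone to re-enrol: <img src="cid:qr-abc123@campaign" width="200" height="200"></p>
--b1
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <qr-abc123@campaign>

` + base64.StdEncoding.EncodeToString(buf.Bytes()) + `
--b1--
`
	return strings.ReplaceAll(msg, "\n", "\r\n")
}
```

Run against `SampleLure()` the function returns one referenced 64-pixel finding and `hasLinks == false`; the same message with a normal `<a href>` call to action still yields the finding but `hasLinks == true`, so the "image but no link" rule alone would not fire on it. The square-and-size filter is deliberately loose: it is a cheap pre-filter to decide which images are worth the cost of a QR decode, not a verdict on its own.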

EvilGophish Weaponization

Now that we have a solid understanding of why adversaries might want to use QR codes in a social engineering campaign, let's look at weaponizing them ourselves with EvilGophish. This is a new feature only available to sponsors. To become a sponsor, select the appropriate tier from my list of tiers; that grants access to the private Sponsors repository on GitHub Sponsors here.

EvilGophish Implementation

I wanted this feature to be as convenient as possible for an operator while leaving them full control over how QR codes are inserted into emails, and I wanted it to be as potent as possible, which meant putting some thought into the design. Rather than appending the image to the end of every email by default (which takes control away from the operator) or including it as an attachment, I added a new email-template variable, {{.QR}}.

The variable expands to an inline image at exactly the point where it is written, so the operator decides where the QR code appears when the victim views the email. An inline image is more likely to be viewed and scanned than a rogue attachment or an image placed somewhere that does not align with the pretext, and control over placement widens the range of pretexts the feature can support. Operators also set the height and width of the included image, so the QR code can be sized to fit the template. This seemed the easiest and most potent way to expose the feature while giving operators the most control.

The image below shows the new template variable inside an HTML email template. Adding it to the template is the first step in using the feature for an email campaign within EvilGophish.

HTML email template using new {{.QR}} template variable

The next step is to set the size of the QR code image when starting a new campaign. Leave the QR Code Size field blank to run a standard campaign without QR code images.

Campaign configuration specifying QR code size

At this point every recipient receives an email containing a QR code image of their own phish URL, including the unique identifier used for campaign tracking statistics. When the code is scanned, the scanning device opens its browser on the Evilginx server URL, so the MFA-bypass flow proceeds exactly as it would from a clicked link. This test simply pointed at Google, which you can verify by scanning the QR code below. The screenshot shows a sample of what victims receive.
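To make the three steps above concrete (template variable, operator-chosen size, per-recipient URL carrying the tracking identifier inside the image), here is an added Go example. It is not EvilGophish's code: the `{{.QR}}` expansion into an `<img>` sized by the operator, the `rid` query parameter as the tracking identifier, the Content-ID scheme and the `BuildMessage`/`rasterize` names are all assumptions made for the example. The QR encoder is injected as a function so the block runs offline; a real build would wrap a QR library that returns the module matrix for the URL.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"html/template"
	"image"
	"image/png"
	"mime/multipart"
	"net/textproto"
	"net/url"
)

// rasterize paints a QR module matrix (true = dark) as a PNG about size x size
// pixels, with the four-module white quiet zone scanners expect.
func rasterize(modules [][]bool, size int) ([]byte, error) {
	n := len(modules)
	const quiet = 4
	scale := size / (n + 2*quiet)
	if scale < 1 {
		scale = 1
	}
	px := (n + 2*quiet) * scale
	img := image.NewGray(image.Rect(0, 0, px, px))
	for i := range img.Pix {
		img.Pix[i] = 255 // white everywhere; dark modules are painted below
	}
	for r, row := range modules {
		for c, dark := range row {
			for dy := 0; dark && dy < scale; dy++ {
				for dx := 0; dx < scale; dx++ {
					img.Pix[((r+quiet)*scale+dy)*img.Stride+(c+quiet)*scale+dx] = 0
				}
			}
		}
	}
	var buf bytes.Buffer
	err := png.Encode(&buf, img)
	return buf.Bytes(), err
}

// BuildMessage renders tmpl for one recipient: the lure URL gets the
// recipient's rid, enc turns that URL into a QR module matrix, the PNG becomes
// an inline multipart/related part, and {{.QR}} expands to an <img> of the
// chosen size referencing it by Content-ID. size == 0 mirrors a blank
// "QR Code Size": {{.QR}} expands to nothing and a plain text/html body is
// returned. The second result is the Content-Type header to send with the body.
func BuildMessage(tmpl, base, rid string, enc func(string) ([][]bool, error), size int) ([]byte, string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return nil, "", err
	}
	q := u.Query()
	q.Set("rid", rid) // assumed Gophish convention: tracking id as ?rid=
	u.RawQuery = q.Encode()
	link := u.String()
	data := struct {
		URL string
		QR  template.HTML // not escaped, so the tag lands exactly where {{.QR}} is written
	}{URL: link}
	cid := "qr-" + rid + "@campaign" // hypothetical Content-ID scheme
	var pngBytes []byte
	if size > 0 {
		modules, err := enc(link)
		if err != nil {
			return nil, "", err
		}
		if pngBytes, err = rasterize(modules, size); err != nil {
			return nil, "", err
		}
		data.QR = template.HTML(fmt.Sprintf(`<img src="cid:%s" width="%d" height="%d" alt="">`, cid, size, size))
	}
	t, err := template.New("email").Parse(tmpl)
	if err != nil {
		return nil, "", err
	}
	var html bytes.Buffer
	if err := t.Execute(&html, data); err != nil {
		return nil, "", err
	}
	if pngBytes == nil {
		return html.Bytes(), "text/html; charset=utf-8", nil
	}
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	p, err := mw.CreatePart(textproto.MIMEHeader{"Content-Type": {"text/html; charset=utf-8"}})
	if err != nil {
		return nil, "", err
	}
	p.Write(html.Bytes())
	// Literal map keys keep the RFC 2392 spelling "Content-ID"; MIMEHeader.Set
	// would canonicalise it to "Content-Id", which is legal but surprises exact-match filters.
	h := textproto.MIMEHeader{"Content-Type": {"image/png"}, "Content-Transfer-Encoding": {"base64"},
		"Content-Disposition": {"inline"}, "Content-ID": {"<" + cid + ">"}}
	if p, err = mw.CreatePart(h); err != nil {
		return nil, "", err
	}
	p.Write([]byte(base64.StdEncoding.EncodeToString(pngBytes)))
	mw.Close()
	return buf.Bytes(), "multipart/related; boundary=" + mw.Boundary(), nil
}
```

Calling `BuildMessage("<p>Scan to verify: {{.QR}}</p>", "https://login.example.com/auth", "abc123", enc, 200)` hands `enc` the string `https://login.example.com/auth?rid=abc123`, which is the only place the tracking identifier lives once the image is rendered, and yields a multipart/related body whose HTML part contains `<img src="cid:qr-abc123@campaign" width="200" height="200" alt="">` and whose second part is the base64 PNG with the matching `Content-ID`. With `size == 0` the same call returns `<p>Scan to verify: </p>` as a single text/html body, which is the "standard campaign" case.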

Inline QR code image within received email

And that's it for weaponization with EvilGophish. For those unfamiliar with Gophish or EvilGophish, the dashboard displays campaign results graphically. It records every campaign event with date/time information: emails sent, links clicked (a scanned code registers here, since the QR carries the recipient's tracking URL), credentials submitted to the Evilginx server and sessions (cookies/auth tokens) captured by Evilginx, and it correlates all of these per victim. The free version of EvilGophish is available on GitHub here, but it is intentionally kept less up to date than the paid version available via GitHub Sponsors here.

Conclusion

Implications: The strategic use of QR codes by adversaries underscores a critical need for adaptive security strategies. It highlights the importance of extending cybersecurity awareness to include newer technologies and their potential misuse. As the digital landscape evolves, so too must our vigilance and defenses.

Takeaway: In the arms race of cybersecurity, awareness and adaptation are our best defenses. Understanding the why and how behind the use of technologies like QR codes for malicious purposes empowers us to better protect ourselves and our organizations.
