What you should know to avoid QRLJacking


QR codes (short for quick response) are widely used digital buttons because of their remarkable versatility. For this reason, more and more businesses want to know how to create a QR code so they can integrate one into their promotional campaigns. After all, they are very effective ideograms for attracting customers, generating lasting interactions, receiving feedback and building user loyalty.

But the omnipresence of QR codes, both on physical objects and on digital platforms, is also exploited by cybercriminals. One of the most used and, unfortunately, most effective scams is called QRLJacking (Quick Response Code Login Jacking). In layman’s terms, it is a simple social-engineering attack vector that targets QR-code login.

However, QRLJacking is much more than that; we go into more detail below.

Modus operandi of QRLJacking

Attack flow

1. The cybercriminal logs into the application or web portal chosen for the attack like any other user, that is, just as the probable victim would;

2. The hacker replicates the appearance of the login QR code of the legitimate website or app and places it on a phishing web page. The latter is a portal identical to the real one, which is even updated constantly so that an unsuspecting victim is deceived;

3. The scammer distributes the phishing website to multiple users through different channels: social networks, emails, forums and chats on topics of general interest;

4. The victim scans the “infected” QR code with the corresponding application on their smartphone. From this point on, the hacker takes control of the victim’s account;

5. The code embedded in the ideogram used for QRLJacking hands all the affected user’s account data over to the cybercriminal’s session.

Deception Methods to Induce Scanning of Malicious QR Codes

Social engineering techniques

Typically, hackers combine several attack modalities at once in order to increase their chances of success. The goal is always to gain the user’s trust; therefore, the sites chosen to carry out the fraud usually belong to well-known firms (WhatsApp or Amazon, for example). Likewise, cybercriminals usually define clearly which target audience is most prone to QRLJacking.

SSL protocol teardown

The Secure Sockets Layer (SSL) protocol is one of the most effective procedures for preventing hacks. Given this, cyberspace scammers claim that the website (used for phishing, but apparently legitimate) operates without an HSTS (HTTP Strict Transport Security) policy. They then invite the user to work temporarily on an unsecured, in other words unprotected, version.

Disruption of content delivery networks (CDNs)

The image generated for the QR code login feature within a secure page is embedded as Base64. This encoding keeps the content of the symbol protected and out of reach as long as the HTTPS and HSTS browsing protocols are active. To get around this obstacle, hackers downgrade CDNs so that the fraudulent QR code is not identified as problematic.

Traffic manipulation on local area networks (LAN)

This consists of compromising users’ local area networks by exploiting unprotected web portals. To do so, the hacker poisons traffic in real time by injecting a JS file into each vulnerable web page recorded in the LAN history. For this reason it is also called a MITM (man-in-the-middle) attack.

How to prevent QRLJacking

The main recommendation for users is not to log into their accounts by scanning QR codes unless it is absolutely essential. Beyond that, people can avoid becoming victims of QRLJacking through restrictions that close the criminals’ window of action. Among them:

-Implement a login confirmation protocol: it works with a notification that shows the characteristics of the login made by the client and/or server;

-Implement IP restrictions for login (prohibit logins from unknown IPs);

-Delimit access to certain geographic locations and issue an alert when the login location is unknown;

-Reinforce login security through authentication based on the user’s voice.
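As an added example (not code from this article or from any real QR-login service), the following hypothetical server side of a QR login applies the first three measures above and shows why the attack flow described earlier is caught: the QR encodes only an opaque session id that the server binds to the browser that requested it, the phone is shown that browser’s IP and user agent before approving (login confirmation), requests from networks outside the user’s allowlist are rejected (IP restriction), and a country mismatch raises an alert (location check). The user directory, the geolocation table and all IP addresses are constructed for the demo; in a QRLJacking attempt the browser that requested the code is the attacker’s, so its context is what the victim sees and what the checks evaluate.

```python
import ipaddress
import secrets
import time

QR_TTL_SECONDS = 60  # short expiry: a cloned code on a phishing page goes stale fast

# Constructed user directory: networks the user may log in from and home country
USERS = {"alice": {"allowed_nets": ["203.0.113.0/24"], "country": "ES"}}
# Constructed IP-to-country table standing in for a real geolocation service
GEO = {"203.0.113.7": "ES", "198.51.100.9": "US"}


class QrLoginServer:
    """Hypothetical server side of a QR login; the QR encodes only a session id."""

    def __init__(self):
        self.pending = {}    # session id -> context of the browser that requested the QR
        self.logged_in = {}  # session id -> username, once the phone has approved

    def create_login_qr(self, browser_ip, user_agent):
        """Called by the web login page; returns the opaque value to encode in the QR."""
        sid = secrets.token_urlsafe(16)
        self.pending[sid] = {"ip": browser_ip, "ua": user_agent, "created": time.time()}
        return sid

    def scan(self, sid, username, now=None):
        """Called by the phone app after scanning. Applies the IP and location
        checks and returns the browser context the app must show for confirmation."""
        now = time.time() if now is None else now
        ctx = self.pending.get(sid)
        if ctx is None or now - ctx["created"] > QR_TTL_SECONDS:
            self.pending.pop(sid, None)
            return {"status": "expired"}
        user = USERS[username]
        ip = ipaddress.ip_address(ctx["ip"])
        # IP restriction: the browser that requested the code must be on an allowed network
        if not any(ip in ipaddress.ip_network(n) for n in user["allowed_nets"]):
            self.pending.pop(sid, None)
            return {"status": "rejected", "reason": "unknown_ip", "ip": ctx["ip"]}
        # Location check: flag the login when the browser is not in the user's usual country
        alert = GEO.get(ctx["ip"]) != user["country"]
        return {"status": "confirm", "ip": ctx["ip"], "ua": ctx["ua"], "location_alert": alert}

    def confirm(self, sid, username, approved):
        """The phone app reports the user's decision; only an approval logs the browser in."""
        ctx = self.pending.pop(sid, None)
        if ctx is None or not approved:
            return False
        self.logged_in[sid] = username
        return True
```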

Consequences of QRLJacking

1. Hijacking of accounts and damage to reputation due to actions carried out by the cybercriminal (posing as the scammed user);

2. Disclosure of a broad spectrum of private data linked to account login, including:
-Geographic location by GPS;
-SIM card information;
-Type of device;
-IMEI of the device.

3. Data manipulation:
-Once the ideogram used for QRLJacking has been scanned (the “information disclosure” point), the victim’s data is made available to the attacker over an insecure network connection;
-The extracted information (especially passwords) can serve to extend the damage to other user profiles, since at least 60% of users usually reuse the same passwords across different accounts.

4. The hacker can modify or even delete the data at will.

Key aspects of QRLJacking

One of the advantages of QRLJacking attacks for hackers lies in their simplicity. The criminal only has to follow and replicate the page from which he obtains the cloned QR code, since he knows that the symbols usually have an expiration date: the appearance of the ideogram changes with each page update.

To make matters worse, some websites do not even refresh the login QR regularly. For this reason, cybercriminals do not need very in-depth knowledge of programming and web design. Basic skills are certainly enough to slightly modify the portal used for phishing, plus a naive victim incapable of taking minimal containment measures.
