Evil QR is a spin-off of a QR Jacking attack, the latest phishing attempt by threat actors to gain access to the victim’s machine.
QRLJacking or Quick Response Code Login Jacking is a simple social engineering attack vector capable of session hijacking affecting all applications that rely on the “Login with QR code” feature as a secure way to login into accounts.
The latest article on breakdev demonstrates how attackers could take over accounts by convincing users to scan supplied QR codes, through phishing.
How the Attack Works:
In recent years, most websites have allowed users to log in by scanning QR codes using mobile phones.
Attackers took advantage of this process and sent spam emails containing Spoofed QR codes from the original website to compromise the victims.
In this article, the author explained how phishing is sent through the Evil QR toolkit utilizing the Discord page.
The attacker opens the official Discord login page within their web browser to generate the sign-in QR code.
Using the Evil QR browser extension, the attacker is able to extract the sign-in QR code from the login page and upload it to the Evil QR server, where the phishing page is hosted.
The phishing page, hosted by the attacker, dynamically displays the most recent sign-in QR code controlled by the attacker.
Once the victim successfully scans the QR code, the attacker takes control of the compromised account
The Evil QR attack can be customized using personalized phishing pre-text, with dynamic updates, for every website separately.
Evil QR browser extensions can detect and extract QR codes, within websites, no matter how they are rendered.
The extension supports extracting QR codes rendered as CANVAS, IMG, SVG, or even DIV (by taking a screenshot with the html2canvas library).
The server is developed in GO and its main purpose is to expose REST API for the browser extension and run an HTTP server to host the phishing page.
It waits for authenticated communication from the browser extension, including a QR code image with metadata in JSON format on /qrcode/[qr_uuid] endpoint:
The retrieved QR code is then stored and is available for retrieval by the JavaScript running on the phishing page.
The phishing page uses HTTP Long Polling to be able to retrieve QR code updates with minimal delays without having to use WebSockets.
The phishing page automatically detects which hostname the QR code was retrieved from and can dynamically adjust its CSS and text content to change the phishing pre-text for social engineering purposes.
To phish the target, the attacker uses the Evil QR Browser extension on the web application sign-in page.
It will automatically find the QR code image and detect if it changes. Once it changes, it will upload the updated image to the Evil QR server.
One of the most important characteristics of session tokens, represented by sign-in QR codes, is that the tokens are short-lived by design.
Every token is made to expire approximately after 30 seconds, which drastically shortens the time frame of the token’s validity.
Once the token expires, the website regenerates it and updates the displayed QR code on the sign-in page.
If sign-in session tokens did not expire, attackers might print QR codes on paper and mail them to potential victims.
After a period of inactivity, some websites cease updating QR codes to save bandwidth. They normally offer a “Retry” option, which the extension can automatically click on to continue updating QR codes.
The extension can also detect the presence of a specific DOM object, which will show up only when the attacker is signed in after the phishing attempt is successful.
It will then send an update to the Evil QR server with the authorized: “true” parameter, allowing the phishing page to decide on how to proceed.