Thursday, September 28, 2023

Emerging Threat - The Rise of Quishing: Malicious QR Codes

 
 

A QR code (short for Quick Response code) is a type of barcode that can be scanned by one’s smartphone camera. It stores data like text, URLs, or contact information in a machine-readable format.

When you point your smartphone camera at a QR code, the phone's software recognizes the pattern of black and white squares. It then converts the code into whatever data is encoded - usually a link, app download, contact, etc.

QR codes provide us with a quick and convenient way to pull up information on our mobile devices and we often scan QR codes without giving it a second thought. How often have you scanned a QR code at a restaurant so as to instantly view the menu?

QR codes are a great convenience but often, what we fail to realize is that convenience can often come with risk. QR codes are no different and now present a growing phishing risk known as “quishing”. Bad actors are now using fake QR codes as a weapon to steal data or distribute malware. In this post I will break down how quishing works and provide tips on how one can protect themselves from falling victim to this type of cyber-attack.

Weaponizing QR Codes

As previously stated, QR codes encode data as a scannable barcode and are a great convenience but this convenience makes it easy for attackers to create malicious QR codes that can redirect unsuspecting users to phishing sites.

Malicious actors print fake codes on flyers, advertisements, or stickers and post them in public areas. When an unsuspecting user scans the code, instead of the expected destination they are sent to a malicious phishing site, controlled by the attacker, and the victim gets tricked into entering credentials, downloading malware, or possibly opening a backdoor for their device to be taken over.

Here is a simple example of how a malicious QR code may be weaponized:

1.      The attacker registers a domain name that looks similar to a legitimate site, like "amaz0n.com" instead of "amazon.com".

2.      The attacker creates a phishing site at that domain impersonating the target brand (Amazon in this case).

3.      The attacker generates a QR code that encodes a URL link to their fake domain. For example:

QR code ---> http://amaz0n.com

4.      The attacker then prints this malicious QR code on a flyer or sticker and posts it in a public place. They may pretend to offer a discount or special offer to entice victims to scan it.

5.      A user scans the code with their smartphone camera, expecting to visit the real Amazon site. But the QR code directs their browser to the fake site instead.

6.      At the fake site, the user gets phished for login credentials or prompted to download malware disguised as a legitimate app.

 Recent Real-World Examples

While QR code technology itself is decades old, weaponizing it for phishing appears to be a more modern attack method. One of the earliest documented quishing campaigns was observed in China in 2017 where malicious actors posted fake QR codes to steal login credentials from users of a digital payment platform Alipay. In 2018, security researchers identified malicious QR codes targeting cryptocurrency owners. The QR codes were weaponized to steal digital wallet private keys allowing attackers to steal the funds of the victim. And most recently, in September of 2023, The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) warned of two recent phishing campaigns involving QR codes. the campaigns involved phishing emails impersonating IT departments indicating that the user could scan the QR code to initiate updates or maintenance of 2FA (two-factor authentication) allowing attackers to bypass a victim’s 2FA protection they had in place.

 Staying Safe from Quishing

As in phishing attacks, the key defense when it comes to quishing is user awareness. Users need to use caution before scanning any QR code. Things once can do to protect themselves are:

·        Examine the QR code and verify the source. Does the URL domain or app name seem legitimate?

·        Search online for recent alerts about scams for that brand.

·        Only scan codes directly from trusted sources like official brand ads or known establishments.

·        Look out for typosquatting sites like amaz0n instead of amazon.

·       Consider disabling automatic QR code scanning in your camera app settings or use a use a QR Code Scanner with Security Features. Some QR code scanner apps have built-in security features that can check URLs for authenticity and flag potential threats.

·        Keep device software up-to-date and use a security app to block known malicious sites.

·       Report Suspected Phishing. If you encounter a suspicious QR code or website, report it to relevant authorities or the organization being impersonated.

Conclusion

While QR codes offer speed and utility when used properly the convenience has unfortunately made them and ideal attack vector to take advantage of unsuspecting users. Being aware, vigilant, and utilizing common sense is key to avoid falling victim to this new type of attack and as quishing threats continue to rise “QR hygiene”  will be crucial to avoid becoming a victim.

 

Friday, June 16, 2023

How to Update Burp Suite in Kali Linux


Even after using apt commands to update Kali and it's packages it will still be necessary  update Burp Suite Community Edition manually. Burp Suite can be quickly launched via Applications drop down > Web Applications Analysis > burpsuite.
 

 

 If you are running an older version of Burp Suite you may get the notification that an update is available.

 

If so then you can click the "Update now" button, but if not then you can start Burp Suite and click Help > Check for Updates.

Both ways will bring you to the same update window. Click on "Update Now".

 

This will bring you to the PortSwigger Burp Suite download page. Select "Go Straight to downloads".

 This will bring you to a page where you can download the current version of Burp Suite Professional or Community. We will be downloading the current Community version and we want to select the JAR (Java Archive) file type and select Download.

 

Once you have the JAR file downloaded into the ~/Downloads folder there are a few things that you will need to do.

First, you will need to rename the JAR file that you just downloaded from burpsuite_community_vxxxx.x.x.jar to burpsuite.jar.

Next, you will need cd into /usr/share/burpsuite and rename burpsuite.jar to burpsuite.jar_old

 

Finally you will need to move burpsuite.jar from ~/Downloads to /usr/share/burpsuite directory. 

 

Your update is now complete and you are ready to launch Burp Suite. Once you launch Burp Suite it will launch without any notification of an available update and the version will be the current version you just downloaded and installed!



 

Emerging Threat - The Rise of Quishing: Malicious QR Codes

    A QR code (short for Quick Response code) is a type of barcode that can be scanned by one’s smartphone camera. It stores data like tex...