How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography
Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them.
Quishing#
Quishing, a phishing technique resulting from the combination of “QR” and “phishing,” has become a popular weapon for cybercriminals in 2023.
By concealing malicious links within QR codes, attackers can evade traditional spam filters, which are primarily geared towards identifying text-based phishing attempts. The inability of many security tools to decipher the content of QR codes further makes this method a go-to choice for cybercriminals.
An email containing a QR code with a malicious link |
Analyzing a QR code with an embedded malicious link in a safe environment is easy with ANY.RUN:
- Simply open this task in the sandbox (or upload your file with a QR code).
- Navigate to the Static Discovering section (By clicking on the name of the file in the top right corner).
- Select the object containing the QR code.
- Click “Submit to Analyze.”
The sandbox will then automatically launch a new task window, allowing you to analyze the URL identified within the QR code.
CAPTCHA-based attacks#
CAPTCHA is a security solution used on websites to prevent automated bots from creating fake accounts or submitting spam. Attackers have managed to exploit this tool to their advantage.
A phishing attack CAPTCHA page shown in the ANY.RUN sandbox |
Attackers are increasingly using CAPTCHAs to mask credential-harvesting forms on fake websites. By generating hundreds of domain names using a Randomized Domain Generated Algorithm (RDGA) and implementing CloudFlare’s CAPTCHAs, they can effectively hide these forms from automated security systems, such as web crawlers, which are unable to bypass the CAPTCHAs.
A fake Halliburton login page |
The example above shows an attack targeting Halliburton Corporation employees. It first requires the user to pass a CAPTCHA check and then uses a realistic Office 365 private login page that is difficult to distinguish from the real page.
Once the victim enters their login credentials, they are redirected to a legitimate website, while the attackers exfiltrate the credentials to their Command-and-Control server.
Learn more about CAPTCHA attacks in this article.
Steganography malware campaigns#
Steganography is the practice of hiding data inside different media, such as images, videos, or other files.
A typical phishing attack that employs steganography begins with a carefully crafted email designed to appear legitimate. Embedded within the email is an attachment, often a Word document, accompanied by a link to a file-sharing platform like Dropbox. In the example below, you can see a fake email from a Colombian government organization.
A phishing email is typically the first stage of an attack |
The unsuspecting user that clicks the link inside the document downloads an archive, which contains a VBS script file. Upon execution, the script retrieves an image file, seemingly harmless but containing hidden malicious code. Once executed, the malware infects the victim’s system.
To understand how steganography attacks are carried out and detected, check out this article.
Expose phishing attacks with ANY.RUN#
ANY.RUN is a malware analysis sandbox that is capable of detecting a wide range of phishing tactics and letting users examine them in detail.
Check out ANY.RUN’s Black Friday Offer, available November 20-26.
The sandbox offers:
- Fully interactive Windows 7,9,10,11 virtual machines
- Comprehensive reports with IOCs and malware configs
- Private analysis of an unlimited number of files and links
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.