Attackers are using QR codes sneakily crafted in ASCII and blob URLs in phishing emails

An example of a QR code built using ASCII

Barracuda Networks

Attackers are impersonating legitimate services

In one phishing example demonstrated by Barracuda, attackers impersonated a service that supposedly sent a payroll and benefits enrolment file that could be accessed by scanning the QR code. In another case, the attackers impersonated global shipping company DHL and asked recipients to fill out a form by scanning the QR code to complete an order because the shipping address was supposedly missing.

One might think it would be easy to build a detection rule for this by just looking for blocks and half-blocks, but it’s not that simple. According to the researchers, there are 32 distinct ‘block’ characters that include full blocks, partial blocks and quadrants and they can further be encoded inside emails using HTML Entity, UTF-8 Encoding, or UTF-16 Encoding, creating 96 possible combinations. And many of them have legitimate use cases, increasing the likelihood of false positive detection.

“​​Additionally, in the case of HTML Entities, each ‘block’ can have multiple representations, and attackers can use single blocks or block combinations to generate their ASCII/Unicode-based QR codes,” the researchers said. “This all increases the total number of possible combinations and makes ASCII-based QR codes challenging to detect.”