Think Before You Scan (Phishing QR Code)
QR codes are mostly used for payments nowadays, but the problem is that every QR code looks the same.
If a malicious actor takes over a website and replaces the website's QR code with a malicious one, every user who scans it is redirected to the actor's phishing page. From there, the malicious actor starts harvesting the users' credentials.
In this case, we'll use the Social-Engineering Toolkit (SEToolkit) to show how this attack vector works.
Setting Up Fake PayPal Login Webpage
First, we need to clone the PayPal login page from the original site. This can be done with the browser's normal “Save as” option.
After we've cloned the login page, we need to rename the HTML file to index.html.
Now let's launch SEToolkit to start hosting the phishing page. Here we choose the 1st option, “Social-Engineering Attacks”, since we want to perform a social engineering attack to harvest the user's credentials.
Then we select the 2nd option, “Website Attack Vectors”, to start hosting our phishing login page.
Select option 3 for the credential harvester attack vector. This harvests the login and password from the form the victim submits on our phishing page.
In our case we go for “Custom Import”, as we've just cloned the PayPal login page manually.
In this article we test on our local LAN only, so we enter our Kali Linux local IP for the POST-back result.
For the website path, we enter the folder where we saved the cloned PayPal login page. We choose “copy the entire folder” because the page's CSS and JS files need to be included.
Here we want the user to be redirected to the original PayPal sign-in link after submitting the form. This lowers suspicion by making the user believe they entered their credentials wrongly on the previous page.
Now that everything is set up, let's move on to the next section: generating the QR code.
Generating QR Code Redirecting to Phishing Link
We'll use SEToolkit for QR code generation as well, choosing option 8, “QRCode Generator Attack Vector”.
Then we enter our machine's IP to generate the malicious QR code.
After the QR code has been generated successfully, SEToolkit shows the path where it was saved.
This is how it looks initially; to make it more convincing, we can search the internet for PayPal payment templates.
In this case, we will use this PayPal payment template as an example.
After using an image editor to place the SEToolkit-generated malicious QR code into the PayPal payment template, this is what the final result looks like. As expected, the QR code looks just like a real one, and we can't really tell whether it's genuine or not.
Start Testing with a User Scanning the Malicious QR Code
Let's do some setup before we start the QR code phishing. The credentials harvested by SEToolkit are saved to this “site.template” file, so we can use grep to pull out the specific parameters that contain the credentials.
Now let's use a user to demo the phishing result. First, the user simply scans the QR code as normal to make a payment with PayPal.
The user then lands on a PayPal login page, but doesn't notice that it is the phishing page we use to harvest their credentials.
So the user keys in their credentials as normal and clicks the “Log In” button.
The user is then redirected to the original PayPal login page, which may make them think they entered the wrong credentials on the previous page.
On the attacker's side, we've just harvested the PayPal credentials the user entered, without the user noticing.
How to Prevent Falling into Phishing QR Code Trap?
One technique to avoid falling into this phishing QR code trap is to find out what URL the QR code actually contains.
To do this, we can use an online QR code scanner. We can use the pageloot QR code scanner to decode the phishing QR code by uploading its image.
As you can see, this phishing QR code actually redirects us to the IP address “192.168.169.204”, which in our case is the fake PayPal login website we just hosted with SEToolkit.
Once the URL has been extracted from the QR code, we can analyse it further, for example by scanning it with VirusTotal, or by comparing the domain name in the QR code with the original PayPal domain name.
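The domain comparison described above can be automated once the URL has been decoded from the image. The following is an added example written for this article, not part of the original post or of SEToolkit; it assumes the URL string has already been extracted (for example by an online scanner) and uses a hypothetical allowlist containing paypal.com as the trusted domain. The sample URLs are constructed: the first mirrors the LAN address from this article, the others are made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of legitimate domains for the brand the QR code claims to be for.
TRUSTED_DOMAINS = {"paypal.com"}


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_qr_url(url, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of red-flag strings for a URL decoded from a QR code.
    An empty list means no red flag was found; it does not prove the link is safe."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        warnings.append("plain HTTP, not HTTPS")
    if not host:
        warnings.append("no host in URL")
        return warnings
    try:
        ipaddress.ip_address(host)  # raises ValueError if host is not an IP literal
        warnings.append(f"host is a bare IP address ({host}), not a domain")
        return warnings
    except ValueError:
        pass
    if not any(host_matches(host, d) for d in trusted_domains):
        warnings.append(f"host '{host}' is not a trusted domain")
        # Lookalike check: the brand name appears in the host but it is not the real domain.
        for d in trusted_domains:
            brand = d.split(".")[0]
            if brand in host:
                warnings.append(f"host contains '{brand}' but is not {d} (possible lookalike)")
    if parts.username or parts.password:
        warnings.append("URL contains embedded credentials (userinfo before the host)")
    return warnings


# Constructed sample decodes for demonstration.
SAMPLES = [
    "http://192.168.169.204/index.html",
    "https://www.paypal.com/signin",
    "https://paypal.com.example-secure-login.net/signin",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", assess_qr_url(u) or ["no red flags"])
```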
Conclusion
So, to avoid falling into this trap, always remember these words: “Think Before You Scan”. This is very important, as you don't want to fall into this sneaky trap, which could lead to your money being stolen by a malicious actor.