QR Code Phishing with EvilGophish

In the evolving landscape of cybersecurity, adversaries continually look for ways to bypass traditional security controls. One method gaining traction is the use of QR codes. At first glance a QR code is a benign shortcut to a website or a piece of information, but its characteristics give an attacker some real advantages, particularly in evading detection. Here is why:

1. Concealed URLs: Unlike a traditional link, whose destination is visible and can be checked for legitimacy, a QR code hides the underlying URL behind an image. Most phone cameras do display the decoded URL before opening it, but only briefly and on a small screen, so that check is easy to skip. The obscurity lets a malicious link get past the first round of human scrutiny, which makes QR codes an effective carrier for phishing links.

2. Evasion of traditional security solutions: Many security systems are built to scan and filter text-based content, such as the bodies of emails and web pages, for malicious links. A QR code is an image, so a purely text-based analysis never sees the URL inside it and the message can pass through unnoticed. Treat this as a shrinking gap rather than a guarantee: email security products have started decoding QR codes found in message images, so an assessment should check whether the target's gateway does.

3. Bypassing awareness training: With the extensive training around not clicking suspicious links, users have become more cautious about links. QR codes exploit a gap in that awareness: their novelty and the small act of pulling out a phone to scan encourage users to engage, often without the caution they would apply to a clickable link.

4. Targeted mobile exploitation: QR codes are overwhelmingly scanned with mobile devices, which often lack the security controls of a managed desktop. Scanning also moves the victim off the corporate laptop, with its web proxy, EDR and URL filtering, and onto a personal phone that sits outside those controls. That makes QR codes a strategic choice for targeting the mobile ecosystem, from stealing credentials and personal data to delivering malware.

5. Bridging the physical and digital realms: QR codes uniquely connect the physical and digital worlds. They can be placed anywhere, from posters to digital screens, reaching audiences outside the scope of digital-only campaigns and evading digital tracking or filtering systems altogether.

EvilGophish Weaponization

Now that we have a solid understanding of why adversaries might want to use QR codes in a social engineering campaign, let's talk about weaponizing them ourselves using EvilGophish. This is a new feature that is only available to sponsors. To become a sponsor, select the appropriate tier from my list of GitHub Sponsors tiers; sponsorship grants access to the private Sponsors repository on GitHub.

EvilGophish Implementation

I thought about how to implement this feature so that it would be as convenient as possible for an operator, while giving operators full control over how QR codes are inserted into emails. On top of that, I wanted the feature to be as potent and effective as possible, which meant putting some thought into the design. Instead of appending the image to the end of every email by default (taking a degree of control away from operators), or including the image as an attachment, I decided to create a new template variable for email templates: {{.QR}}.

The variable places the QR code as an inline image wherever it appears in the template, so the operator controls exactly where the image sits when the victim views the email. An inline image is also more likely to be viewed and scanned than a stray attachment or an image dropped somewhere in the email that does not fit the pretext. Control over placement therefore increases effectiveness: without it, the image might not fit certain pretexts, and the range of pretexts that could use the feature would be narrower. Operators also have full control over the height and width of the QR code image, so the attack can be customized fully when weaponizing it with EvilGophish. I figured this was the simplest and most potent way to expose the feature while giving operators the most control.

The screenshot below shows the new template variable inside an HTML email template. This is the first step in using the feature for an email campaign within EvilGophish.

[Screenshot: HTML email template using the new {{.QR}} template variable]

The next step is to configure the size of the QR code images when starting a new campaign. Leave the QR Code Size option blank to run a standard campaign without QR code images.

[Screenshot: campaign configuration specifying the QR code size]

At this point every recipient receives an email containing a QR code image of their own phish URL, including the unique identifiers used for campaign tracking statistics. When scanned, the scanning device opens its browser on that URL, which for MFA-bypass campaigns is the evilginx server URL. This test simply pointed to Google, which you can verify by scanning the QR code in the screenshot below, which shows a sample of what victims receive.

[Screenshot: inline QR code image within the received email]
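
To make the mechanism concrete, here is an added example in Go of how a {{.QR}} template variable can be implemented. It is not EvilGophish's code (that lives in the private sponsors repository) and it makes its own assumptions: the QR encoder is an injected hook named Encode, since a real tool would call a QR library for the module matrix; the Campaign and TemplateData types, the QRCID function and the cid: naming scheme are this example's own. What it shows is the flow the post describes: the per-recipient phish URL carries the tracking id, the matrix is scaled to the operator's chosen size with a quiet zone, the image is referenced inline wherever the template puts {{.QR}}, and a size of 0 (the option left blank) produces a normal email with no image attached.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"image"
	"image/png"
	"net/url"
	"strings"
)

// QRMatrix is a square grid of QR modules (true = dark). A real tool gets it from a
// QR encoder library; here the encoder is an injected hook (assumption).
type QRMatrix [][]bool

// RenderGray scales a module matrix to roughly size x size pixels and adds the
// four-module quiet zone that scanners rely on. Modules never shrink below one pixel.
func RenderGray(m QRMatrix, size int) *image.Gray {
	n := len(m)
	const quiet = 4
	scale := size / (n + 2*quiet)
	if scale < 1 {
		scale = 1
	}
	px := scale * (n + 2*quiet)
	img := image.NewGray(image.Rect(0, 0, px, px))
	for y := 0; y < px; y++ {
		for x := 0; x < px; x++ {
			mx, my := x/scale-quiet, y/scale-quiet // module under this pixel
			v := uint8(255)                        // white, including the quiet zone
			if mx >= 0 && my >= 0 && mx < n && my < n && m[my][mx] {
				v = 0
			}
			img.Pix[y*img.Stride+x] = v
		}
	}
	return img
}

// RenderPNG returns the encoded PNG and its exact pixel dimension, which the
// <img> width/height attributes should match.
func RenderPNG(m QRMatrix, size int) ([]byte, int, error) {
	img := RenderGray(m, size)
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		return nil, 0, err
	}
	return buf.Bytes(), img.Bounds().Dx(), nil
}

// Campaign holds the two knobs the post describes: the landing URL and the QR size,
// where 0 (the option left blank) means a standard campaign without QR codes.
type Campaign struct {
	LandingURL string
	QRSize     int
	Encode     func(text string) (QRMatrix, error) // hypothetical encoder hook
}

// TemplateData is what the email template sees; QR is template.HTML so that
// html/template inserts the <img> tag verbatim instead of escaping it.
type TemplateData struct {
	FirstName string
	URL       string
	QR        template.HTML
}

// QRCID is the Content-ID to attach the PNG under (multipart/related) so the cid: reference resolves.
func QRCID(rid string) string { return "qr-" + rid + "@campaign" }

// Render fills tmpl for one recipient and returns the HTML plus the PNG to attach,
// nil when QRSize is 0, so one template serves both campaign types.
func (c Campaign) Render(tmpl, firstName, rid string) (html string, qrPNG []byte, err error) {
	// Per-recipient phish URL: the rid ties a scan to one target in the statistics.
	data := TemplateData{FirstName: firstName,
		URL: strings.TrimRight(c.LandingURL, "/") + "/?rid=" + url.QueryEscape(rid)}
	if c.QRSize > 0 {
		m, err := c.Encode(data.URL)
		if err != nil {
			return "", nil, err
		}
		var px int
		if qrPNG, px, err = RenderPNG(m, c.QRSize); err != nil {
			return "", nil, err
		}
		data.QR = template.HTML(fmt.Sprintf(`<img src="cid:%s" width="%d" height="%d" alt="">`, QRCID(rid), px, px))
	}
	t, err := template.New("email").Parse(tmpl)
	if err != nil {
		return "", nil, err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, data); err != nil {
		return "", nil, err
	}
	return out.String(), qrPNG, nil
}

func main() {
	// Constructed 3x3 stand-in for an encoder's output; a real encoder returns a full symbol.
	stub := func(string) (QRMatrix, error) { return QRMatrix{{true, false, true}, {false, true, false}, {true, false, true}}, nil }
	c := Campaign{LandingURL: "https://login.example.com", QRSize: 110, Encode: stub}
	out, qr, err := c.Render(`<p>Hi {{.FirstName}}, scan to re-enrol your authenticator:</p>{{.QR}}`, "Alice", "abc123")
	fmt.Printf("%s\n%d PNG bytes for Content-ID <%s>, err=%v\n", out, len(qr), QRCID("abc123"), err)
}
```

Two design points are worth noting. The phish URL appears nowhere in the rendered HTML unless the template also uses {{.URL}}; it exists only as pixels in the PNG, which is the evasion point 2 above describes. And the image is referenced through a Content-ID rather than a base64 data: URI because several major mail clients refuse to render data: images, which would leave the victim with a broken image instead of a code to scan.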

And that’s it for weaponization using EvilGophish!

Conclusion

Implications: The strategic use of QR codes by adversaries underscores the need for adaptive security strategies. It highlights the importance of extending cybersecurity awareness to newer technologies and their potential misuse, and of treating a QR code in an email with the same suspicion as an unexpected link, because that is what it is. As the digital landscape evolves, so must our vigilance and defenses.

Takeaway: In the arms race of cybersecurity, awareness and adaptation are our best defenses. Understanding the why and the how behind the malicious use of technologies such as QR codes empowers us to better protect ourselves and our organizations.

Originally published on fin3ss3g0d's Blog: QR Code Phishing with EvilGophish

Copyright notice: posted by admin on 29 February 2024 at 09:51.
