Quishing – QR Code Phishing Attacks to Steal Credentials

Cybersecurity researchers are highlighting a new QR code phishing campaign, also known as “quishing,” which exploits Microsoft Sway’s infrastructure to host fraudulent pages. This case underscores the ongoing misuse of legitimate cloud services for malicious intent.

What is QR Code?

A QR (Quick Response) code is an image that can hold up to 7,089 numbers or 4,296 characters. Originally, QR codes were used as simple tags for tracking physical objects. In the 1990s, the Japanese car industry started using them to keep tabs on vehicles and parts during manufacturing. As technology advanced, QR codes became more versatile, allowing them to send information directly to smartphones when scanned.

What is QR Code Phishing (Quishing)?

Today, many tools are effective at spotting and blocking harmful links that might lead to phishing sites or malware. However, most of these tools cannot yet detect malicious QR codes, which has led cybercriminals to use them increasingly in their schemes. QR code phishing, or “quishing,” operates similarly to other phishing methods: it is a social engineering tactic aimed at tricking people into revealing personal information, such as login credentials or financial details. Just like other phishing attacks, its main goal is to deceive individuals into providing sensitive information, including Social Security numbers, bank login details, or email passwords.

“In a clever twist, attackers have now begun crafting QR codes using Unicode text characters instead of images,” SlashNext CTO J. Stephen Kowski said. “This new technique, which we’re calling ‘Unicode QR Code Phishing,’ presents a significant challenge to conventional security measures.” What makes the attack particularly dangerous is that it entirely bypasses detections designed to scan for suspicious images, because the codes are composed entirely of text characters.
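The bypass described in the quote comes down to the QR grid being characters rather than pixels, so a defender can look for the characters instead of the image. Below is an added example, not SlashNext’s or this article’s code: a Python heuristic for a mail filter that flags runs of block-drawing characters forming a fixed-width grid in a message body. The sample mail is constructed (the checkerboard is only the shape of a code, not a scannable one), and the thresholds such as min_rows and min_ratio are assumptions to tune against your own mail flow.

```python
"""Heuristic detector for QR codes rendered as text characters (added example)."""

# Block-drawing characters typically used to draw a QR grid as text.
BLOCK_CHARS = set("█▀▄▌▐■▓▒░")


def block_char_ratio(line: str) -> float:
    """Fraction of the non-space characters in a line that are block characters."""
    chars = line.strip().replace(" ", "")
    if not chars:
        return 0.0
    return sum(ch in BLOCK_CHARS for ch in chars) / len(chars)


def find_text_qr_grids(body: str, min_rows: int = 8, min_ratio: float = 0.8,
                       width_tolerance: int = 2):
    """Return (first_line, last_line, width) for each run of at least
    ``min_rows`` consecutive lines that consist almost entirely of block
    characters and share (roughly) the same width.  An image-based QR
    scanner never sees these, because there is no image to scan."""
    grids = []
    start, widths = None, []
    for i, line in enumerate(body.splitlines() + [""]):  # sentinel closes the last run
        width = len(line.strip())
        is_block = block_char_ratio(line) >= min_ratio
        fits = is_block and (not widths or abs(width - widths[0]) <= width_tolerance)
        if fits:
            if start is None:
                start = i
            widths.append(width)
            continue
        if start is not None and len(widths) >= min_rows:
            grids.append((start, i - 1, max(widths)))
        # A block line of a different width starts a new candidate run.
        start, widths = (i, [width]) if is_block else (None, [])
    return grids


def looks_like_text_qr_phish(body: str) -> bool:
    """Convenience verdict for a mail filter: any grid at all deserves quarantine/review."""
    return bool(find_text_qr_grids(body))


# Constructed sample: lure text around a 21x21 checkerboard drawn with block
# characters.  It is NOT a scannable QR code, only the shape one would have.
_ROW_A = "█" + " █" * 10           # width 21
_ROW_B = "█" + "█ " * 9 + "██"     # width 21
SAMPLE_MAIL = "\n".join(
    ["Subject: Action required: verify your account",
     "Scan the code below with your phone to confirm your login.",
     ""]
    + [_ROW_A if r % 2 == 0 else _ROW_B for r in range(21)]
    + ["", "Thanks,", "IT Helpdesk"]
)

if __name__ == "__main__":
    print(find_text_qr_grids(SAMPLE_MAIL))        # [(3, 23, 21)]
    print(looks_like_text_qr_phish(SAMPLE_MAIL))  # True
```

The width check matters: ordinary text paragraphs rarely contain block characters at all, while a rendered code is a tall stack of equal-width lines, so requiring both properties keeps false positives low without having to decode anything.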

Significant QR code vulnerabilities

  • In China, scammers were caught placing fake parking tickets with QR codes on parked cars, offering convenient payment by phone.
  • In the Netherlands, fraudsters used a legitimate feature of a mobile banking app to scam bank customers with QR codes.
  • In Germany, fake emails containing QR codes lured eBanking customers to malicious websites under the pretext of reviewing privacy policy updates for their accounts.
  • In Texas, criminals pasted stickers with malicious QR codes onto city parking meters. This way, they tricked residents into entering credit card details into a fake phishing site.
  • Microsoft Sway: The cybersecurity firm that reported the campaign said it observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages starting in July 2024, with the ultimate goal of stealing users’ Microsoft 365 credentials. This is achieved by serving bogus QR codes hosted on Sway that, when scanned, redirect users to phishing websites.

How the Quishing (QR Phishing) Attack Works

  • Creating Malicious Content: Attackers use Microsoft Sway, a legitimate web-based presentation tool, to create and host phishing pages. Sway allows users to design and share content easily, which can be exploited to create convincing fake webpages that mimic real services.

  • Generating QR Codes: Once the malicious content is hosted on Sway, attackers generate QR codes that link to these phishing pages. Since Sway is a reputable service, the URLs generated might appear more trustworthy compared to other, less known domains.

  • Distributing QR Codes: The attackers distribute these QR codes through various methods such as emails, social media, or physical printouts. Victims who scan the QR codes are redirected to the fake Sway pages that are designed to steal their personal information.

  • Harvesting Data: When victims interact with the fake pages and enter their sensitive information, such as login credentials or financial details, the attackers capture and exploit this data.

Why This Method Is Effective

  • Legitimacy of the Platform: Microsoft Sway is a well-known and trusted platform, so URLs from it are less likely to raise suspicion.
  • Ease of Use: Creating and publishing content on Sway is straightforward, making it accessible for attackers to set up phishing pages without needing deep technical expertise.
  • Deceptive Appearance: The phishing pages can be designed to closely mimic real websites, increasing the likelihood that users will fall for the scam.

QR Code Attacks Have Become a Significant Cybersecurity Concern

  • The Fake Wi-Fi Network Scam: Cybercriminals place QR codes in public places, like cafes or airports, claiming to offer free Wi-Fi. Scanning the QR code connects users to a fake network, which can intercept sensitive information or redirect them to phishing sites.
  • Malicious Payment QR Codes: Attackers create QR codes that look like legitimate payment requests. When scanned, these codes redirect users to fake payment pages or apps that steal financial information or install malware.
  • Phishing for Personal Data: Fraudulent QR codes can direct users to fake login pages that mimic well-known services. The aim is to trick users into entering their credentials, which are then harvested by attackers.
  • Malware Distribution: QR codes can link to download sites for malicious software. When users scan the code and download the app or file, they inadvertently install malware that can compromise their devices and personal information.
  • Ransomware Attacks: Some QR codes are designed to lead to ransomware download sites. Once downloaded and executed, the ransomware encrypts the victim’s files and demands payment for the decryption key.
  • Credential Harvesting: Attackers use QR codes to direct victims to fake authentication pages for popular services. These pages collect login credentials, which can then be used to gain unauthorized access to accounts.
  • Social Engineering Scams: QR codes are sometimes used in social engineering scams where the code leads to a page that pretends to be an urgent message from a trusted entity, convincing victims to provide personal information or download harmful files.

How to Defend Against This Type of Attack

  • Verify the Source: Be cautious of QR codes from unknown or untrusted sources. If you receive a QR code unexpectedly, verify its authenticity before scanning.
  • Inspect URLs Carefully: When a QR code redirects you, scrutinize the URL before entering any information. Most QR scanner apps show a preview of the link before opening it. Only visit trusted web pages with URLs you recognize; alternatively, use a managed device to type the intended destination URL manually instead of navigating via the QR code.
  • Use Trusted Apps: Some security apps can scan QR codes and check URLs for safety before you open them. These apps can help identify potential threats.
  • Enable Security Features: Use web browsers or security tools that provide real-time phishing protection and block known malicious sites. Some security solutions also offer QR code scanning capabilities to check for potential threats.
  • Educate Yourself and Others: Awareness is crucial. Understanding the risks associated with QR codes and phishing can help you recognize and avoid these threats.
  • Be Cautious with QR Codes: Always be cautious when scanning QR codes, especially those received via unsolicited or suspicious channels. Verify the source and ensure you trust the origin of the QR code.
  • Report Suspicious Activity: If you encounter a QR code or a site that seems suspicious, report it to the relevant platform or service provider. For example, Microsoft has mechanisms to report misuse of its services.
  • Check Image Quality: Malicious QR codes may have poor image quality or look blurry when embedded in an email. This could be an initial sign that the QR code is not legitimate.
  • Confirm Before Sharing Data: Never give out personal information unless you’ve confirmed the legitimacy of a QR code with the organization in question.
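The “Inspect URLs Carefully” advice above can be automated in a scanner app or mail gateway that decodes the QR payload before the user taps it. The following is an added example, not from the article or any vendor: a Python triage of a decoded URL for the tell-tales this post describes (a brand name before an “@”, IP-literal hosts, brand tokens on non-brand domains, free content hosting such as Sway, redirect parameters). The BRAND_DOMAINS allow-list and the CONTENT_HOSTING entries are assumed, illustrative values; a real deployment loads them from its own intelligence.

```python
"""Triage a URL decoded from a QR code before anyone follows it (added example)."""
import ipaddress
from urllib.parse import urlparse, parse_qsl, unquote

# Brand tokens and the domains that legitimately carry them.  Illustrative, not
# exhaustive: a real deployment loads this from its own allow-list.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com",
                  "live.com", "cloud.microsoft"),
    "paypal": ("paypal.com",),
}
# Free content-hosting services of the kind the article describes being abused.
# Assumed example entries; keep the list current from your own intelligence.
CONTENT_HOSTING = {"sway.office.com", "sway.cloud.microsoft"}


def _is_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage_qr_url(url: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing obviously
    wrong, which is not the same as safe."""
    findings = []
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()

    if p.scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{p.scheme}'")
    elif p.scheme == "http":
        findings.append("plain http, anything typed in travels unencrypted")
    if p.username is not None:
        findings.append("userinfo before the host: the text before '@' is not the site")
    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible look-alike domain)")
    if host in CONTENT_HOSTING:
        findings.append("hosted on a free content platform, not the brand's own site")
    if host.count(".") >= 4:
        findings.append("deeply nested subdomain")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and not any(_is_under(host, d) for d in legit):
            findings.append(f"'{brand}' appears in host but host is not a {brand} domain")
    # A query parameter carrying a full URL is how a trusted page is used as a springboard.
    for key, value in parse_qsl(p.query, keep_blank_values=True):
        target = unquote(value).strip().lower()
        if target.startswith(("http://", "https://")):
            findings.append(f"redirect parameter '{key}' sends the visitor to {urlparse(target).hostname}")
    return findings


def risk_level(url: str) -> str:
    """Collapse the findings into low / medium / high for a scanner app or gateway."""
    n = len(triage_qr_url(url))
    return "high" if n >= 2 else "medium" if n == 1 else "low"


if __name__ == "__main__":
    for sample in ("https://login.microsoft.com/",
                   "http://microsoft.com@198.51.100.7/login",
                   "https://sway.office.com/abc?redirect=https%3A%2F%2Fmicrosoft-verify.example%2Flogin"):
        print(risk_level(sample), sample, triage_qr_url(sample))
```

The point of the layered checks is that no single one is conclusive: a Sway URL is normal for a Sway user, and a redirect parameter is normal for a login portal, but a QR payload that combines them is exactly the pattern this post describes, so the verdict escalates with the number of findings.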

By Ahmed Azeem
Res Opera DigiSolutions

I write about how to make your Internet browsing comfortable, Data Secure, and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Most Common User Threats and Vulnerabilities

There are many ways that attackers can uncover vulnerabilities and exploit systems. Cyber threats can be classified into different categories. This allows organizations to assess the likelihood of a threat occurring and understand the monetary impact of a threat so that they can prioritize their security efforts. 

No Awareness of Security

Users must be aware of and understand an organization’s sensitive data, security policies and procedures, technologies, and countermeasures that are implemented in order to protect information and information systems.

Poorly Enforced Security Policies

All users must be aware of and understand an organization’s security policies, as well as the consequences of non-compliance.

Data Theft

Data stolen by users can pose a significant financial threat to organizations, both in terms of the resulting damage to their reputation and the legal liability associated with the disclosure of sensitive information.

Unauthorized Downloads and Media

Many network and device infections and attacks can be traced back to users who have downloaded unauthorized emails, photos, music, games, apps, or videos to their computers, networks, or storage devices. The use of unauthorized media such as external hard disks and USB drives also poses a threat.

Unauthorized VPNs

Unauthorized VPNs can hide the theft of information because the encryption normally used to protect confidentiality can stop a network administrator from tracking data transmission (unless they have permission to do so).

Unauthorized Websites

Accessing unauthorized websites can pose a risk to a user’s data and devices, as well as the organization itself. Often, these websites prompt users to download scripts or plugins that contain malicious code or adware. Some of these sites can even take over user devices like cameras and applications.

Destruction of Systems, Applications or Data

The accidental or deliberate destruction or sabotage of systems, applications, and data poses a serious risk to all organizations. Activists, disgruntled employees, or industry competitors may attempt to delete data and destroy or misconfigure devices to make organizational data and information systems unavailable.

Always keep in mind that there are no technical solutions, controls, or countermeasures that will make information systems any more secure than the behaviors and processes of the people who use these systems.

Threats to Devices

Laptops, PCs, Macs

  • Any devices left powered on and unattended pose the risk of someone gaining unauthorized access to network resources.
  • Downloading files, photos, music, or videos from unreliable sources could lead to the execution of malicious code on devices.
  • Cybercriminals often exploit security vulnerabilities within software installed on an organization’s devices to launch an attack.
  • An organization’s information security teams must try to keep up to date with the daily discovery of new viruses, worms, and other malware that pose a threat to their devices.

USB, Memory Stick

  • Users who insert unauthorized USB drives, CDs, or DVDs run the risk of introducing malware, or compromising data stored on their device.
  • Policies are in place to protect an organization’s IT infrastructure. A user can face serious consequences for purposefully violating such policies.
  • Using outdated hardware or software makes an organization’s systems and data more vulnerable to attack.

Threats to LAN

The local area network (LAN) is a collection of devices, typically in the same geographic area, connected by cables (wired) or airwaves (wireless).

Because users can access an organization’s systems, applications, and data from the LAN domain, it is critical that it has strong security and stringent access controls.

Threats to Cloud

The private cloud domain includes any private servers, resources, and IT infrastructure available to members of a single organization via the internet. While many organizations feel that their data is safer in a private cloud, this domain still poses significant security threats, including:

  • Unauthorized network probing and port scanning
  • Unauthorized access to resources
  • Router, firewall or network device operating system or software vulnerabilities
  • Router, firewall or network device configuration errors
  • Remote users accessing an organization’s infrastructure and downloading sensitive data

Threat Intelligence and Research Sources

The United States Computer Emergency Readiness Team (US-CERT) and the U.S. Department of Homeland Security sponsor a database of common vulnerabilities and exposures (CVE). These CVEs have been widely adopted as a way to describe and reference known vulnerabilities.

Each CVE entry contains a standard identifier number, a brief description of the security vulnerability, and any important references to related vulnerability reports. The CVE list is maintained by a not-for-profit, the MITRE Corporation, on its public website.

The Dark Web

This refers to encrypted web content that is not indexed by conventional search engines and requires specific software, authorization, or configurations to access. Expert researchers monitor the dark web for new threat intelligence.

Indicator of Compromise (IOC)

IOCs such as malware signatures or malicious domain names provide evidence of security breaches and details about them.

Automated Indicator Sharing (AIS)

Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of cybersecurity threat indicators using a standardized and structured language. Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) are standards used in AIS.
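To make the IOC and STIX definitions above concrete, the Python below is an added example, not CISA’s AIS tooling and not built on the stix2 library: it constructs a minimal STIX 2.1 Indicator for the fastsms.su domain named in the SMS-stealer write-up on this page and matches it, subdomains included, against constructed DNS resolver log lines. The key=value log format is an assumption; adapt the regular expression to your resolver’s output.

```python
"""Building and consuming a STIX 2.1 domain-name indicator (added example)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Comparison expressions of the form [domain-name:value = 'x'] are all this matcher handles.
_PATTERN_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")


def make_domain_indicator(domain: str, name: str, created: str = "") -> dict:
    """Minimal STIX 2.1 Indicator object for a malicious domain."""
    ts = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


def domains_from_indicator(indicator: dict) -> list[str]:
    """Pull the domain literals out of a simple STIX pattern."""
    if indicator.get("pattern_type") != "stix":
        return []
    return [d.lower() for d in _PATTERN_RE.findall(indicator["pattern"])]


def match_dns_log(indicators: list[dict], log_lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, queried_name, indicator_id) for every query that hits an
    IOC, including subdomains of the listed domain."""
    watch = [(d, ind["id"]) for ind in indicators for d in domains_from_indicator(ind)]
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = re.search(r"\bquery=(\S+)", line)
        if not m:
            continue
        qname = m.group(1).rstrip(".").lower()   # normalise trailing dot and case
        for domain, ind_id in watch:
            if qname == domain or qname.endswith("." + domain):
                hits.append((n, qname, ind_id))
    return hits


# The domain comes from the SMS-stealer write-up on this page; the log lines are
# constructed in a simple key=value resolver format.
IOC_FASTSMS = make_domain_indicator("fastsms.su", "SMS stealer exfiltration domain",
                                    created="2024-08-01T00:00:00.000Z")
SAMPLE_DNS_LOG = [
    "2024-08-27T10:00:01Z client=10.0.0.5 query=play.google.com type=A",
    "2024-08-27T10:00:07Z client=10.0.0.5 query=api.fastsms.su. type=A",
    "2024-08-27T10:00:09Z client=10.0.0.8 query=example.org type=AAAA",
    "2024-08-27T10:01:15Z client=10.0.0.9 query=FASTSMS.SU type=A",
]

if __name__ == "__main__":
    print(json.dumps(IOC_FASTSMS, indent=2))
    for hit in match_dns_log([IOC_FASTSMS], SAMPLE_DNS_LOG):
        print("HIT", hit)
```

The indicator object is what would travel over TAXII between AIS participants; the matcher is the consuming side, and the subdomain rule is what turns a single shared domain into coverage of the API endpoint the write-up mentions.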

Follow Knocktotalk Blog & Social Media to stay up to date with Technology.

Written By – Ahmed Azeem  (CEO and Founder: Res Opera DigiSolutions)

Global SMS Stealer Campaign Targets Android Devices Across 100+ Countries

A massive campaign targeting Android devices globally uses thousands of Telegram bots to infect devices with SMS-stealing malware and steal one-time passwords (OTPs).

Zimperium Researchers discovered the operation and stated in their blog regarding the issue: “Android-targeted SMS stealer campaign that our zLabs team discovered and has tracked since February 2022. Since then, zLabs researchers have identified over 107,000 malware samples. Throughout this period, zLabs researchers have witnessed firsthand how the attacker has evolved the malware to stay current and effective. This highlights both the longevity and sophistication of the malware and the attackers behind the campaign.”

TELEGRAM BOTS

  • The SMS stealer is distributed via Telegram bots that automate communication with the victim.
  • At first, victims are led to a page imitating Google Play, showing inflated download counts to create a false sense of trust.
  • On Telegram, the bots promise to provide the user with a pirated application for the Android platform, asking for their phone number before sharing the APK file.
  • The Telegram bot uses that number to generate a new APK, making personalized tracking or future attacks possible.

Source: Zimperium.com

Most of the victims of this campaign are based in India and Russia, while Brazil, Mexico, and the United States also have significant victim counts.

Source: knocktotalk.com

Zimperium Researchers uncovered a crucial link that highlights the financial motive behind this large-scale malware campaign. They discovered a connection between a website, fastsms.su, and one of the malware samples from this campaign. Fastsms.su allows visitors to purchase access to “virtual” phone numbers in foreign countries, which they can use for anonymization and to authenticate to online platforms and services.

Source: knocktotalk.com

Zimperium also discovered that the malware transmits SMS messages from the infected device to a specific API endpoint on this domain. The malware actively searches for incoming messages originating from a global cloud email and office suite provider. This focus on messages from this service suggests a particular interest in intercepting one-time passwords (OTPs).

Source: zimperium.com

The Scale of the Campaign

The scale of this malware campaign is deeply shocking. Let’s take a look at some of the numbers zLabs researchers uncovered to truly understand the scale of this campaign:

  • Over 107,000 Unique Malware Applications
  • Over 95% of Malware Samples are Unknown or Unavailable
  • Over 60 Top-tier Global Brand Services Targeted
  • 113 Countries
  • 13 Command and Control (C&C) Servers
  • Extensive Telegram Bot Network

To avoid phone number abuse, do not download APK files from outside Google Play, do not grant risky permissions to apps whose functionality does not require them, and make sure Play Protect is active on your device.

Stay alert and proactive in safeguarding your devices to reduce the risk of falling victim to such campaigns.
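One concrete way to apply “do not grant risky permissions” before a sideloaded app is installed is to look at what its manifest asks for. The Python below is an added example, not Zimperium’s tooling: it reads a decoded AndroidManifest.xml (real APKs carry the manifest in binary form, so decoding it first with a tool such as apktool is assumed) and reports SMS permissions together with any receiver registered for the SMS_RECEIVED broadcast, which is the combination an SMS stealer needs to see a one-time code as it arrives. The manifest and the package name com.example.freegame are constructed.

```python
"""Triage the permissions an Android app asks for (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr: str) -> str:
    """ElementTree key for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions that let an app read or intercept SMS and therefore OTPs.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "app is notified of every incoming SMS",
    "android.permission.READ_SMS": "app can read the SMS inbox",
    "android.permission.SEND_SMS": "app can send SMS (premium-rate fraud, self-propagation)",
    "android.permission.READ_PHONE_NUMBERS": "app can learn the device's own number",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Parse a decoded AndroidManifest.xml and report SMS-related capabilities."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(android("name")) for el in root.iter("uses-permission")}
    risky = {p: why for p, why in SMS_PERMISSIONS.items() if p in requested}

    # A receiver registered for SMS_RECEIVED with a high priority is the
    # classic way an SMS stealer sees a one-time code as soon as it arrives.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(android("name")) == SMS_RECEIVED_ACTION:
                filt = receiver.find("intent-filter")
                prio = int(filt.get(android("priority"), "0")) if filt is not None else 0
                sms_receivers.append((receiver.get(android("name")), prio))

    return {
        "package": root.get("package"),
        "risky_permissions": risky,
        "sms_receivers": sms_receivers,
        "verdict": "block" if risky and sms_receivers else "review" if risky else "ok",
    }


# Constructed manifest for a hypothetical "free game" that has no business
# reading SMS.  Decode the binary manifest of a real APK (apktool assumed)
# before passing it here.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Free Game">
    <activity android:name=".MainActivity"/>
    <receiver android:name="com.example.freegame.SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

A game asking for RECEIVE_SMS is already a “review”; a game that also registers a high-priority SMS_RECEIVED receiver has described the stealer’s mechanism in its own manifest, which is why the verdict escalates to “block”.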


CrowdStrike’s Sensor Issue – From Crisis to Solution

Last week a major IT news event created a buzz in the world of IT. CrowdStrike, a well-known company offering cloud workload protection, endpoint security, threat intelligence and cyberattack response services, had an issue: a sensor update conflicted with the Windows operating system and resulted in the infamous ‘Blue Screen of Death’ and a global IT outage. Within roughly a week they succeeded in overcoming the disruption.

David Weston – Microsoft VP of Enterprise and OS Security described some facts about this Technology Glitch as, “We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.”

On Saturday, David Weston described his “first responder” approach: “Since the start, we engaged over 5,000 support engineers working 24×7 to help bring critical services back online. We are providing ongoing updates via the Windows release health dashboard, where we detail remediation steps, including a signed Microsoft Recovery Tool.”

George Kurtz, CEO of CrowdStrike, expressed gratitude as the situation was brought under control: “I want to share that over 97% of Windows sensors are back online as of July 25. This progress is thanks to the tireless efforts of our customers, partners, and the dedication of our team”.

He apologized for the disruption and promised to resolve it on an urgent basis. He stated, “To our customers still affected, please know we will not rest until we achieve full recovery. At CrowdStrike, our mission is to earn your trust by safeguarding your operations. I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted. While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency.”


What if someone creates an intimate photo of you and threatens to share it online?

What do you do if someone creates a nude or intimate photo of you using Photoshop, AI, or any other photo-editing tool and threatens to share it online?

With AI and deepfakes, even an apparently intimate photo or video can be fabricated or manipulated in unexpected ways. Be careful about what you share online, especially when it comes to children’s data. Remember, anything you share online is data.

Share the information with your friends and family by raising awareness and knowing where to go for help.  We can protect ourselves online from the spread of deepfakes.

Take It Down is for people who have images or videos of themselves nude, partially nude, or in sexually explicit situations taken when they were under the age of 18 that they believe have been or will be shared online. For example, maybe you sent a picture to someone, but now they’re threatening you or have posted it somewhere. Even if you’re unsure whether the image has been shared but want some help to try to remove it from places it may appear online, this service is for you. If there is an explicit image of you from when you were 18 or older, you can get help at StopNCII.

StopNCII.org is a project operated by the Revenge Porn Helpline. It uses innovative technology, adopted by tech companies, to help prevent people from becoming victims by stopping specific intimate images from being shared.

How StopNCII Works

  1. Select any intimate image(s)/video(s) from your device.
  2. StopNCII will generate a digital fingerprint – called a hash – of the image(s)/video(s) on your device. Don’t worry! Your identity will remain confidential. Only the hash is sent from your device, not the image/video itself. Your content will not be uploaded; it remains on your device.
  3. If your case is created successfully, you will receive a case number to check your case status – remember to make a note of your case number along with the PIN, to access your case after it is submitted. This is not recoverable.
  4. Participating companies will look for matches to the hash and remove any matches within their system(s) if it violates their intimate image abuse policy.
  5. StopNCII will periodically continue to look for fingerprint matches on participating websites.
  6. You may use your case number to check the progress on your case at any time or withdraw it.

Take It Down is a free service that can help you remove or stop the online sharing of nude, partially nude, or sexually explicit images or videos taken of you when you were under 18 years old. You can remain anonymous while using the service and you won’t have to send your images or videos to anyone. Take It Down will work on public or unencrypted online platforms that have agreed to participate.

How Take It Down Works

  1. Select the explicit image or video that you want hashed from your device and click on Get Started. Please do NOT send, share, or download any image or video in order to submit to Take It Down. Submissions should only be made for images or videos you already have on your device.
  2. For each image or video, Take It Down will generate a “hash” or digital fingerprint that can be used to identify an exact copy of that image or video.
  3. Your image or video remains on your device and is not uploaded. The hash is added to a secure list maintained by NCMEC that is shared only with participating online platforms who have agreed to use this list to scan their public or unencrypted sites and apps for the hashes of your explicit content.
  4. If an online platform detects an image or video on its public or unencrypted service that matches a hash value, it can take action to limit the spread of the explicit content!
  5. Please do not share the images/videos on any social media after you have submitted them here. Once the hash value for your image or video has been added to the list, online platforms may use them to scan their public or unencrypted services. If you post the content in the future, it may be flagged and could put a block on your social media account.
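Both services above rely on the same idea: the device computes a fingerprint, only the fingerprint leaves the device, and participating platforms compare fingerprints of new uploads against the list. The Python below is an added illustration of that flow; it is not the code or the hash algorithm either service uses (the page does not say which algorithm they use), and substitutes a toy 64-bit average hash that survives re-encoding such as brightening. The PlatformHashList class, the case id, the 32x32 pixel grids and the distance threshold are all constructed for the demo.

```python
"""How hash-based takedown works, using a toy perceptual hash (added example)."""

HASH_SIZE = 8  # 8x8 cells = 64-bit hash


def downscale(pixels, size=HASH_SIZE):
    """Box-average an H x W grayscale grid (rows of ints) down to size x size."""
    h, w = len(pixels), len(pixels[0])
    bh, bw = h // size, w // size
    out = []
    for by in range(size):
        row = []
        for bx in range(size):
            block = [pixels[y][x] for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def average_hash(pixels) -> int:
    """Average hash: bit is 1 where a cell is brighter than the image mean.
    Unlike a cryptographic hash, near-identical images get near-identical hashes,
    so a re-encoded or slightly edited repost still matches."""
    flat = [v for row in downscale(pixels) for v in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for v in flat:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


class PlatformHashList:
    """What a participating platform holds: case ids and hashes, never the images."""

    def __init__(self, max_distance: int = 10):
        self.entries = {}          # hash -> case id
        self.max_distance = max_distance

    def add_case(self, case_id: str, image_hash: int) -> None:
        self.entries[image_hash] = case_id

    def match(self, uploaded_pixels):
        """Run by the platform on a new upload; returns the matching case id or None."""
        h = average_hash(uploaded_pixels)
        best = min(self.entries.items(), key=lambda kv: hamming(kv[0], h), default=None)
        if best is not None and hamming(best[0], h) <= self.max_distance:
            return best[1]
        return None


# Constructed 32x32 grayscale "image" (values 0..199 so brightening never clips).
ORIGINAL = [[(x * 5 + y * 3) % 200 for x in range(32)] for y in range(32)]
BRIGHTER_COPY = [[v + 20 for v in row] for row in ORIGINAL]   # re-encoded, brightened repost
UNRELATED = [[199 - v for v in row] for row in ORIGINAL]      # a different picture

if __name__ == "__main__":
    user_hash = average_hash(ORIGINAL)          # computed on the user's device
    platform = PlatformHashList()
    platform.add_case("case-0001", user_hash)   # only the hash leaves the device
    print(platform.match(BRIGHTER_COPY))        # case-0001
    print(platform.match(UNRELATED))            # None
```

Two properties carry the privacy claim in the steps above: the platform receives 64 bits it cannot turn back into a picture, and matching is a distance comparison rather than an exact lookup, so the repost does not have to be byte-identical to be caught.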

StopNCII Industry Partners:

Companies who will receive cases and hashes from StopNCII.org:

  • Facebook
  • Instagram
  • Threads
  • TikTok
  • Reddit
  • Bumble
  • Pornhub
  • Niantic
  • OnlyFans
  • Snap Inc.


Chrome New Feature Scanning Files for Malicious Content

“We have replaced our previous warning messages with more detailed ones that convey more nuance about the nature of the danger and can help users make more informed decisions,” Jasika Bawa, Lily Chen, and Daniel Rubery from the Chrome Security team said.

To that point, Google has introduced two categories of download warnings based on measures provided by Google Safe Browsing:

  • Suspicious files
  • Dangerous files

Each category comes with its own graphics, colors, and fonts to help set them apart from each other and help users make the right choice.

Google is also adding automatic deep scans for users who have opted into Enhanced Safe Browsing mode in Chrome, so they are no longer sent to Safe Browsing for a deep scan before opening a file each time.

“In Standard Protection mode, downloading a suspicious encrypted archive will also trigger a prompt to enter the file’s password, but in this case, both the file and the password stay on the local device and only the metadata of the archive contents are checked with Safe Browsing,” it said.

STANDARD PROTECTION:

When you use Chrome, Standard protection is on by default, and you’ll receive warnings about sites, downloads, and extensions that have been identified as dangerous.

In order to hide your IP address when you visit a site, Chrome sends an obfuscated portion of the URLs you visit through privacy servers before they’re forwarded to Google. Neither Google nor the third-party operating the privacy server can see both the URL you’re visiting and your IP address. Google checks the obfuscated portion of the URL against Safe Browsing lists and warns you if the site is on one of the lists.

Standard protection:

  • Sends full URLs and bits of page content to Google only if a site does something suspicious.
  • Provides an option to help improve security for you and everyone on the web.
  • Provides an option to warn you if you use a password that’s been compromised in a data breach.

ENHANCED PROTECTION:

When you turn on Enhanced protection, you’ll receive warnings about potentially dangerous sites, downloads, and extensions, even ones Google didn’t previously know about.

When you visit a site, Chrome sends the URL of the site and a small sample of page content, extension activity, and system information to Google Safe Browsing to check if they’re potentially harmful, including in-depth scans of suspicious downloads. Info sent to Google Safe Browsing is only used for security purposes.

If you’re signed in to your Google Account, Safe Browsing protection extends across your Google services by saving this data to your Google Account — for example, Safe Browsing can increase protection in Gmail after a security incident.

Enhanced protection:

  • Improves security for you and everyone on the web.
  • Warns you if you use a password that’s been compromised in a data breach.
  • Doesn’t noticeably slow down your browser or device.

Change your Safe Browsing protection level

  1. On your computer/laptop, open Chrome.
  2. At the top right, select More > Settings.
  3. On the left, select Privacy and security > Security.
  4. Select the level of “Safe Browsing” you want to use.
    • Enhanced protection
    • Standard protection
    • No protection

For a more private and secure browsing experience, you can also review and manage your Advanced security settings. 

  1. On your Android device, open Chrome.
  2. Tap More > Settings.
  3. Tap Privacy and Security > Safe Browsing.
  4. Select the level of “Safe Browsing” you want to use.
    • Enhanced protection
    • Standard protection
    • No protection

  1. On your iPhone or iPad, open Chrome.
  2. Tap More > Settings.
  3. Tap Privacy and Security > Safe Browsing.
  4. Select the level of “Safe Browsing” you want to use.
    • Enhanced protection
    • Standard protection
    • No protection
