UPDATED 10:00 EDT / JUNE 18 2025

SECURITY

INKY warns of new QR code phishing tactic using embedded JavaScript

A new report out today from cybersecurity company INKY Technology Corp. is sounding the alarm over a new wave of phishing threats that use QR codes in increasingly dangerous and deceptive ways, including leveraging embedded JavaScript payloads that execute instantly upon scanning, with no link clicks required.

QR code-based phishing, or “quishing,” is not new. INKY itself warned about its growing prominence back in 2023, but fast-forward two years and INKY says that attackers are now going a step further by embedding raw HTML and JavaScript into QR codes using data uniform resource identifiers.

The new quishing methodology differs from traditional QR threats, which redirect users to malicious websites. Instead, the codes carry payloads that execute entirely within the browser, hijacking login pages, capturing keystrokes and even launching exploits as soon as a user scans the code. Often, users don’t even need an active internet connection if the payload is self-contained.

The new technique sees attackers embed base64-encoded HTML in the QR code itself. When scanned by a mobile camera or QR scanning app, the code is automatically opened in the system browser and executed.

Once the QR code has been scanned and has become active, malicious JavaScript can then simulate login portals, exfiltrate data via hidden forms and fingerprint devices for further exploitation. The QR codes also evade standard email security tools, proxies and threat intelligence systems, as the payload is embedded in the code and never touches an external URL, at least when initially executed.
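A defensive check for the technique described above, as an added example that is not from the INKY report or this article: it inspects the text already decoded from a QR code (for instance in a mail gateway or scanner app) and flags data URIs whose body would render as HTML or contains active markup. The function name, marker list and sample payload are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, unquote_to_bytes

# Markup that signals active content in a decoded payload (illustrative, not exhaustive).
ACTIVE_MARKERS = {
    "script": re.compile(rb"<\s*script\b", re.I),
    "form": re.compile(rb"<\s*form\b", re.I),
    "event_handler": re.compile(rb"\bon(?:load|error|click|submit|key\w+)\s*=", re.I),
    "javascript_uri": re.compile(rb"javascript\s*:", re.I),
}
DATA_URI = re.compile(r"^\s*data:(?P<meta>[^,]*),(?P<body>.*)$", re.I | re.S)
RENDERED_TYPES = ("text/html", "application/xhtml+xml", "image/svg+xml")

# Constructed sample: harmless markup standing in for the text decoded from a QR code.
SAMPLE_HTML = b"<form action='#'><input name='user'></form><script>void 0</script>"
SAMPLE_QR_TEXT = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML).decode()

def inspect_qr_text(text):
    """Return (verdict, findings) for QR text; verdict is ok, suspicious or block."""
    m = DATA_URI.match(text)
    if not m:
        return "ok", []  # not a data URI: leave it to ordinary URL filtering
    parts = [p.strip().lower() for p in m.group("meta").split(";")]
    mime = parts[0] or "text/plain"  # RFC 2397 default when no media type is given
    body = m.group("body")
    if "base64" in parts[1:]:
        compact = re.sub(r"\s+", "", unquote(body))  # undo %-escapes, drop whitespace
        try:
            raw = base64.b64decode(compact + "=" * (-len(compact) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "suspicious", ["undecodable base64 in data URI"]
    else:
        raw = unquote_to_bytes(body)
    findings = [name for name, rx in ACTIVE_MARKERS.items() if rx.search(raw)]
    if mime in RENDERED_TYPES or findings:
        return "block", [f"mime={mime}"] + findings
    return "suspicious", [f"mime={mime}"]  # a data URI in a QR code is unusual by itself
```

Any data URI is treated as at least suspicious here because legitimate QR codes almost always carry a plain URL or short text.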

The report highlights the open-source Backdooms project, an HTML5 implementation of the computer game “Doom” that can be fully embedded in a QR code, as an example that demonstrates how advanced compression and encoding techniques can turn QR codes into executable delivery systems. INKY warns that threat actors are already using similar methods to hide malware and evade detection.

With the methodology likely to grow in prominence, INKY recommends that organizations train users to avoid scanning unsolicited QR codes, disable automatic browser opening in QR scanning apps, and report suspicious emails to security teams.
