The Drop Organization

What is QRLJacking

Scanning random QR codes is already a risky proposition, and a newly detailed social engineering attack vector named QRLJacking adds another layer of risk to their use. Many web services offer the option of logging into an account with a QR code: chat apps such as WhatsApp and Weibo, the email service QQ Mail, e-commerce services such as Alibaba and AliExpress, and many more.

Quick Response Code Login Jacking (QRLJacking) is a method of tricking users into effectively logging into an online account on behalf of the attacker by making them scan the wrong QR code. It is a simple social engineering attack vector, but one capable of full session hijacking. It affects every application that offers the “Login with QR code” feature as a secure way to log into accounts. In short, the victim scans the attacker’s QR code instead of their own, which results in session hijacking: everything needed to drive the WhatsApp Web session is handed to the attacker.

How is QRLJacking used?

The attacker begins by opening a client-side QR login session and clones the login QR code into a phishing website: “Now a well-crafted phishing page with a valid and regularly updated QR Code is ready to be sent to a victim.” The attacker then sends the phishing page to the victim. The victim scans the QR code with the specific targeted mobile app, which allows the attacker to gain control over the victim’s account. All of the victim’s data is then exchanged over the attacker’s session.

Implications of QRLJacking

QRLJacking and Advanced Real Life Attack Vectors

Combining more than one vector gives a better result than using a single one. QRLJacking can be combined with more powerful attack vectors and methods to make it more reliable and more convincing to the victim. Below we have discussed some combined attack vectors:

How can you defend against QRLJacking?

The best defence against QRLJacking is to stop using “Login with QR code” except where it is truly necessary. Besides that, there are many ways to mitigate this issue, and they can be used together or standalone:
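As an added illustration that is not part of the original article, the following constructed Python sketch shows a server-side QR login flow with the kind of controls that blunt QRLJacking: the login token is short-lived and single-use, it is bound to the browser session that requested it, and the mobile app must approve with the requesting browser's network context visible, so a code relayed through a phishing page can be refused or at least audited. Class, method and IP values are all constructed for the example.

```python
import secrets
import time

# Constructed example: a server-side state machine for "login with QR code".
# Mitigations modelled here: short token lifetime, single use, binding the token
# to the browser session that asked for it, and an approval step in the phone app
# that surfaces the requesting browser's IP so a mismatch (QR code issued to an
# attacker's browser, scanned from the victim's network) is visible and logged.

TOKEN_TTL = 30  # seconds; a QR code relayed through a phishing page goes stale fast


class QRLoginServer:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # token -> {"browser": session_id, "ip": ip, "issued": ts}
        self.sessions = {}      # browser session_id -> logged-in user
        self.audit = []         # rejected approvals, for the SOC to review

    def issue_qr(self, browser_session, browser_ip):
        """Called by the web client that is polling for a login QR code."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"browser": browser_session,
                               "ip": browser_ip, "issued": self.now()}
        return token  # this value is what gets encoded into the QR image

    def approve_from_phone(self, token, user, phone_ip, user_confirmed):
        """Called by the already-authenticated mobile app after a scan.
        Returns (ok, reason); the app shows the requester's IP to the user
        before asking for confirmation."""
        entry = self.pending.pop(token, None)    # single use: a second scan fails
        if entry is None:
            return self._reject(user, "unknown or already used token")
        if self.now() - entry["issued"] > TOKEN_TTL:
            return self._reject(user, "token expired")
        # A phished QR code was issued to the attacker's browser, so its IP will
        # not match the network the victim's phone is on. Refuse unless the user
        # explicitly confirmed the mismatch after seeing it.
        if entry["ip"] != phone_ip and not user_confirmed:
            return self._reject(user, "network mismatch; explicit confirmation required")
        self.sessions[entry["browser"]] = user
        return True, "login approved"

    def _reject(self, user, reason):
        self.audit.append((self.now(), user, reason))
        return False, reason

    def whoami(self, browser_session):
        """Which user, if any, the browser session was bound to."""
        return self.sessions.get(browser_session)
```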