December 2, 2023
Nov 21, 2023 | The Hacker News | Cybercrime / Malware Analysis

Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of tricking victims into revealing sensitive information or installing malicious software. One of the current trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how these attacks are carried out and learn to detect them.

Quishing

Quishing, a phishing technique whose name combines "QR" and "phishing," has become a popular weapon for cybercriminals in 2023. By concealing malicious links within QR codes, attackers can evade conventional spam filters, which are mainly geared towards identifying text-based phishing attempts. The inability of many security tools to decode the content of QR codes further makes this method a go-to option for cybercriminals.

An email containing a QR code with a malicious link

Analyzing a QR code with an embedded malicious link in a safe environment is simple with ANY.RUN:

  1. Simply open this task in the sandbox (or upload your file with a QR code).
  2. Navigate to the Static Discovering section (by clicking the name of the file in the top right corner).
  3. Select the object containing the QR code.
  4. Click "Submit to Analyze."

The sandbox will then automatically launch a new task window, allowing you to analyze the URL identified within the QR code.

CAPTCHA-based attacks

CAPTCHA is a security solution used on websites to prevent automated bots from creating fake accounts or submitting spam. Attackers have managed to exploit this tool to their advantage.

A phishing attack CAPTCHA page displayed in the ANY.RUN sandbox

Attackers are increasingly using CAPTCHAs to mask credential-harvesting forms on fake websites. By generating hundreds of domain names using a Randomized Domain Generated Algorithm (RDGA) and implementing CloudFlare's CAPTCHAs, they can effectively hide these forms from automated security systems, such as web crawlers, which are unable to bypass the CAPTCHAs.

A fake Halliburton login page

The example above shows an attack targeting Halliburton Corporation employees. It first requires the user to pass a CAPTCHA check and then presents a realistic Office 365 private login page that is difficult to distinguish from the real page.

Once the victim enters their login credentials, they are redirected to a legitimate website, while the attackers exfiltrate the credentials to their Command-and-Control server.

Learn more about CAPTCHA attacks in this article.

Steganography malware campaigns

Steganography is the practice of hiding data inside various media, such as images, videos, or other files.

A typical phishing attack that uses steganography begins with a carefully crafted email designed to appear legitimate. Embedded within the email is an attachment, often a Word document, accompanied by a link to a file-sharing platform like Dropbox. In the example below, you can see a fake email from a Colombian government organization.

A phishing email is usually the first stage of an attack

The unsuspecting user who clicks the link inside the document downloads an archive, which contains a VBS script file. Upon execution, the script retrieves an image file, seemingly harmless but containing hidden malicious code. Once executed, the malware infects the victim's system.

To understand how steganography attacks are carried out and detected, read this article.

Expose phishing attacks with ANY.RUN

ANY.RUN is a malware analysis sandbox that is capable of detecting a wide range of phishing techniques and letting users examine them in detail.

Check out ANY.RUN’s Black Friday Deal, available November 20-26.

The sandbox offers:

  • Fully interactive Windows 7, 9, 10, 11 virtual machines
  • Comprehensive reports with IOCs and malware configs
  • Private analysis of an unlimited number of files and links
