Today I'm publishing the research I started to work on last year, but I was too busy with the Evilginx Mastery course to publish it at the time. If you want a quick TL;DR rundown of what this blog post is about, check out the demo video I prepared.

Background

In recent years, I've noticed that more and more web applications have begun to offer a new way to sign in: through QR code scanning. This method is especially convenient if you have a mobile app on your phone corresponding to the web application you are trying to sign into in your web browser. Here are the most popular websites you can sign into, in any web browser, by scanning a QR code within the mobile application: Discord, Telegram, WhatsApp, Steam, TikTok and Binance.

To sign in, you open the mobile application, navigate to "Scan QR code" (usually residing somewhere within your profile settings in the mobile application) and scan the QR code with your phone camera. The QR code displayed on every sign-in page is nothing more than a dynamically generated session token, which you can authorize with your mobile application to pair it with your account. Try to scan any of these QR codes with your phone's camera and you'll see the code translates into a unique string, usually presented in URL format.

Now let's imagine whether there is any potential way attackers could convince users to scan a QR code carrying a session token they control.

One day you receive an email telling you that you've been granted exclusive access to a private Discord server, where highly valuable information will be shared among the participants. All you need to do is open the attached link and scan the QR code with your Discord application. You click the link and the following website shows up in your web browser:

(Image: Phishing page deployed and hosted by the attacker)

Since you are pretty excited to join, you open your Discord application and scan the QR code showing up on the screen of your PC. Discord asks you to confirm if you want to sign in using the scanned QR code. You think it makes sense that you need to be signed in to join the Discord server, so you agree without hesitation. Once you approve the login attempt, the website redirects you to the Discord server page. You lose interest and go back to your other activities, all without realizing you've just given the attacker full access to your account.

Here is the step-by-step process of what the attacker did to pull off this phishing attack, using the Evil QR toolkit:

1. The attacker opens the official Discord login page within their web browser to generate the sign-in QR code.
2. Using the Evil QR browser extension, the attacker extracts the sign-in QR code from the login page and uploads it to the Evil QR server, where the phishing page is hosted.
3. The phishing page, hosted by the attacker, dynamically displays the most recent sign-in QR code controlled by the attacker.
4. Once the target successfully scans the QR code, the attacker takes over the phished account.

The concept of phishing users with sign-in QR codes is not new; it was broadly documented by Mohamed Abdelbasset Elnouby from Seekurity in 2016! I highly recommend you read this post, as it covers a lot of information about the potential attack vectors which could be used to pull off such attacks. The technique was later officially recognized as QRLJacking, and a QRLJacker tool was also released in 2020 to demonstrate how such attacks can be executed. The Evil QR idea is just a spin-off of the same idea.

To demonstrate this interesting phishing technique, I've developed a set of proof-of-concept tools for demonstration purposes. As you can see below, the Evil QR attack can be customized using personalized phishing pre-text, with dynamic updates, for every website separately. You can find the open-sourced Evil QR toolkit on my GitHub if you're interested in trying it out yourself.

The Evil QR browser extension can detect and extract QR codes within websites, no matter how they are rendered. The extension supports extracting QR codes rendered as CANVAS, IMG, SVG or even DIV (by taking a screenshot with the html2canvas library).
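The check a defender would want for the relay scenario above, as an added example that is neither Evil QR code nor any listed service's real implementation: a constructed model of a site's QR sign-in endpoint whose approval step validates the scanned URL's host, expires and single-uses the token, and refuses to approve silently when the phone scanning the code is on a different network than the browser that requested it, which is exactly the situation when the displayed code was relayed from the attacker's browser. The host name, the token lifetime and the IP-based mismatch rule are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

QR_TOKEN_TTL = 60                     # assumed lifetime of a displayed QR token, seconds
LOGIN_HOST = "login.example.invalid"  # placeholder host; the real service's host goes here


@dataclass
class PendingQr:
    browser_ip: str    # public IP of the browser that requested the QR code
    browser_ua: str    # user agent of that browser
    issued_at: float


class QrLoginServer:
    """Constructed model of a site's QR sign-in endpoint (not any real service's code)."""

    def __init__(self):
        self.pending = {}   # token -> PendingQr, awaiting a scan
        self.sessions = {}  # token -> user who approved it

    def issue_qr(self, browser_ip, browser_ua, now=None):
        """A browser asks for a QR code; the token is bound to that browser's context."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingQr(browser_ip, browser_ua, now or time.time())
        return f"https://{LOGIN_HOST}/qr-login?token={token}"  # the string encoded in the QR

    def approve_scan(self, scanned, user, phone_ip, user_saw_details=False, now=None):
        """The mobile app submits the scanned string; returns (status, details)."""
        url = urlparse(scanned)
        if url.scheme != "https" or url.hostname != LOGIN_HOST:
            return "rejected", "QR payload does not belong to this service"
        token = parse_qs(url.query).get("token", [None])[0]
        pending = self.pending.get(token)
        if pending is None:
            return "rejected", "unknown or already used token"
        if (now or time.time()) - pending.issued_at > QR_TOKEN_TTL:
            del self.pending[token]
            return "rejected", "token expired"
        details = f"sign-in requested by a browser at {pending.browser_ip} ({pending.browser_ua})"
        # A relayed QR code is displayed by the attacker's browser, so the phone that scans it
        # is usually on a different network: do not approve silently, show the user the details.
        if phone_ip != pending.browser_ip and not user_saw_details:
            return "needs_review", details
        del self.pending[token]
        self.sessions[token] = user
        return "approved", details
```

The "needs_review" outcome is where the mobile app should show the requesting browser's IP and user agent before letting the user confirm, so that a code relayed from elsewhere is at least visible as such.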