3 min Security

Security systems struggle with malicious QR codes made from ASCII characters

Insight: Security

Security systems struggle with malicious QR codes made from ASCII characters

The number of phishing attempts using QR codes (quishing) is on the rise, according to Check Point Research. Also, malicious QR codes are increasingly composed of ASCII characters that fool optical character recognition systems because strictly speaking, they are not images, but text.

Check Point Research, the research arm of cyber security firm Check Point, reports that the number of QR code attacks has increased significantly this year. Between January and March 2024, researchers observed a 587 percent increase, with another 363 percent increase between April and May. These QR codes show up in emails that cybercriminals send to intended victims. They instruct them to scan the code to reset multifactor authentication because it will supposedly expire otherwise.

In reality, the QR code leads to a rogue website that might mimic the victim’s bank’s website, for example. Victims who get duped and leave their personal credentials at such a site might face terrible consequences.

QR codes made from ASCII characters are on the rise

In May, the researchers came across some 600 examples of a new type of quishing campaign, where the QR code is not in an image but made with ASCII characters and displayed via HTML. ASCII (American Standard Code for Information Interchange) is the most commonly used character encoding format for text data on computers and the Internet.

The example below shows the difference between a classic QR code (right) and a QR code based on ASCII characters. The distinction is subtle, but one is an image and the other was originally created via HTML. In an email, it looks like a ‘regular’ QR code at first glance. Note that the QR code below on the left is an image of an ASCII-based code.

Left: QR code from a phishing campaign. Right: standard QR code

Bypassing OCR tools

The QR codes based on ASCII characters manage to bypass security tools that use OCR (Optical Character Recognition) because they do not recognize it as an image and thus greenlight it as if it were plain text. “Security systems have a lot of trouble seeing and detecting these,” stated Zahier Madhar, cybersecurity engineer expert at Check Point.

“Quishing is hard to spot and often you can’t immediately see where a QR code leads. To protect against such attacks, it is best to opt for security that automatically decodes QR codes in emails and analyzes the URLs for malicious content,” Madhar advises. “In addition, there are programs that rewrite the embedded QR codes in an e-mail and replace them with a secure link.”

He adds that it is not enough to rely solely on security solutions on computers. After all, most QR codes are scanned with a cell phone. “Security has multiple layers and protecting every device and access route is important. Because phishing is getting smarter, these days you can’t do without advanced AI to look at multiple indicators of phishing.” Not coincidentally, Check Point offers such solutions, like through its own Infinity Platform.

Also read: Check Point Infinity AI Copilot helps with security