Quishing - A Review of QR Code Attacks and a Framework Design for Safe Scanning
摘要
QR (Quick Response) codes are widely used nowadays in both physical and online environments for quickly sharing an extensive range of information (URLs, text, contact details, etc.). Quishing is a social engineering attack that uses QR codes to manipulate users to disclose sensitive data or to access malicious content. According to numerous security companies, the number of QR code attacks increased exponentially since the COVID-19 pandemic. This paper describes various attack types targeting or using QR codes as the attack vector. Their impact ranges from sensitive information disclosure to significant financial losses from fake payment links or crypto-wallet hi-jacking. The attack mechanisms are presented in detail, along with proposed protection methods. An innovative framework is proposed to use QR codes safely in various environments. It uses both technical methods (URL reveal, URL testing for malware against blacklists, etc.) and user vigilance awareness to develop a universal methodology that is applicable when scanning QR codes.