A survey of the QR code phishing: the current attacks and countermeasures

The quick response (QR) code has gained popularity and has been adapted for various applications, such as serving as a pointer to digital information and as a means of authentication. While the code offers convenience as a physical pointer to the digital world, it can be manipulated to divert the intended destination of the link to a malicious site. Thus, QR codes can be easily exploited by phishers to launch phishing attacks. Here, the current phishing attacks that utilise the QR code as a vector are surveyed and categorised. The recent countermeasures for such attacks are surveyed as well. It is also found that current countermeasures are insufficient and face challenges such as barcode-in-barcode attacks, high-overhead solutions and limited data space in the code. In comparison to the amount of work done in web and email phishing detection, QR code phishing detection is still inadequate. This paper hopes to shed light on the recent phishing attacks using QR codes and the countermeasures proposed to tackle these attacks.
