Novel phishing techniques to evade detection: ASCII-based QR codes and ‘Blob’ URIs
Even the most sophisticated phishing campaigns face failure if they cannot get past security defenses, so it is not surprising that cyberattackers continue to try out new techniques that might help them to avoid detection.
In this blog, we highlight two novel evasive techniques detected recently by Barracuda threat analysts.
The first involves a QR code that, instead of being a static image, is built from combinations of ASCII/Unicode ‘block’ (█) characters. This tactic is designed to prevent security software from extracting the malicious URL from the QR code.
The second technique involves the use of ‘Blob’ (binary large object) uniform resource identifiers (or URIs), which access locally generated data within the browser rather than relying on known malicious domains. These Blob URIs are created dynamically and can expire quickly, which makes them challenging to track and analyze. Additionally, because some security controls do not scrutinize Blob URIs as thoroughly as they would more traditional HTTP or HTTPS links, phishing attempts using such URIs can bypass initial detection mechanisms.
A new generation of malicious QR codes
A year ago, the volume of QR code-based phishing attacks suddenly increased. Barracuda data shows that around 1 in 20 mailboxes were targeted with QR code attacks in the last quarter of 2023.
These attacks generally involved static, image-based QR codes. Attackers embedded malicious links into the QR code and encouraged users to scan the code, which would then take them to a fake page that appeared to be a trusted service or application.
Security measures quickly adapted. Tools such as optical character recognition (OCR) scanning can extract the URL embedded in a QR code, check it, and block it if it is malicious.
Barracuda threat analysts have identified a new generation of QR code phishing, designed to evade OCR-based defenses. In these attacks, the QR code ‘image’ is created out of ASCII/Unicode characters.
In an email, it will look like a traditional QR code. To a typical OCR detection system, it appears meaningless.
Example 1
The phishing attack appears to be a ‘Payroll and Benefits Enrolment’ file shared by Admin. When an unsuspecting recipient scans the QR code and clicks the link, it will take them to a fake Microsoft login page.
A closer look at the QR code reveals a line between each block. This is because the QR code is not an image but has been carefully constructed from the ‘Full Block’ character (█).
Example 2
In this instance, the attacker tries to impersonate the courier company DHL and asks the recipient to fill out a form by scanning the QR code. When the QR code is scanned, it redirects the victim to a phishing site.
The QR code is built from a combination of two Unicode characters: ‘Lower Half Block’ (0x2584) for the horizontal lines and ‘Full Block’ (0x2588) for the vertical lines. In this case, the white patches in the QR code are created with the ‘non-breaking space’ (nbsp) character.
A multitude of combinations
As the above examples show, there are several ways to represent a ‘block’ using the ASCII or Unicode character set.
In fact, there are 32 distinct ‘block’ characters, in three main categories:
- Full Blocks - 3
- Partial Blocks - 17
- Quadrants - 12
Each of these can be encoded in a phishing email as an HTML entity, in UTF-8, or in UTF-16. In other words, there are 96 possible combinations.
The table below outlines the different ways ‘block’ characters can be used in phishing pages:
Additionally, in the case of HTML Entities, each ‘block’ can have multiple representations, and attackers can use single blocks or block combinations to generate their ASCII/Unicode-based QR codes. This all increases the total number of possible combinations and makes ASCII-based QR codes challenging to detect.
Barracuda recommends that if security technologies flag the potential use of an ASCII QR code in a phishing attack, the easiest option is to take a screenshot of the phishing email and pass it to an OCR engine to read the URL behind the QR code.
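The steps the section above implies for a defender (decode whichever entity or UTF encoding the block characters arrived in, find the rows of block characters, and hand an image rather than text to an OCR or QR engine) are shown in the following Python example. It is added here and is not code from the original post or from any Barracuda product. The sample email, the row and block-count thresholds, the two-pixels-per-cell rendering of half blocks, and the PBM output are all assumptions made for the example; it also assumes the MIME layer has already decoded the email body (UTF-8 or UTF-16) into a Python string.

```python
import html
import re

# Unicode "Block Elements" (U+2580..U+259F): the 32 characters the post counts.
BLOCK_RANGE = range(0x2580, 0x25A0)

# (top, bottom) darkness of one text cell for the characters seen in the examples.
# Any other Block Elements character is treated as fully dark (assumption);
# whitespace, including the non-breaking space used for white modules, is light.
HALF_PIXELS = {
    "\u2588": (1, 1),   # Full Block
    "\u2580": (1, 0),   # Upper Half Block
    "\u2584": (0, 1),   # Lower Half Block
    " ": (0, 0),
    "\u00a0": (0, 0),   # non-breaking space (&nbsp;)
}

LINE_BREAK_RE = re.compile(r"<br\s*/?>|</p>|</div>|</tr>", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def is_block_char(ch):
    return ord(ch) in BLOCK_RANGE


def text_rows_from_html(raw_html):
    """Decode entities (&#9608;, &#x2588;, &nbsp; ...) and drop tags, keeping
    one text row per rendered line. Assumes the body is already a str."""
    text = html.unescape(TAG_RE.sub("", LINE_BREAK_RE.sub("\n", raw_html)))
    return text.splitlines()


def block_rows(raw_html):
    """Only the rows that contain Block Elements characters."""
    return [row for row in text_rows_from_html(raw_html)
            if any(is_block_char(c) for c in row)]


def looks_like_text_qr(raw_html, min_rows=11, min_blocks=150):
    """Heuristic flag: a QR symbol is at least 21x21 modules, so a text-built one
    needs many rows dense with block characters. Thresholds are assumptions to
    tune, not values from the post."""
    rows = block_rows(raw_html)
    total = sum(1 for row in rows for c in row if is_block_char(c))
    return len(rows) >= min_rows and total >= min_blocks


def render_pixels(rows):
    """Text rows -> 0/1 matrix, two pixel rows per text row so that half blocks
    keep their vertical resolution."""
    width = max((len(r) for r in rows), default=0)
    pixels = []
    for row in rows:
        top, bottom = [], []
        for ch in row.ljust(width, "\u00a0"):
            t, b = HALF_PIXELS.get(ch, (1, 1) if is_block_char(ch) else (0, 0))
            top.append(t)
            bottom.append(b)
        pixels.append(top)
        pixels.append(bottom)
    return pixels


def to_pbm(pixels, scale=4):
    """Plain PBM (P1) bitmap with each module scaled up, ready for a QR decoder
    or OCR engine that cannot read the text form. In PBM, 1 is black."""
    if not pixels:
        return ""
    lines = ["P1", f"{len(pixels[0]) * scale} {len(pixels) * scale}"]
    for row in pixels:
        expanded = " ".join(str(p) for p in row for _ in range(scale))
        lines.extend([expanded] * scale)
    return "\n".join(lines) + "\n"


# Constructed mini sample mixing the encodings the post lists: decimal and hex
# HTML entities, literal UTF-8 characters, and &nbsp; for white modules. It is
# far smaller than a real QR symbol, so the thresholds are lowered when checked.
SAMPLE_EMAIL = (
    "<p>Your Payroll and Benefits Enrolment file is ready. Scan to review:</p>"
    "<div style=\"font-family:monospace\">"
    "&#9608;&#9608;&#9608;&nbsp;&#x2588;<br>"
    "&#9608;&nbsp;&#9608;&nbsp;\u2584<br>"
    "&#9608;&#9608;&#9608;&nbsp;&#x2580;<br>"
    "&nbsp;&nbsp;&nbsp;&nbsp;&#9608;<br>"
    "&#9608;&#x2584;&#9608;\u2588&#9608;"
    "</div>"
)

if __name__ == "__main__":
    rows = block_rows(SAMPLE_EMAIL)
    print("rows with block characters:", len(rows))
    print("flagged:", looks_like_text_qr(SAMPLE_EMAIL, min_rows=5, min_blocks=15))
    print(to_pbm(render_pixels(rows), scale=1))
```

The PBM text written by `to_pbm` can be saved to a file and passed to any QR decoder or OCR engine that accepts bitmaps, which replaces the manual screenshot step for mail that is processed automatically. The UTF-16 case needs no extra handling here because the transport decoding already happened before the string reached `text_rows_from_html`.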
The evasive potential of Blob URIs
A Blob URI (also known as a Blob URL or an Object URL) is used by browsers to represent binary data or file-like objects (called Blobs) that are temporarily held in the browser’s memory.
Blob URIs allow web developers to work with binary data like images, videos, or files directly within the browser, without having to send or retrieve it from an external server.
Because Blob URIs don’t load data from external URLs, traditional URL filtering and scanning tools may not initially recognize the content as malicious.
Attackers create phishing pages using Blob URIs in the hope of making it harder for detection systems to identify and block malicious content.
The first example of a phishing attack using Blob URIs seen by Barracuda’s threat analysts attempted to impersonate Capital One, inviting the user to click ‘Review Your Account.’ This redirects them to an intermediate phishing page, which creates a Blob URI and quickly redirects the browser to the newly created link address.
Threat analysts have also noticed the Blob URI technique being used in phishing attacks impersonating Chase and Air Canada.
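Two defensive checks that follow from the description above, as an added Python example that is not part of the original post or of any Barracuda product: a static scan of page or script source for the chain the post describes (an HTML Blob, an object URL minted for it, and a navigation to it), and a helper for URL-filtering code that recognises the `blob:` scheme and recovers the only attributable part of such a URL, the origin of the page that created it. The sample scripts, the regular expressions and the verdict labels are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Static indicators as regular expressions over page or script source (assumed).
CREATE_OBJECT_URL = re.compile(r"URL\s*\.\s*createObjectURL\s*\(")
# A Blob whose MIME type is text/html is a document the browser will render.
HTML_BLOB = re.compile(r"new\s+Blob\s*\(.*?type\s*:\s*[\"'`]text/html[\"'`]", re.DOTALL)
# Navigation sinks that would move the tab to the object URL.
NAV_SINK = re.compile(
    r"\b(?:location\s*\.\s*(?:href|assign|replace)|window\s*\.\s*open|location\s*=)")


def analyse_script(source):
    """Classify a script by whether it builds an HTML Blob, mints an object URL
    for it, and navigates to it. Verdict labels are this example's own."""
    creates = bool(CREATE_OBJECT_URL.search(source))
    html_blob = bool(HTML_BLOB.search(source))
    navigates = bool(NAV_SINK.search(source))
    if creates and html_blob and navigates:
        verdict = "suspicious"
    elif creates and html_blob:
        verdict = "review"
    else:
        verdict = "benign"
    return {"creates_object_url": creates, "html_blob": html_blob,
            "navigates": navigates, "verdict": verdict}


def is_blob_url(url):
    """blob: URLs never reach the network, so a URL filter must not treat them
    as ordinary links it can fetch and scan."""
    return url.strip().lower().startswith("blob:")


def blob_url_origin(url):
    """The only attributable part of a blob: URL is the origin of the page that
    created it, e.g. blob:https://example.com/<uuid> -> https://example.com.
    Returns None for opaque origins (blob:null/...) and for non-blob URLs."""
    if not is_blob_url(url):
        return None
    parts = urlsplit(url.strip()[len("blob:"):])
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


# Constructed samples (not captured from the campaigns the post describes).
# A legitimate use: exporting a CSV the user downloads.
BENIGN_EXPORT = """
  const csv = new Blob([rows.join("\\n")], { type: "text/csv" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(csv);
  a.download = "report.csv";
  a.click();
"""

# The shape the post describes: an HTML Blob, an object URL, and a redirect to it.
SUSPICIOUS_REDIRECT = """
  const page = new Blob([decoded], { type: "text/html" });
  const target = URL.createObjectURL(page);
  setTimeout(() => location.replace(target), 50);
"""

if __name__ == "__main__":
    print("export script:", analyse_script(BENIGN_EXPORT)["verdict"])
    print("redirect script:", analyse_script(SUSPICIOUS_REDIRECT)["verdict"])
    print("origin:", blob_url_origin("blob:https://example.com/uuid-placeholder"))
```

The static scan is deliberately narrow: `createObjectURL` on its own is common in legitimate pages (downloads, image previews), so only the combination with an HTML-typed Blob and a navigation sink is rated suspicious, and the in-between case is queued for review. Because the blob: URL itself expires with the page and cannot be fetched later, the recovered origin of the intermediate page is the value worth logging and blocking.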
Conclusion
Evasive phishing techniques have advanced significantly, and they present a growing threat to organizations. Cyberattackers constantly refine their methods to circumvent traditional security measures. As phishing attacks become more sophisticated, it is essential to implement multilayered defense strategies and foster a strong security culture.
Megharaj Balaraddi, Associate Threat Analyst at Barracuda also contributed to the research for this blog post.