QR Code Hacking - I Placed 'Malicious' QR Codes Around My Local Area - Here's Who I Caught.

All right, welcome to my dumb experiment. In this experiment I set up quote-unquote malicious QR codes to see how many people would scan these codes. Over the course of 5 days I got a total of 16 people, not that many people. These codes redirected to a website, debu do. win, informing individuals that they got debu do, as you can see on my shirt, and really just reviewing the dangers of QR code scanning, well, things that you don't know you're scanning. So in this video let me tell you how I set up this experiment, how many scans I got per day, and maybe more of an advanced attack called QRLJacking in a demo that I'm going to do.

So let's start from the beginning. I just learned what quishing was: it's literally QR code phishing. Threat actors can create QR codes and then use them to either bypass email filters on phishing emails, impersonate brands by redirecting users to their particular phishing pages, or even hijack user account sessions using QRL codes. QR codes are all around us, especially since COVID. We've seen restaurants use them, stores, TV commercials, and many more venues. Knowing all this, I thought to myself, how could I test the effectiveness of quishing myself? Well, by posting flyers all around my local area to see who I would exactly catch, and this is exactly what I did.

To make this experiment effective I had to do three things: I had to generate a QR code, I had to create a static website that redirects users, and I had to print some paper flyers.

I started with the website. Using a previously registered domain, dewin, I decided to set up a free Cloudflare Pages website using GitHub to serve my static HTML page. For the web page I included the infamous deoda logo as well as a small message informing users on the dangers of scanning random QR codes.

Next was the paper flyers, or quote-unquote lures. I decided to create three different types of paper flyers. One was a blank page with a little "scan me" code. The second was a free lottery ticket impersonating my local state's lottery ticket organization; this is rather dumb and obvious. And then, I'm kind of proud of myself on this one, you had a free car wash with a popular car wash service around my local area. With these paper flyers I had to proceed with caution. I didn't want to get in trouble impersonating these brands' logos or their names, so I made sure to modify their logos or even just use their color schemes. I also realized when I was creating these paper flyers that this was kind of a mean thing to do. Like, you know, you're getting a free car wash or a free lottery ticket, you scan, and then it's just debah. Like, who wants that? And so I was contemplating whether I should even create this video, because I don't want to come off as being some sort of jerk, but I decided to proceed forward with it as more of an awareness campaign, of realizing that you always need to be aware of this attack vector. Now you also may be thinking here, "Grant, your OPSEC, you just literally gave up your state's location, like, you know, regional car wash," and my response is: I'm one Google search away from seeing my general location, so I just decided to proceed forward.

To transition to the final thing I needed, it was a QR code. During my research I learned that there are two types of QR codes: dynamic and static. As the name suggests, a static QR code is just going to redirect you to a website. A dynamic QR code can be changed so that it will redirect you to various websites even if you're using the same QR code. When you scan a QR code on your phone, the URL will typically pop up on your phone's camera to show where it's going. This is good, but I realized that this was going to be an issue deceiving people on my end, because my domain is dwin, not free car wash. So I decided to sign up for a service called QR Code Generator by Bitly, so that when generating these QR codes it starts with redirecting you to a website called QR code. de, and then with this it will actually redirect you to dwin. This makes it look like something that's more generic rather than an obvious domain name, and in addition this allowed me to track how many people scanned the QR code. Now, this means they did have to click on that particular link; it wasn't just scanning and then not doing anything.

After laying the foundations of my experiment, it was time to put up these flyers around my local area. So I printed the flyers. I looked like a lunatic as I was going around with tape and flyer papers on my daily run. People probably were looking at me like, "Why is this kid doing this stuff?" and to that I say, yes. So I tried not to look conspicuous, but you know, this was during rush hour traffic; I'm sure people were looking at me as being an idiot. I attempted to place the flyers around high-traffic areas with pedestrians, so I hung them up on trails and stop lights where pedestrians maybe are exercising, running, riding bikes, and I made sure to put three of each of the flyers out there. And that was it. I laid the foundations; it was waiting time.

So over the course of 5 days, like I said, 16 people. So let's just see what the results actually look like. All right, so up on QR Code Generator, I signed up for the free 14-day trial and I was able to go ahead and get this QR code. As you can see, it has 16 total scans; de. win is where it redirects. If we drill into the details, it gives you a little bit more information on who scanned, which devices were scanned, and the timeline. So it appears that April 25th, during my 5-day experiment, had the most with 10 total scans, and you can see the scans by top cities, and here they are. I don't think that that's very accurate. And this is basically what you get with a dynamic QR code. So, very anticlimactic results here.

Now, during my research of quishing I stumbled upon a more advanced attack that actually hijacks a user's session and allows an attacker to take control over that user account. This attack is called QRLJacking. If you are a user of popular applications such as Discord (it's the one that comes to mind for me), you may have noticed that some websites and applications give you an option to sign in with a QR code. Now, this QR code is nothing more than just a session token, so QRLJacking takes advantage of this process by performing a session hijack with that login with the QR code, so that the attacker is able to take control over that user's account.

While I was conducting my research and just looking into how QRLJacking works, I stumbled upon an open source project called Evil QR by Kuba Gretzky, the creator and founder of Evilginx 2. Okay, so up on the GitHub page of Evil QR, like I said, this was the author of Evilginx, so this is a high-quality tool. It was released July of 2023, so relatively new. Now, going through these instructions, you can see that here are the following websites that are supported. I proceeded to go through these instructions, and one of the steps is to actually have you download and install a browser extension for Google Chrome. After following the instructions on GitHub, you will basically run a small little web server that's going to impersonate the attacker domain, so right now I'm just using my local address here.

Switching over to Google Chrome, I have a few tabs open. One is the page for wherever you're trying to sign in, so for example I'm using Telegram here. This is how you can sign in with a QR code, and if we go ahead and just refresh, this new QR code will pop up, and you're going to see this icon on the top right, and this is Evil QR. If you click this, it's going to basically capture this specific QR code sign-in and it's going to upload this to a phishing website. Now, like I said, in my case it's going to be my local address, and it appears that since the release of this particular tool it hasn't had much support. So up on the screen here is what the phishing website should look like, so it actually dynamically changes the colors, the color scheme, but for some reason I could not figure out how to render that particular phishing website. It does appear other users also have had issues. If we actually take a look at the content here, you're going to see that this is an image, and so what I've done is basically copied all of this content here, this base64-encoded content, and if you go to a base64 image decoder we can see that this is the particular QR code that has been captured.

Now, these QR codes are typically only valid for 30 seconds or only a certain amount of time, so really the attack scope is pretty limited here, and you would have to basically get a user to sign in with their phone on this particular QR code in order for you to control their account. And so the complexity or relative ease is pretty high, but it is an attack vector nonetheless.

So overall, quishing, QRL hijacking, these are interesting attack vectors. I think that the severity of quishing in particular is limited, as most users scanning QR codes are probably just going to go to a restaurant menu, but if they are entering their credentials into a phishing page, that's just another way that attackers can gather credentials. So, another debah experiment in the books. There are debah shirts available if you want those, I don't know, and, well, until the next day, have a good day. You know what that means.
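
The redirect chain described in the video (a generic shortener host in the camera preview, then the real destination) can be checked before a link is opened. The sketch below is an added example, not part of the video or its transcript; every host name, the redirect table and the redirector list are constructed placeholders so it runs offline.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for live HTTP 301/302 responses.
REDIRECTS = {
    "https://short.example/a1b2": "https://landing.example/",
    "https://short.example/ok": "https://www.carwash.example/promo",
    "https://short.example/loop": "https://short.example/loop",
}
# Assumed local list of shortener / dynamic-QR redirector hosts.
KNOWN_REDIRECTORS = {"short.example"}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def resolve_chain(url, redirects=REDIRECTS, max_hops=5):
    """Follow redirects hop by hop; stop on a loop or after max_hops."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:  # redirect loop
            break
        chain.append(nxt)
    return chain

def same_site(h, expected):
    # Exact match or true subdomain; "carwash.example.evil.example" fails.
    return h == expected or h.endswith("." + expected)

def assess_qr_url(url, expected_domain):
    """Return (verdict, final_host, reasons) for a URL decoded from a QR code."""
    reasons = []
    if urlsplit(url).scheme != "https":
        reasons.append("not https")
    chain = resolve_chain(url)
    first, final = host(chain[0]), host(chain[-1])
    if first in KNOWN_REDIRECTORS:
        reasons.append(f"preview host {first} is a redirector and hides the destination")
    if first != final:
        reasons.append(f"redirects to {final}")
    if not same_site(final, expected_domain):
        reasons.append(f"final host {final} is not {expected_domain}")
        return "block", final, reasons
    return ("warn" if reasons else "allow"), final, reasons

if __name__ == "__main__":
    for u in ("https://short.example/a1b2", "https://short.example/ok",
              "https://carwash.example/promo"):
        print(u, assess_qr_url(u, "carwash.example"))
```

In a real deployment the redirect table would be replaced by HEAD requests made from an isolated resolver, not from the user's device.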
