How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography

Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them.


Quishing, a term that combines “QR” and “phishing,” is a phishing technique that has become a popular weapon for cybercriminals in 2023.

By concealing malicious links within QR codes, attackers can evade traditional spam filters, which are primarily geared towards identifying text-based phishing attempts. The inability of many security tools to decipher the content of QR codes further makes this method a go-to choice for cybercriminals.

An email containing a QR code with a malicious link

Analyzing a QR code with an embedded malicious link in a safe environment is easy with ANY.RUN:

  1. Simply open this task in the sandbox (or upload your file with a QR code).
  2. Navigate to the Static Discovering section (by clicking on the name of the file in the top right corner).
  3. Select the object containing the QR code.
  4. Click “Submit to Analyze.”

The sandbox will then automatically launch a new task window, allowing you to analyze the URL identified within the QR code.

CAPTCHA-based attacks

CAPTCHA is a security solution used on websites to prevent automated bots from creating fake accounts or submitting spam. Attackers have managed to exploit this tool to their advantage.

A phishing attack CAPTCHA page shown in the ANY.RUN sandbox

Attackers are increasingly using CAPTCHAs to mask credential-harvesting forms on fake websites. By generating hundreds of domain names using a Randomized Domain Generation Algorithm (RDGA) and implementing Cloudflare’s CAPTCHAs, they can effectively hide these forms from automated security systems, such as web crawlers, which are unable to bypass the CAPTCHAs.

A fake Halliburton login page

The example above shows an attack targeting Halliburton Corporation employees. It first requires the user to pass a CAPTCHA check and then uses a realistic Office 365 private login page that is difficult to distinguish from the real page.

Once the victim enters their login credentials, they are redirected to a legitimate website, while the attackers exfiltrate the credentials to their Command-and-Control server.

Learn more about CAPTCHA attacks in this article.

Steganography malware campaigns

Steganography is the practice of hiding data inside different media, such as images, videos, or other files.

A typical phishing attack that employs steganography begins with a carefully crafted email designed to appear legitimate. Embedded within the email is an attachment, often a Word document, accompanied by a link to a file-sharing platform like Dropbox. In the example below, you can see a fake email from a Colombian government organization.

A phishing email is typically the first stage of an attack

The unsuspecting user that clicks the link inside the document downloads an archive, which contains a VBS script file. Upon execution, the script retrieves an image file, seemingly harmless but containing hidden malicious code. Once executed, the malware infects the victim’s system.

To understand how steganography attacks are carried out and detected, check out this article.

Expose phishing attacks with ANY.RUN

ANY.RUN is a malware analysis sandbox that is capable of detecting a wide range of phishing tactics and letting users examine them in detail.


The sandbox offers:

  • Fully interactive Windows 7, 9, 10, 11 virtual machines
  • Comprehensive reports with IOCs and malware configs
  • Private analysis of an unlimited number of files and links
