Though the rapid development and spread of Information and Communication Technology (ICT) making people's life much more easier, on the other hand it causing some serious threats to the society. Phishing is one of the most common cyber threat, that most users falls in. This research investigate on QR code based phishing attacks which is a newly adopted intrusive method and how to enhance the awareness and avoidance behavior of QR based phishing attacks through the user centric security education approaches using game based learning.
The penetration of the Internet and smartphones has enable ample of opportunities, where its' users can shop, communicate, do payments, etc... with few clicks or taps [1]. That makes smartphones and the internet are essential parts of everyday life. With more and more people using internet and smartphones, intruders are trying to target these audience with malicious intents.
Social engineering techniques along with phishing is one of the most recurrent cyber threat, that people can easily falls in [2]. Phishing is considered as a semantic attack and commonly interpreted as online identity theft [3]. Masquerading as a trustworthy entity in order to capture sensitive data of a particular user is not a new phenomena. Scam emails which directs users to fraudulent website is the commonly used approach for phishing. But that has come to a new dimension along with the new developments in IT world. Phishing attacks based on QR(Quick Response) codes is the most recent oxygenating factor for the attackers.
QR code was originated in Japan [4] originally to track the automotive components in the industry. But with the popularity it among various industries, make a rapid development for the original QR code and now it can hold link, plain text, SMS text message, addresses, URLs, Geolocation, email, phone numbers or contact information. High information density and robustness makes 2-dimensional barcodes known as QR Codes, a popular choice among various industries that appear in more places in the urban environment for various purposes over traditional bar codes. Marketing and online-payments [5] are 2 most common industries which uses QR codes heavily. URL encoding to make information instantly available is the most common use case among these industries. QR Codes can be described as paper-based hyperlinks, which directs users to websites. Since it provides a way to access a brand’s website more quickly than by manually entering a URL, according to the e marketers and google trends [6], [7] this been adopted over millions of smartphone users. QR codes also allows marketers to target their desired groups on specific locations.
Though the properties of QR code makes marketers life much easier and effective, on other hand security vulnerabilities exist itself in code and in its’ readers yields QR codes to be used as a novel tool for phishing attacks.
The fundamental misbelief of the smartphone users, that the smartphone is safer than a typical PC is a recipe for disaster. Due to this misbelief and for convenience and ease of use, users and even developers have overlooked many of the lessons learned from the past relate to phishing [8]. Thompson and Lee in their study highlighted that users make different insecure choices when the context of the situation changes, if user have to make a decision as part of the solution for a security weakness. Further they have shown that since QR codes are often embedded in physical objects such as posters, billboards, that increase users’ perception of safety as they feel that they are sort of real and tangible thing instead of an untrusted website link. This leads users are more vulnerable to QR based phishing attacks than the traditional phishing methods.
Several studies have shown that QR codes can be used as an attack vector for many security threats. Keiseberg et al have conducted a proof of concept phishing attack using QR code. Further in their study they have shown dangers of possible attacks utilizing manipulated QR codes and highlighted that proper input sanitization is need to be performed prior to processing the contained data [9]. Amin et al in their study of malicious QR codes in wild state that they have found about 150 malicious QR codes that were designed to direct victims to phishing sites or direct users to either exploit or intermediate sites. Spoofed versions of password-protected websites, fake versions of the Google Play app market, malware distributed via direct download links were the common threats [10]. Though the number is quite less the consequences and impact can’t be simply ignored.
Vidas et al. carried out two experiments to understand the impact of QR based phishing which they have named as QRshing in the city of Pittsburgh. In QRishing experiment they found that curiosity is the main motivation for smartphone users to scan a code [11]. A similar experiment was also conducted by Seeburger et al [12]. Along with those 2 experiments and Adrian and Katharina in their QR Inception: Barcode-in-Barcode Attacks [13] research, highlight the need for further research on adequate tools to support the smartphone user to detect potential threats in QR codes. Research also highlighted that most QR code readers do not provide feasible tools to automatically detect malicious intents embedded in QR codes .
Keiseberg et al in their QR Code Security: A Survey of Attacks and Challenges for Usable Security research, defined specific requirements which required to devel
This content is AI-processed based on open access ArXiv data.
