INKY warns of new QR code phishing tactic using embedded JavaScript

A new report out today from cybersecurity company INKY Technology Corp. is sounding the alarm over a new wave of phishing threats that use QR codes in increasingly dangerous and deceptive ways, including leveraging embedded JavaScript payloads that execute instantly upon scanning, with no link clicks required.

QR code-based phishing, or “quishing,” is not new. INKY itself warned about its growing prominence back in 2023, but forward two years and INKY says that attackers are now going a step further by embedding raw HTML and JavaScript into QR codes using data uniform resource identifiers.

The new quishing methodology differs from traditional QR threats that redirect users to malicious websites and instead include payloads that execute entirely within the browser, hijacking login pages, capturing keystrokes and even launching exploits as soon as a user scans the code. Often, users don’t even need an active internet connection if the payload is self-contained.

The new technique sees attackers embed base64-encoded HTML in the QR code itself. When scanned by a mobile camera or QR scanning app, the code is automatically opened in the system browser and executed.

Once the QR code has been scanned and has become active, malicious JavaScript can then simulate login portals, exfiltrate data via hidden forms and fingerprint devices for further exploitation. The QR codes also evade standard email security tools, proxies and threat intelligence systems, as the payload is embedded in the code and never touches an external URL, at least when initially executed.

The report highlights the open-source Backdooms project, an HTML5 implementation of the computer game “Doom” that can be fully embedded in a QR code, as an example that demonstrates how advanced compression and encoding techniques can turn QR codes into executable delivery systems. INKY warns that threat actors are already using similar methods to hide malware and evade detection.

With the methodology used likely to grow in prominence, INKY recommends that organizations should train users to avoid scanning unsolicited QR codes, disable automatic browser opening in QR scanning apps, and report suspicious emails to security teams.

Image: SiliconANGLE/Reve

Enjoy the perfect blend of retro charm and modern convenience with the Udreamer Vinyl Record Player. With 9,041 ratings, a 4.3/5-star average, and 400+ units sold in the past month, this player is a fan favorite, available now for just $39.99.

The record player features built-in stereo speakers that deliver retro-style sound while also offering modern functionality. Pair it with your phone via Bluetooth to wirelessly listen to your favorite tracks. Udreamer also provides 24-hour one-on-one service for customer support, ensuring your satisfaction.

Don’t miss out—get yours today for only $39.99 at Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!