Today a friend told me about a phishing attempt he almost got caught in. He got an email with a link and a QR code along with the message "if the domain doesn't work, please scan the QR code". Of course this domain wasn't even registered, so he took his phone and scanned it, reaching the phishing site.<p>This attack is so dangerous because it bypasses all security and email scanners on the server and tells us to scan the QR code with the address of the hacker's site, and most browsers on the phone even hide the URL.<p>Now the question arises: how to protect against this? Add a QR code scanner to the mail servers?
Because you won't see the URL prior to the page opening, the only way to protect against this kind of thing is a browser add-on that warns against phishing sites. No kind of filter on the QR reader is going to know if the sticker is fake or not.
You didn't mention the make of the phone, but here [1] is how to disable automatic QR code scanning on a Samsung. Here [2] are more generic options.<p>Some things that could be done to reduce risk, <i>depending on how much friction one is open to</i>, would be:<p>- Do not open emails from anyone you do not know, no matter how official or interesting the email title is. <i>low friction</i><p>- Alternately, open the email later on a locked-down and hardened PC using Thunderbird with remote HTML/JavaScript disabled, and then scan links in VirusTotal [3] and urlscan [4], accepting that these sites will not catch everything.<p>- Disable JavaScript in the mobile browsers and only enable it for sites one has a binding contract with and/or knows where the site operators sit. Firefox + uBlock are a decent browser and add-on for this. In uBlock settings -> Filter settings -> enable all 3 Malware lists. <i>one-time high friction per trusted site, or adding sites to uBlock to trust</i><p>- Disable automatic QR code scanning. Method varies by browser. <i>medium friction</i><p>- Block attachments in email, <i>per account, or site-wide if one hosts their own server</i>. <i>high friction</i><p>- If the email server supports this, convert or strip MIME-encoded content to plain text server-side. This applies to people hosting their own mail server. <i>low friction for a postmaster</i> [5]<p>[1] - <a href="https://www.youtube.com/watch?v=LxdoC2sG1i4" rel="nofollow">https://www.youtube.com/watch?v=LxdoC2sG1i4</a> [video]<p>[2] - <a href="https://www.qr-code-generator.com/guides/scan-qr-code-android/" rel="nofollow">https://www.qr-code-generator.com/guides/scan-qr-code-androi...</a><p>[3] - <a href="https://www.virustotal.com/old-browsers/" rel="nofollow">https://www.virustotal.com/old-browsers/</a><p>[4] - <a href="https://urlscan.io/" rel="nofollow">https://urlscan.io/</a><p>[5] - <a href="https://mimedefang.org/documentation/" rel="nofollow">https://mimedefang.org/documentation/</a>
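The server-side option in the comment above (a MIME filter in front of the mailbox, the kind of thing a MIMEDefang filter hook would run) can be sketched with the Python standard library alone. This is an added example, not code from the thread, MIMEDefang or any of the linked tools: it walks a message's MIME tree, collects every URL from text parts for a reputation check, flags links whose visible text shows a different host than the href points to (the "domain that doesn't work" trick in the original post), and lists every image part, inline or attached, as a QR candidate. Decoding the QR itself needs an external decoder and is deliberately left to the caller; the script only produces the work list. The message, hosts and the 1x1 PNG standing in for the QR image are constructed for the example.

```python
"""Triage an inbound message for QR phishing ("quishing") vectors.

Added example using only the standard library. Produces a work list:
URLs to reputation-check, links whose shown text and href disagree on
host, and image parts a QR decoder should look at. QR decoding itself is
not done here (it needs an external decoder such as the zbar tools).
"""
import hashlib
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Stops at whitespace, quotes, angle brackets and ')' so hrefs and link text are cut cleanly.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp", "image/bmp"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and <img src> values from an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []      # each entry is [href, accumulated visible text]
        self.img_srcs = []
        self._open = None    # the <a> currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]
            self.links.append(self._open)
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage(raw):
    """Walk the MIME tree and return URLs, host-mismatched links and QR-candidate images."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, suspicious, images = set(), [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
        elif ctype == "text/html":
            html = part.get_content()
            urls.update(URL_RE.findall(html))
            lc = _LinkCollector()
            lc.feed(html)
            for href, text in lc.links:
                urls.add(href)
                # Link text that is itself a URL but names a different host than the href.
                shown = URL_RE.search(text)
                shown_host = host_of(shown.group(0)) if shown else ""
                if shown_host and shown_host != host_of(href):
                    suspicious.append({"href": href, "shown": shown_host})
            # Base64 images embedded straight in the HTML never appear as a MIME part.
            for src in lc.img_srcs:
                if src.startswith("data:image/"):
                    images.append({"where": "inline-data", "type": src.split(";")[0][5:],
                                   "bytes": len(src), "sha256": hashlib.sha256(src.encode()).hexdigest()})
        elif ctype in IMAGE_TYPES:
            payload = part.get_payload(decode=True) or b""
            images.append({
                "where": str(part.get("Content-ID") or part.get_filename() or "unnamed"),
                "type": ctype,
                "bytes": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
    return {"urls": sorted(urls), "suspicious_links": suspicious, "qr_candidates": images}


# Constructed sample modelled on the message in the post: link text showing one host,
# href pointing at another, and an inline PNG (a 1x1 placeholder) where the QR code would be.
# All hosts are hypothetical.
SAMPLE = b"""\
From: it-helpdesk@example.com
To: someone@example.net
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Open <a href="https://login.example-secure.invalid/reset">https://portal.example.com/reset</a>.
If the domain doesn't work, please scan the QR code.</p>
<img src="cid:qr@example">
</body></html>
--b1
Content-Type: image/png
Content-ID: <qr@example>
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--b1--
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

In a real filter the `urls` list would be fed to whatever reputation service is in use and each entry in `qr_candidates` handed to a QR decoder, with the decoded URL going through the same check; a message whose only image is a QR code and whose link text and href disagree on host is exactly the pattern described in the post.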
&gt;and most browsers on the phone even hide the URL<p>I've never seen (on any of my iPhones) the URL behind a QR code hidden, nor is it hidden once loaded in the mobile browser.<p>What browser(s) exhibit that behavior?
Ask for a paper menu or, <i>gasp</i>, talk to the waitress a bit and keep it simple, since often you won't need one if you know a bit about lunch.<p>(Also, try not to be insufferable to whoever presents you with something so poorly designed, but I think if you don't at least clearly print the URL, folks may assume it's a scam and look more intently than they would if you were open and transparent.)