Table of Contents
Fetching ...

Detecting Quishing Attacks with Machine Learning Techniques Through QR Code Analysis

Fouad Trad, Ali Chehab

TL;DR

This paper tackles quishing, a QR code–based phishing threat that can bypass URL-centric defenses. It develops a QR-centric ML framework that detects phishing by analyzing QR code structure and pixel patterns without extracting embedded content, and validates it on a labeled QR-code dataset. The study reports that XGBoost achieves an AUC of 0.9106 (0.9133 after feature pruning) and that feature importance analysis reveals a small, highly informative pixel subset, enabling effective feature selection. These findings establish direct QR analysis as a proactive layer in phishing defenses and provide a public dataset to spur further research.

Abstract

The rise of QR code based phishing ("Quishing") poses a growing cybersecurity threat, as attackers increasingly exploit QR codes to bypass traditional phishing defenses. Existing detection methods predominantly focus on URL analysis, which requires the extraction of the QR code payload, and may inadvertently expose users to malicious content. Moreover, QR codes can encode various types of data beyond URLs, such as Wi-Fi credentials and payment information, making URL-based detection insufficient for broader security concerns. To address these gaps, we propose the first framework for quishing detection that directly analyzes QR code structure and pixel patterns without extracting the embedded content. We generated a dataset of phishing and benign QR codes and we used it to train and evaluate multiple machine learning models, including Logistic Regression, Decision Trees, Random Forest, Naive Bayes, LightGBM, and XGBoost. Our best-performing model (XGBoost) achieves an AUC of 0.9106, demonstrating the feasibility of QR-centric detection. Through feature importance analysis, we identify key visual indicators of malicious intent and refine our feature set by removing non-informative pixels, improving performance to an AUC of 0.9133 with a reduced feature space. Our findings reveal that the structural features of QR code correlate strongly with phishing risk. This work establishes a foundation for quishing mitigation and highlights the potential of direct QR analysis as a critical layer in modern phishing defenses.

Detecting Quishing Attacks with Machine Learning Techniques Through QR Code Analysis

TL;DR

This paper tackles quishing, a QR code–based phishing threat that can bypass URL-centric defenses. It develops a QR-centric ML framework that detects phishing by analyzing QR code structure and pixel patterns without extracting embedded content, and validates it on a labeled QR-code dataset. The study reports that XGBoost achieves an AUC of 0.9106 (0.9133 after feature pruning) and that feature importance analysis reveals a small, highly informative pixel subset, enabling effective feature selection. These findings establish direct QR analysis as a proactive layer in phishing defenses and provide a public dataset to spur further research.

Abstract

The rise of QR code based phishing ("Quishing") poses a growing cybersecurity threat, as attackers increasingly exploit QR codes to bypass traditional phishing defenses. Existing detection methods predominantly focus on URL analysis, which requires the extraction of the QR code payload, and may inadvertently expose users to malicious content. Moreover, QR codes can encode various types of data beyond URLs, such as Wi-Fi credentials and payment information, making URL-based detection insufficient for broader security concerns. To address these gaps, we propose the first framework for quishing detection that directly analyzes QR code structure and pixel patterns without extracting the embedded content. We generated a dataset of phishing and benign QR codes and we used it to train and evaluate multiple machine learning models, including Logistic Regression, Decision Trees, Random Forest, Naive Bayes, LightGBM, and XGBoost. Our best-performing model (XGBoost) achieves an AUC of 0.9106, demonstrating the feasibility of QR-centric detection. Through feature importance analysis, we identify key visual indicators of malicious intent and refine our feature set by removing non-informative pixels, improving performance to an AUC of 0.9133 with a reduced feature space. Our findings reveal that the structural features of QR code correlate strongly with phishing risk. This work establishes a foundation for quishing mitigation and highlights the potential of direct QR analysis as a critical layer in modern phishing defenses.
Paper Structure (11 sections, 5 figures, 3 tables)

This paper contains 11 sections, 5 figures, 3 tables.

Figures (5)

  • Figure 1: Ten samples of the generated QRCodes
  • Figure 2: Feature Importance of the top 3 models
  • Figure 3: Features taken into account when using XGBoost
  • Figure 4: Features not taken into account when using XGBoost
  • Figure 5: Feature Importance distribution