Exemplifying Emerging Phishing: QR-based Browser-in-The-Browser (BiTB) Attack

Muhammad Wahid Akram, Keshav Sood, Muneeb Ul Hassan, Basant Subba

TL;DR

The paper addresses a rising phishing threat by combining Quishing with Browser-in-The-Browser (BiTB) via dynamic QR codes and Gemini-LLM-generated prompts. It provides a proof-of-concept that demonstrates end-to-end attack execution, including a case study where a malicious QR code leads victims to a BiTB-enabled phishing page that harvests credentials and stores them in MongoDB Atlas. The work highlights how LLMs can enhance social engineering in real-time and emphasizes the need for defenses to counter such evolving threats. It also discusses practical limitations and future directions to improve defense frameworks against QR-based BiTB phishing in real-world settings.

Abstract

Lately, cybercriminals constantly formulate productive approaches to exploit individuals. This article exemplifies an innovative attack, namely QR-based Browser-in-The-Browser (BiTB), using the proficiencies of a Large Language Model (LLM), i.e., Google Gemini. The presented attack is a fusion of two emerging attacks: BiTB and Quishing (QR code phishing). Our study underscores the attack's simplistic implementation utilizing malicious prompts provided to Gemini-LLM. Moreover, we presented a case study to highlight a lucrative attack method; we also performed an experiment to comprehend the attack execution on victims' devices. The findings of this work obligate the researchers' contributions in confronting this type of phishing attempt through LLMs.

Paper Structure

This paper contains 19 sections, 7 figures, 2 algorithms.

Figures (7)

  • Figure 1: QRFY results upon scanning dynamic QR code.
  • Figure 2: The point-by-point flow of QR-based BiTB attack.
  • Figure 3: Detailed architecture of attack implementation setup.
  • Figure 4: MongoDB Atlas Setup.
  • Figure 5: (a) QR Code Scanner output, (b) Automated Browser, and (c) Victims' Browser.
  • ...and 2 more figures