ALFA: A Safe-by-Design Approach to Mitigate Quishing Attacks Launched via Fancy QR Codes
Muhammad Wahid Akram, Keshav Sood, Muneeb Ul Hassan, Dhananjay Thiruvady
TL;DR
The paper tackles Quishing attacks that exploit fancy QR codes by presenting ALFA, a safe-by-design framework that analyzes QR structure rather than accessing post-scan payloads. It converts fancy QR codes into a binary replica, uses FAST to correct mislabeled modules, and extracts 24 structural features to feed a pre-trained classifier, enabling on-device legitimacy prediction. On a synthetic dataset, ALFA achieves a very low false-negative rate of $0.06\%$, and a mobile app demonstration indicates favorable accuracy and latency compared with real-world QR readers. The approach offers a practical, privacy-preserving defense that can be integrated with existing QR scanning workflows to mitigate Quishing without exposing user data.
Abstract
Phishing with Quick Response (QR) codes is termed as Quishing. The attackers exploit this method to manipulate individuals into revealing their confidential data. Recently, we see the colorful and fancy representations of QR codes, the 2D matrix of QR codes which does not reflect a typical mixture of black-white modules anymore. Instead, they become more tempting as an attack vector for adversaries which can evade the state-of-the-art deep learning visual-based and other prevailing countermeasures. We introduce "ALFA", a safe-by-design approach, to mitigate Quishing and prevent everyone from accessing the post-scan harmful payload of fancy QR codes. Our method first converts a fancy QR code into the replica of binary grid and then identify the erroneous representation of modules in that grid. Following that, we present "FAST" method which can conveniently recover erroneous modules from that binary grid. Afterwards, using this binary grid, our solution extracts the structural features of fancy QR code and predicts its legitimacy using a pre-trained model. The effectiveness of our proposal is demonstrated by the experimental evaluation on a synthetic dataset (containing diverse variations of fancy QR codes) and achieve a FNR of 0.06% only. We also develop the mobile app to test the practical feasibility of our solution and provide a performance comparison of the app with the real-world QR readers. This comparison further highlights the classification reliability and detection accuracy of this solution in real-world environments.
