Table of Contents
Fetching ...

ALFA: A Safe-by-Design Approach to Mitigate Quishing Attacks Launched via Fancy QR Codes

Muhammad Wahid Akram, Keshav Sood, Muneeb Ul Hassan, Dhananjay Thiruvady

TL;DR

The paper tackles Quishing attacks that exploit fancy QR codes by presenting ALFA, a safe-by-design framework that analyzes QR structure rather than accessing post-scan payloads. It converts fancy QR codes into a binary replica, uses FAST to correct mislabeled modules, and extracts 24 structural features to feed a pre-trained classifier, enabling on-device legitimacy prediction. On a synthetic dataset, ALFA achieves a very low false-negative rate of $0.06\%$, and a mobile app demonstration indicates favorable accuracy and latency compared with real-world QR readers. The approach offers a practical, privacy-preserving defense that can be integrated with existing QR scanning workflows to mitigate Quishing without exposing user data.

Abstract

Phishing with Quick Response (QR) codes is termed as Quishing. The attackers exploit this method to manipulate individuals into revealing their confidential data. Recently, we see the colorful and fancy representations of QR codes, the 2D matrix of QR codes which does not reflect a typical mixture of black-white modules anymore. Instead, they become more tempting as an attack vector for adversaries which can evade the state-of-the-art deep learning visual-based and other prevailing countermeasures. We introduce "ALFA", a safe-by-design approach, to mitigate Quishing and prevent everyone from accessing the post-scan harmful payload of fancy QR codes. Our method first converts a fancy QR code into the replica of binary grid and then identify the erroneous representation of modules in that grid. Following that, we present "FAST" method which can conveniently recover erroneous modules from that binary grid. Afterwards, using this binary grid, our solution extracts the structural features of fancy QR code and predicts its legitimacy using a pre-trained model. The effectiveness of our proposal is demonstrated by the experimental evaluation on a synthetic dataset (containing diverse variations of fancy QR codes) and achieve a FNR of 0.06% only. We also develop the mobile app to test the practical feasibility of our solution and provide a performance comparison of the app with the real-world QR readers. This comparison further highlights the classification reliability and detection accuracy of this solution in real-world environments.

ALFA: A Safe-by-Design Approach to Mitigate Quishing Attacks Launched via Fancy QR Codes

TL;DR

The paper tackles Quishing attacks that exploit fancy QR codes by presenting ALFA, a safe-by-design framework that analyzes QR structure rather than accessing post-scan payloads. It converts fancy QR codes into a binary replica, uses FAST to correct mislabeled modules, and extracts 24 structural features to feed a pre-trained classifier, enabling on-device legitimacy prediction. On a synthetic dataset, ALFA achieves a very low false-negative rate of , and a mobile app demonstration indicates favorable accuracy and latency compared with real-world QR readers. The approach offers a practical, privacy-preserving defense that can be integrated with existing QR scanning workflows to mitigate Quishing without exposing user data.

Abstract

Phishing with Quick Response (QR) codes is termed as Quishing. The attackers exploit this method to manipulate individuals into revealing their confidential data. Recently, we see the colorful and fancy representations of QR codes, the 2D matrix of QR codes which does not reflect a typical mixture of black-white modules anymore. Instead, they become more tempting as an attack vector for adversaries which can evade the state-of-the-art deep learning visual-based and other prevailing countermeasures. We introduce "ALFA", a safe-by-design approach, to mitigate Quishing and prevent everyone from accessing the post-scan harmful payload of fancy QR codes. Our method first converts a fancy QR code into the replica of binary grid and then identify the erroneous representation of modules in that grid. Following that, we present "FAST" method which can conveniently recover erroneous modules from that binary grid. Afterwards, using this binary grid, our solution extracts the structural features of fancy QR code and predicts its legitimacy using a pre-trained model. The effectiveness of our proposal is demonstrated by the experimental evaluation on a synthetic dataset (containing diverse variations of fancy QR codes) and achieve a FNR of 0.06% only. We also develop the mobile app to test the practical feasibility of our solution and provide a performance comparison of the app with the real-world QR readers. This comparison further highlights the classification reliability and detection accuracy of this solution in real-world environments.
Paper Structure (19 sections, 5 figures, 4 tables)

This paper contains 19 sections, 5 figures, 4 tables.

Figures (5)

  • Figure 1: Some examples of custom-shaped (fancy) QR codes. They reflect the unusual multi-color illustration of modules, having logos, background image/color.
  • Figure 2: Demonstration of differences between a fancy and black-white QR code. Green and black dots show the starting and ending points of reading format bits, respectively.
  • Figure 3: The proposed methodology is composed of series of 6 steps. Initiated from inputting and acquiring visual properties of fancy QR. Later, inversion operation is performed and then, an iteration of version 1 to 40 executed to form binary replica, through which, 24 structural features were extracted and fed into model for prediction.
  • Figure 4: The conversion from fancy code to binary replica and to black-white QR code is shown in (a) to (c). In (d), the actual black-white QR encoded with URL of fancy QR is also presented to visualize the erroneous mislabeled modules in the binary grid.
  • Figure 5: The identification of recoverable patterns from binary grid is shown in (a). While (b) to (e) highlight the correction of patterns after applying the FAST method.