QR Code Hacking - I Placed 'Malicious' QR Codes Around My Local Area - Here's Who I Caught.
- Published on 1 Jun 2024
- another dumb deeboodah experiment. www.deeboodah.com
⏰ Timestamps:
0:00 - Introduction
0:41 - Quishing Explained
1:12 - The Idea
1:25 - Implementing the Experiment
4:48 - Placing QR Codes
5:48 - The Results
6:34 - QRLJacking Explained
7:31 - Evil QR by Kuba Gretzky
10:06 - Conclusion + Deeboodah
🔗 Links (Sources):
- developers.cloudflare.com/pag...
- breakdev.org/evilqr-phishing/
- github.com/kgretzky/evilqr
🐕 Follow Me:
Twitter: / collinsinfosec
Instagram: / _collinsinfosec
Cybercademy Discord Server: / discord
🤔 Have questions, concerns, comments?:
Email me: grant@cybercademy.org
I remember doing the same thing just with USBs around my school
how did it go?
you just tell a half boom story.
That's another idea in the making currently 😀
@collinsinfosec make a "cats" folder in the usb and put lots of cats in it, this is a must have, I'd get a virus from a usb if I knew it had cat pictures on it XD
This, and malicious unsubscribe-links are two attack vectors that I'm surprised aren't utilized more than they currently are.
Damn I click on unsubscribe links indiscriminately...😬
You'd get tons of people if you put the QR code on tables outside of restaurants. So many restaurants use QR codes for ordering now, people just assume it's the menu.
I really liked this.
I did a deep-dive into QR codes a few years back for a project at work. Got to love them, made a product better and made the client happy.
This is all new to me, especially 'quishing' which sounds gross. You gave me new tools to play with, and renewed my interest in the mischief
I appreciate your style. I understand from whence it comes..
Really a great watch and thanks for the demonstration. It is really another attack vector that not everyone is fully aware of and most people do just scan these QR Codes in the wild, without thinking first. This creates further awareness, thanks.
On Sony PlayStation, they've made signing into the PSN a future default 2FA method in order to do things like change Privacy settings, or even read an updated EULA policy. It's become every company's business to find instances to compromise cross linked accounts more than any other thing I see. One account on Discord isn't good, but getting a Google ID or MS account that logs someone into many other profiles and devices might be more valuable
Don't feel bad, you are teaching people some safety, you are doing a service to protect them in the future.
You should have used different codes for each instance to track what got the most hits (lottery, car wash, etc.) to collect more efficient data
At least one of your QR codes should have redirected to Rick Astley's Never Gonna Give You Up.
Respect. 🎉❤
Liked and subbed.
Love this
I wouldn't even scan a restaurant qr code menu.
skill issue
0:46 didn't know you were a fellow mineman brother
I just downloaded Minecraft about a month ago after not playing for over 10 years, haha. It's a bad distraction.
This was a fun watch 😊
It is actually possible to hide .exe files in a QR code, although it is difficult, and some phones will actually execute such a file on scanning.
Were you able to see which posters got the most scans?
After getting home from putting the posters up, I realized I should have created three unique QR codes, one per poster. 🙃 Since I had already put them up, I decided to proceed forward. I also realized each poster would get a different amount of scans based on how much pedestrian traffic each had.
Those flyers look terrible
Over here we have to have permissions for QR codes. But it is free use if it is a poster for lost/found pet.
I actually think it's pretty funny that I'm stumbling across this video in my feed. I was thinking of doing the exact same thing in my area since there's a lot of truck stops in my area and because of that, it's a prime phishing hole
pretty much sums up what ordinary users might think of hackers in a nutshell
I really don't understand, when I scan a QR code, I can see the link in the scanner and then I can open the browser or not. I don't understand how QR codes are dangerous. They are just volume with some text data...
So I think the solution of testing this QR code in a sandbox is a good answer for this problem until QR codes are used more
Would've liked to hear more about whether the 16 people actually did anything that could've been exploited. imo, getting someone to tap 'browse to site' or whatever after scanning the qr code is relatively harmless. now if they enter valid credentials into your spoofed page, or downloaded a file of some type, that would be interesting. I didn't really see anything in the video that speaks to "who i caught" either.
what... you can hack someone's session by getting them to scan your QR code... oh dear, I often wonder if I have fallen victim to this.
Yeah but you would probably need to find some vuln in the site you're redirecting to
“Kid” 😂
The tool I used used a lot more sites than that. If the service uses QR codes at all, it can be hijacked. I didn't use it for random though. Only used on criminals.
This is not entirely true, QRLJacking can only happen if the user scans the barcode in the specific app you are trying to hack, for example if you wanted to jack someone's WhatsApp you'd have to get them to scan the barcode in the app under "Add a device" which would require a lot of smart social engineering. So really the only thing an attacker could do is try to phish you or if he found an XSS vulnerability (which is VERY rare in the big services) he could do more dangerous things
Don't ruin my QR code campaign you mufu! :D
Sucks how the QR code is only valid for a short amount of time
what?
hello fellow missourian
That is the same QR code btw, at 8:30
Because it changes after the rest of the page loads up hehe, did I make anyone look?
I'm lucky I am smart and use computers properly and don't scan random things.
I got more.
Hi
"Quishing" Ewwww
Old methods
beans cool
first haha
16 Scans in 5 days? You should come here. We've got lots of really dumb people.
Sir do you earn 150k dollars a year in USA? Plz reply. Thanks a lot.
I do not earn 150K a year in the USA. You can for sure!
@collinsinfosec 😂
@collinsinfosec 😂