Phishing mails with QR codes are attacking Japan
Many phishing mails rely on deceptive links.
For example, the phishing email below is a typical spoof: the <A href> tag in the HTML body makes the displayed URL look completely different from the link that is actually followed.
However, while sorting through phishing mails, I found a rather unusual example of link spoofing that does not fit this pattern.
Link with a QR code
QR codes are small square barcodes that are now commonly used in all sorts of situations. In particular, they are used to present URL links. Yes, a URL!
Above is a phishing mail for ETCカード (ETC Card), a card brand with many users and a favourite target of the phishing criminals attacking Japan (ref: ETC Card official website).
This phishing email had no links in the text at all. There is, yes, only one QR code.
Once you access the phishing site, your personal information, including credit card details, is stolen.
This phishing mail used the QR code as its tool of deception. Some researchers refer to this type of phishing as Quishing, but the term is not yet common[1].
Analysis
Phishing mails with QR codes have been sent to Japan continuously since late December 2022 and were still arriving as of January 5, 2023.
Here is another ETC Card sample:
And here is a Phishing mail sample with QR code of Amazon:
https://urlscan.io/result/a76cf218-f05c-42c3-85c7-17184027033f/
The source IP addresses of the e-mails were all AS4837 CHINA UNICOM.
Phishing emails targeting Japan are often sent from AS4837.
Chinese PHP Framework / ThinkPHP
The phishing site was built with ThinkPHP, a PHP framework commonly used in China.
https://github.com/top-think/framework
The phishing site was poorly built: debug mode was left enabled, so error messages in Chinese were visible to anyone who triggered an error.
Motivation to use QR codes
There are two possible motivations for using QR codes.
- To bypass spam filters
A URL encoded in a QR code is an image, not a text link, so security software that extracts and checks the links in a mail body does not see it. This makes it more likely that the mail reaches the user's mailbox.
- To make people less cautious
Many people think QR codes are just barcodes and harmless[2,3]. However, a QR code must be treated with the same suspicion as a link received by regular e-mail.
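The two patterns described on this page, the <A href> display trick from the first example and the QR-only body from the ETC Card mails, can both be caught at the mail gateway before a user ever scans anything. The following is an added example, not code from the original post; it uses only the Python standard library, and the two sample messages, their hostnames (attacker.example) and the cid: image reference are constructed for this example. It flags an anchor whose visible text names one host while its href goes to another, and a body that contains no link at all but does embed an image, which is the only way a QR-code mail can carry its URL.

```python
"""Flag link spoofing and QR-only bodies in an e-mail (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


class _AnchorImageParser(HTMLParser):
    """Collect (href, visible text) for every <a> and count <img> tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []          # list of (href, visible text)
        self.images = 0
        self._href = None          # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL-looking string, or None if it is not one."""
    if "://" not in value:
        value = "http://" + value
    try:
        host = urlparse(value).hostname
    except ValueError:             # e.g. stray '[' in the netloc
        return None
    host = (host or "").lower()
    return host if HOST_RE.match(host) else None


def analyse_html(html):
    """Return a list of human-readable findings for one HTML body."""
    parser = _AnchorImageParser()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, real = _host(text), _host(href)
        # The classic spoof: the text looks like a URL for brand X,
        # but the href points somewhere else entirely.
        if shown and real and shown != real:
            findings.append(
                f"anchor text shows {shown} but href goes to {real}")
    # No clickable link but an embedded picture: the URL may be in a QR code.
    if not parser.anchors and parser.images > 0:
        findings.append(
            f"no links but {parser.images} embedded image(s): "
            "possible QR-code lure")
    return findings


def analyse_message(raw):
    """Parse a raw RFC 5322 message and analyse every text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(analyse_html(part.get_content()))
    return findings


# Constructed sample messages (hostnames and cid are placeholders).
SAMPLE_SPOOFED = (
    "From: ETC Card <info@attacker.example>\n"
    "Subject: Please confirm your account\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<p>Please log in: "
    '<a href="https://www.attacker.example/login">'
    "https://www.amazon.co.jp/</a></p>\n"
)
SAMPLE_QR_ONLY = (
    "From: ETC Card <info@attacker.example>\n"
    "Subject: Your ETC Card is suspended\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<p>Scan the QR code to restore your card.</p>\n"
    '<img src="cid:qr.png" alt="QR">\n'
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("qr-only", SAMPLE_QR_ONLY)):
        print(name, analyse_message(raw))
```

The second rule is deliberately a heuristic: a newsletter made of images and no links would also trip it, so in practice it is a reason to route the image to a QR decoder and scan the URL it yields, not a reason to drop the mail outright.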
IoC
Mail Source IP address
60.23.119[.]226
123.188.39[.]179
175.150.106[.]221
175.150.107[.]1
175.165.181[.]168
175.175.220[.]103
Phishing Sites
hxxps://www[.]goin-etc-co-xcand[.]shop-zt[.]com[.]cn/
hxxps://www[.]goin-etc-co[.]peacha[.]com[.]cn/
hxxps://zjgswjys[.]com/jp
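To use the indicators above in a mail filter they first have to be refanged, and the sending IPs matched against the Received headers of incoming mail. The following is an added example, not part of the original post; the indicator lists are copied from the IoC section, while the Received chain in SAMPLE_MAIL is constructed for this example (the relay hostnames, the 192.0.2.10 address and the timestamps are made up; only 60.23.119.226 comes from the list above).

```python
"""Refang the IoCs from this post and match them against Received headers
(added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Indicators as listed in the IoC section (defanged).
IOC_SOURCE_IPS = [
    "60.23.119[.]226",
    "123.188.39[.]179",
    "175.150.106[.]221",
    "175.150.107[.]1",
    "175.165.181[.]168",
    "175.175.220[.]103",
]
IOC_PHISHING_URLS = [
    "hxxps://www[.]goin-etc-co-xcand[.]shop-zt[.]com[.]cn/",
    "hxxps://www[.]goin-etc-co[.]peacha[.]com[.]cn/",
    "hxxps://zjgswjys[.]com/jp",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator):
    """Turn a defanged indicator ([.] and hxxp(s)://) back into its real form."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def ioc_hosts():
    """Hostnames of the phishing sites, ready for a DNS or proxy blocklist."""
    return {urlparse(refang(url)).hostname for url in IOC_PHISHING_URLS}


def received_ips(raw):
    """All IPv4 addresses mentioned in the Received headers, top hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    ips = []
    for value in msg.get_all("Received", []):
        ips.extend(IPV4_RE.findall(str(value)))
    return ips


def matching_source_ips(raw):
    """Received-header IPs that appear in the sending-IP indicator list."""
    bad = {refang(ip) for ip in IOC_SOURCE_IPS}
    return [ip for ip in received_ips(raw) if ip in bad]


# Constructed sample message; only the 60.23.119.226 hop is from the IoC list.
SAMPLE_MAIL = (
    "Received: from mx.example.invalid ([192.0.2.10])\n"
    "\tby mail.example.invalid with ESMTP; Thu, 5 Jan 2023 09:12:01 +0900\n"
    "Received: from unknown (HELO smtp) ([60.23.119.226])\n"
    "\tby mx.example.invalid with SMTP; Thu, 5 Jan 2023 09:12:00 +0900\n"
    "From: ETC Card <info@example.invalid>\n"
    "Subject: Important notice\n"
    "\n"
    "(body omitted)\n"
)

if __name__ == "__main__":
    print("blocklist hosts:", sorted(ioc_hosts()))
    print("IoC source IPs seen:", matching_source_ips(SAMPLE_MAIL))
```

Received headers are written by each relay in turn, so the hop that matters is the one added by your own border MX (the first address it saw the connection from); a hop below that is attacker-controlled text and can claim anything. Matching every hop, as above, is acceptable for a triage script but a production rule should anchor on the header your own MX writes.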
References
[2] https://www.securemac.com/news/qr-code-phishing-and-how-to-avoid-it