How Multi-Stage Phishing Attacks QRs, CAPTCHAs, and Steganography

Nov 21, 2023The Hacker NewsCybercrime / Malware Analysis

Phishing Attacks

Phishing attacks continue to become more sophisticated, with cybercriminals investing in new ways to trick victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHA, and steganography. See how it is made and learn to recognize it.


Quishing, a phishing technique resulting from the combination of “QR” and “phishing,” has become a popular weapon among cybercriminals in 2023.

By hiding malicious links inside QR codes, attackers can bypass traditional spam filters, which are primarily aimed at detecting text-based phishing attempts. The inability of many security tools to interpret the content of QR codes further makes this method a preferred option for cybercriminals.

Phishing Attacks
An email with a QR code containing a malicious link

Analyzing a QR code with an embedded malicious link in a secure environment is easy WHAT. RUN:

  1. Just open it in this work in the sandbox (or upload your file using the QR code).
  2. Navigate to the Static Discovering section (By clicking on the file name in the upper right corner).
  3. Select the item with the QR code.
  4. Click “Submit to Analyze.”

The sandbox will then automatically launch a new task window, which will allow you to analyze the URL identified within the QR code.

Black Friday Offer

Take advantage of ANY.RUN’s Black Friday Offer

Buy an annual subscription to the Searcher or Hunter plan and get another one for your partner absolutely free. Available November 20-26.

Get It Now

CAPTCHA-based attacks

CAPTCHA is a security solution used by websites to prevent automated bots from creating fake accounts or submitting spam. Attackers have been able to exploit this tool to their advantage.

Phishing Attacks
A phishing attack CAPTCHA page displayed in the ANY.RUN sandbox

Attackers are increasingly using CAPTCHAs to hide credential harvesting forms on fake websites. By generating hundreds of domain names using the Randomized Domain Generated Algorithm (RDGA) and implementing CloudFlare’s CAPTCHAs, they can effectively hide these forms from automated security systems, such as web crawlers, which cannot bypass the CAPTCHAs.

Phishing Attacks
A fake Halliburton login page

The example above shows an attack targeting Halliburton Corporation employees. It first requires the user to pass a CAPTCHA check and then uses a realistic Office 365 private login page that is difficult to distinguish from the real page.

Once the victim enters their login credentials, they are redirected to a legitimate website, while the attackers exfiltrate the credentials of their Command-and-Control server.

Learn more about CAPTCHA attacks at in this article.

Steganography malware campaigns

Steganography is the practice of hiding data within various media, such as images, videos, or other files.

A typical phishing attack that uses steganography begins with a well-crafted email designed to appear legitimate. Embedded within the email is an attachment, usually a Word document, along with a link to a file sharing platform such as Dropbox. In the example below, you can see a fake email from a Colombian government organization.

Phishing Attacks
A phishing email is often the first stage of an attack

An unsuspecting user who clicks on a link within the document downloads an archive, which contains a VBS script file. After execution, the script takes an image file, looks harmless but contains hidden malicious code. Once executed, the malware infects the victim’s system.

To understand how steganography attacks are created and detected, see in this article.

Expose phishing attacks with ANY.RUN

WHAT. RUN is a malware analysis sandbox capable of identifying a wide range of phishing tactics and allowing users to examine them in detail.

See ANY.RUN’s Black Friday Offeravailable November 20-26.

Phishing Attacks

The sandbox offers:

  • Fully interactive Windows 7,9,10,11 virtual machines
  • Comprehensive reports with IOCs and malware configs
  • Private analysis of an unlimited number of files and links

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment