QR Code Hacking - I Placed 'Malicious' QR Codes Around My Local Area - Here's Who I Caught.

48,109 views

Grant Collins

A day ago

another dumb deeboodah experiment. www.deeboodah.com
⏰ Timestamps:
0:00 - Introduction
0:41 - Quishing Explained
1:12 - The Idea
1:25 - Implementing the Experiment
4:48 - Placing QR Codes
5:48 - The Results
6:34 - QRLJacking Explained
7:31 - Evil QR by Kuba Gretzky
10:06 - Conclusion + Deeboodah
🔗 Links (Sources):
- developers.cloudflare.com/pag...
- breakdev.org/evilqr-phishing/
- github.com/kgretzky/evilqr
🐕 Follow Me:
Twitter: / collinsinfosec
Instagram: / _collinsinfosec
Cybercademy Discord Server: / discord
🤔 Have questions, concerns, comments?:
Email me: grant@cybercademy.org

Comments: 65
@Nalbennabeel1 1 month ago
I remember doing the same thing just with USBs around my school
@jop4846 1 month ago
how did it go? you just tell a half boom story.
@collinsinfosec 1 month ago
That's another idea in the making currently 😀
@rarehyperion 1 month ago
@collinsinfosec make a "cats" folder in the usb and put lots of cats in it, this is a must have, I'd get a virus from a usb if I knew it had cat pictures on it XD
@letsgetherbal4685 20 days ago
@rarehyperion well tbf once you insert the usb it's already too late for your pc
@rarehyperion 20 days ago
@letsgetherbal4685 Me when linux
@SweDownhill 1 month ago
This, and malicious unsubscribe-links are two attack vectors that I'm surprised aren't utilized more than they currently are.
@PoopSunday 25 days ago
Damn I click on unsubscribe links indiscriminately...😬
@hyper3cube 1 month ago
You'd get tons of people if you put the QR code on tables outside of restaurants. So many restaurants use QR codes for ordering now, people just assume it's the menu.
@magic.marmot 1 month ago
I really liked this. I did a deep-dive into QR codes a few years back for a project at work. Got to love them, made a product better and made the client happy. This is all new to me, especially 'quishing' which sounds gross. You gave me new tools to play with, and renewed my interest in the mischief I appreciate your style. I understand from whence it comes..
@aresinamorta 1 month ago
At least one of your QR codes should have redirected to Rick Astley's Never Gonna Give You Up.
@marekdworzanowski4236 1 month ago
Really a great watch and thanks for the demonstration. It is really another attack vector that not everyone is fully aware of and most people do just scan these QR Codes in the wild, without thinking first. This creates further awareness, thanks.
@OWNERAdminUser 28 days ago
On Sony Playstation, they've made signing into the PSN a future default 2FA method in order to do things like change Privacy settings, or even read an updated EULA policy. It's become every company's business to find instances to compromise cross linked accounts more than any other thing I see. One account on Discord isn't good, but getting a Google ID or MS account that logs someone into many other profiles and devices might be more valuable
@SeniorScriptKitty 1 month ago
don't feel bad, you are learning people some safety, you are doing a service to protect them in the future. you should have used different codes for each instance to track what got the most hits lottery car wash etc. etc. to collect more efficient data
@repairstudio4940 1 month ago
Respect. 🎉❤ Liked and subbed.
@comosaycomosah 20 days ago
This was dope bro!
@Username8281 1 month ago
Love this
@hedgehogform 1 month ago
I wouldn't even scan a restaurant qr code menu.
@StefanNovovic 1 month ago
skill issue
@strbe1041 1 month ago
0:46 didn't know you were a fellow mineman brother
@collinsinfosec 1 month ago
I just downloaded Minecraft about a month ago after not playing for over 10 years, haha. It's a bad distraction.
@watchmehope6560 1 month ago
This was a fun watch 😊
@Techtapp_ 2 days ago
Nice🔥
@Bartlbees 1 month ago
Were you able to see which posters got the most scans?
@collinsinfosec 1 month ago
After getting home from putting the posters up, I realized I should have created three unique QR codes, one per poster. 🙃 Since I had already put them up, I decided to proceed forward. I also realized each poster would get a different amount of scans based on how much pedestrian traffic each had.
@Psikeomega 1 month ago
I actually think it's pretty funny that I'm stumbling across this video in my feed. I was thinking of doing the exact same thing in my area since there's a lot of truck stops in my area and because of that, it's a prime phishing hole
@OWNERAdminUser 28 days ago
pretty much sums up what ordinary users might think of hackers in a nutshell
@antonkalashnikov572 1 month ago
“Kid” 😂
@dealerofgame 1 month ago
Those flyers look terrible
@jerkface38 19 days ago
That's what I thought. At least put some minimal effort in
@CodeDdukDdak 1 month ago
So I think solution to test this qr code in sandbox is good answer for this problem until qr code more using
@daniel_8 1 month ago
this is not entirely true, QRL jacking can only happen if the user scans the barcode in the specific app you are trying to hack, for example if you wanted to jack someone's WhatsApp you'd have to get the victim to scan the barcode in the app under "Add a device" which would require a lot of smart social engineering. so really the only thing an attacker could do is try to phish you or if he found an XSS vulnerability (which is VERY rare in the big services) he could do more dangerous things
@djoh615893 20 days ago
I love dumb experiments. The true scientific method!
@j.woodgard 20 days ago
I finally tracked you down bro I want my freaking car wash!
@collinsinfosec 20 days ago
😀
@Schneids16 29 days ago
Would've liked to hear more about whether the 16 people actually did anything that could've been exploited. imo, getting someone to tap 'browse to site' or whatever after scanning the qr code is relatively harmless. now if they enter valid credentials into your spoofed page, or downloaded a file of some type, that would be interesting. I didn't really see anything in the video that speaks to "who i caught" either.
@Zachsnotboard 24 days ago
my steam profile pic is a QR code that goes to a canary token, so many ppl in my cs games scan it, always funny to spook them with IP, geoip, and user agent info lol
@OneAndOnlyZekePolaris 1 month ago
The tool I used used a lot more sites than that. If the service uses QR codes at all, it can be hijacked. I didn't use it for random though. Only used on criminals.
@patrickchan2503 1 month ago
what... you can hack someone's session by getting them to scan your QR code... oh dear, I often wonder if I have fallen victim to this.
@ricardoteixeira5436 1 month ago
Yeah but you would probably need to find some vuln in the site you're redirecting to
@hyiping5926 1 month ago
Don't ruin my QR code campaign you mufu! :D
@Hellscaped 1 month ago
hello fellow missourian
@0xC47P1C3 1 month ago
Sucks how the QR code is only valid for a short amount of time
@aanrikay 1 month ago
what?
@smokey2 1 month ago
I really don't understand, when I scan QR code, I can see link in scanner and then I can open browser or not. I don't understand how are QR codes dangerous. They are just volume with some text data...
@TechnoMinded-qp5in 1 month ago
I'm lucky I am smart and use computers properly and don't scan random things.
@OneAndOnlyZekePolaris 1 month ago
That is the same QR code btw, at 8:30
@OneAndOnlyZekePolaris 1 month ago
Because it changes after the rest of the page loads up hehe, did I make anyone look?
@pederschultz3283 1 month ago
It is actually possible to hide exe.files in a QR code, although it is difficult, and as some phones will actually execute such a file on scanning.
@dovydassaltis8992 24 days ago
Do you think phones can run .exe files?
@OneAndOnlyZekePolaris 1 month ago
Over here we have to have permissions for QR codes. But it is free use if it is a poster for lost/found pet.
@OneAndOnlyZekePolaris 1 month ago
I got more.
@Progamer69179 1 month ago
Hi
@OneAndOnlyZekePolaris 1 month ago
Old methods
@null-0 1 month ago
"Quishing" Ewwww
@drtydsh 1 month ago
beans cool
@Xand_err 1 month ago
first haha
@MyTube4Utoo 1 month ago
16 Scans in 5 days? You should come here. We've got lots of really dumb people.
@gourabsarker9552 1 month ago
Sir do you earn 150k dollars a year in USA? Plz reply. Thanks a lot.
@collinsinfosec 1 month ago
I do not earn 150K a year in the USA. You can for sure!
@bjduncc 1 month ago
@collinsinfosec 😂
@unknown_exploit 25 days ago
@collinsinfosec 😂
@MemoriesInsideMe 22 days ago
Cringe