TL;DR — Here is a Siri Shortcut for scanning QR codes directly into VirusTotal (Check the note at the end).
Link: https://www.icloud.com/shortcuts/a9732a8074854c3cb19c45ddadde587d
The use of QR codes in phishing attacks seem to running rampant lately. This makes sense, as most detections for phishing attempts revolve around threat intel on the link itself or other attributes of the email. QR codes make it easy to ensure the phishing URL makes it to the target’s inbox.
Note: At the time of this post — vendors such as Proofpoint, Darktrace, and Barracuda are still working on solutions to detect and mitigate these threats.
I’ll throw in a couple articles that have cropped up regarding this lately:
- Security News This Week: US Energy Firm Targeted With Malicious QR Codes in Mass Phishing Attack
https://www.wired.com/story/qr-codes-phishing-attack/ - Phishers use QR codes to target companies in various industries
https://www.helpnetsecurity.com/2023/08/17/qr-codes-phishing/
And some Reddit posts…
Awareness Training — With a little help from Siri
Security awareness training is still essential to any good security stack, but I wanted to make things a little easier on end users with this one because QR codes are a great concept, and we’re using them more and more every day.
I made this for myself as a Security Analyst, and for end users who may run into a suspicious QR code in the wild.
(My apologies to Android users, I have nothing against you, just didn’t want to make an entire app. Hopefully you can accomplish something similar with Tasker or another equivalent.)
Here is the goal: Scan a QR code directly into VirusTotal! This will allow us to quickly check QR codes before opening them (now obviously this isn’t going to be a solution 100% of the time, but hopefully it will catch the worst of the worst).
Creating the Shortcut
1. Get the final, expanded URL
The Scan QR barcode function is already a built in action. However, a lot of codes are short links or redirects from third party services, so we need to expand the URL.
From there, we set the initial value of the code to a variable -> set the correct encoding for the URL and add that to a new variable -> expand the URL and add it to a final variable to use throughout the rest of the shortcut.
Probably don’t need that many variables, but shortcuts tend to work better for me when explicitly hold values somewhere other than just working off of results.
2. Format the URL
Add the final URL variable (in this case just ‘url’) to a basic text element.
I like to copy that text to the clipboard just in case I need to check the URL elsewhere, such as Urlscan or Quittera (or just visit the link if everything checks out).
Now that it is in a text format, we can strip off the http/https prefix using the “Replace” function.
I just used nested if/else statements to check for both HTTP and HTTPS.
3. Combine the final QR code URL with the VirusTotal /search URL
Shortcuts has a built in “Open URL” function to make this easy.
- https://virustotal.com/#/search/<final_url_variable>** (in this case, just ‘final_url’)
And there you have it! A quick and easy shortcut for scanning QR codes directly into VirusTotal.
One last note: This isn’t guaranteed to work for every URL. If the link hasn’t already been scanned in VT then there will be no results. However, the link was copied to the clipboard, so it is easy to paste it in and have it scanned.
