A new report from cybersecurity company INKY Technology Corp. is sounding the alarm over a new wave of phishing threats that use QR codes in increasingly dangerous and deceptive ways, including leveraging embedded JavaScript payloads that execute instantly upon scanning, with no link clicks required. INKY says that attackers are now going a step further by embedding raw HTML and JavaScript into QR codes using data uniform resource identifiers. The new quishing methodology differs from traditional QR threats that redirect users to malicious websites and instead include payloads that execute entirely within the browser, hijacking login pages, capturing keystrokes and even launching exploits as soon as a user scans the code. Often, users don’t even need an active internet connection if the payload is self-contained. The new technique sees attackers embed base64-encoded HTML in the QR code itself. When scanned by a mobile camera or QR scanning app, the code is automatically opened in the system browser and executed. Once the QR code has been scanned and has become active, malicious JavaScript can then simulate login portals, exfiltrate data via hidden forms and fingerprint devices for further exploitation. The QR codes also evade standard email security tools, proxies and threat intelligence systems, as the payload is embedded in the code and never touches an external URL, at least when initially executed.