Phishing with Quick Response (QR) codes is termed Quishing. Attackers exploit this method to manipulate individuals into revealing their confidential data. Recently, colorful and fancy representations of QR codes have become common; the 2D matrix of such a code no longer reflects the typical mixture of black and white modules. Instead, these codes become a more tempting attack vector for adversaries, since they can evade state-of-the-art deep learning visual-based and other prevailing countermeasures. We introduce "ALFA", a safe-by-design approach, to mitigate Quishing and prevent users from accessing the post-scan harmful payload of fancy QR codes. Our method first converts a fancy QR code into a replica of its binary grid and then identifies the erroneously represented modules in that grid. Following that, we present the "FAST" method, which conveniently recovers erroneous modules in that binary grid. Afterwards, using this binary grid, our solution extracts the structural features of the fancy QR code and predicts its legitimacy using a pre-trained model. The effectiveness of our proposal is demonstrated by an experimental evaluation on a synthetic dataset (containing diverse variations of fancy QR codes), achieving an FNR of only 0.06%. We also develop a mobile app to test the practical feasibility of our solution and provide a performance comparison of the app with real-world QR readers. This comparison further highlights the classification reliability and detection accuracy of the solution in real-world environments.