New qishing campaign targets e-commerce payment gateways
A dangerous new qishing campaign is targeting e-commerce payment gateways. Learn how to secure your transactions and use our safe QR code generator.

The threat of qishing (QR code phishing) has reached a critical milestone in terms of technical sophistication. Recently, cybersecurity researchers discovered a global campaign actively exploiting payment gateways integrated into e-commerce sites. Unlike traditional email phishing scams that rely on static text links, this campaign dynamically manipulates client-side elements to replace legitimate checkout QR codes with fraudulent alternatives owned by cybercriminals.
This in-depth technical analysis covers the mechanics of the attack, its evasion techniques, and the steps you can take to secure your digital store and customers against this growing threat.
What is Qishing and How Does it Target E-Commerce?
Qishing combines "QR Code" and "Phishing." While standard phishing filters easily identify bad URLs, qishing hides the malicious link within a two-dimensional image (the QR code). Security scanners must perform optical character recognition (OCR) and decode the image to parse the URL, which introduces processing overhead and bypasses simple perimeter filters.
In e-commerce, QR codes are commonly used for digital wallets, instant bank transfers, and cryptocurrency payments during checkout. When a customer reaches the payment page, they expect the displayed QR code to process their payment securely.
In this campaign, hackers exploit Cross-Site Scripting (XSS) vulnerabilities or compromised third-party plugins in the website's Content Management System (CMS). When the payment page renders, a malicious script intercepts the container of the QR code and swaps the image with the attacker's QR code. The unsuspecting buyer scans the code, verifies the secure HTTPS indicator of the e-commerce store, and completes the payment, inadvertently sending their funds directly to the criminal's wallet.
Modus Operandi of the Payment Gateway Attack
Security researchers have highlighted the high level of planning behind this campaign. Instead of relying solely on generic phishing emails, the threat actors execute a multi-stage compromise:
- Supply Chain Exploitation: Attackers identify and exploit legacy JavaScript libraries or plugins in popular e-commerce frameworks.
- Dynamic Replacement: A lightweight script monitors the Document Object Model (DOM) for payment-related elements.
- Visual Spoofing: The fake QR code integrates corporate logos in its center, mimicking the visual style of trusted payment providers.
- Agent-Based Redirection: The URL embedded in the QR code points to a dynamic redirector. This server checks the visitor's User-Agent; it only displays the phishing page to mobile devices, rendering blank pages or harmless redirects to automated security crawlers.
The table below contrasts the typical user flow of a legitimate payment transaction with the compromised qishing flow:
| Transaction Phase | Legitimate Payment Flow | Compromised Qishing Flow |
|---|---|---|
| 1. Payment Selection | Customer chooses to pay via QR code. | Customer chooses to pay via QR code. |
| 2. QR Code Generation | Server generates a unique QR transaction code. | Malicious script intercepts the payment container. |
| 3. UI Rendering | System shows QR code pointing to merchant wallet. | System renders the attacker's fraudulent QR code. |
| 4. Scan & Authorization | Customer scans QR and completes the payment. | Customer scans QR and pays the attacker's address. |
| 5. Order Status | E-commerce updates the order to "Paid". | Session expires, or a fake network error is shown. |
Technical Analysis of Evasion Methods
Traditional email gateways and Web Application Firewalls (WAF) face significant challenges in detecting qishing. The core of the problem lies in image processing: running OCR and decoders on every single image asset in real time is computationally expensive.
Furthermore, attackers use advanced URL obfuscation methods. Even if a scanner decodes the QR code, the link might employ homograph attacks (using Unicode lookalike characters) or leverage complex subdomains like login.secure.bank.com.attacker-domain.xyz to fool security parsers.
For a deeper understanding of how these redirects function, read our comprehensive guide on identifying URL redirection phishing and how to detect malicious routing behavior.
Python Script: Auditing and Decoding QR Codes
Developers and system administrators can protect their platforms by implementing automated checks on generated QR codes. The Python script below downloads a QR code image, extracts its payload, and traces HTTP redirects to inspect the final landing URL:
import requests
from PIL import Image
from pyzbar.pyzbar import decode
import urllib.parse
def analyze_qr_code(image_path):
print(f"[*] Analyzing image asset: {image_path}")
try:
# Load and decode the QR code
img = Image.open(image_path)
decoded_objects = decode(img)
if not decoded_objects:
print("[-] No QR codes found in the image.")
return
for obj in decoded_objects:
detected_url = obj.data.decode('utf-8')
print(f"[+] Decoded URL: {detected_url}")
# Extract domain
domain = urllib.parse.urlparse(detected_url).netloc
print(f"[*] Destination Domain: {domain}")
# Safely trace HTTP redirects
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'}
response = requests.get(detected_url, headers=headers, allow_redirects=True, timeout=5)
print(f"[+] Final Destination: {response.url}")
if response.url != detected_url:
print("[!] Warning: QR code utilizes intermediate redirects.")
except Exception as e:
print(f"[-] Analysis failed: {str(e)}")
# Usage example
# analyze_qr_code("payment_receipt.png")
This script leverages pyzbar for decapsulating the QR matrix and the requests library to inspect redirect patterns. You can integrate this code into a cron job or build pipeline to test transaction templates.
Best Practices to Secure E-Commerce Checkout
Protecting your store from qishing requires a multi-layered security strategy. We recommend implementing the following security measures:
- Cryptographic QR Signing: Sign QR code image assets server-side. The client-side application must verify this signature before rendering the image to prevent unauthorized DOM modification.
- Third-Party Dependency Audits: Regularly audit CMS plugins and themes using static and dynamic analysis. Learn more about software security testing in our guide on SAST and DAST code audits for secure development.
- Strict Content Security Policy (CSP): Configure robust CSP headers to restrict JavaScript execution and prevent the loading of images or scripts from untrusted external domains.
- Verification Prompts: Encourage payment processors to display transaction metadata (such as the merchant name and total amount) directly inside the user's mobile payment app.
- Security Awareness: Inform users how social engineering tactics work. For further details on psychological manipulation in cybersecurity, read our article on human hacking and social engineering.
Conclusion
Qishing has evolved into a major threat to e-commerce merchants. By bypassing traditional text-based filters and altering payment interfaces directly, hackers can silently hijack transactions. Keeping your dependencies updated, implementing strict CSP policies, and auditing QR codes are vital steps to secure your online business.
If you need a reliable way to generate QR codes without security compromises, try our free QR Code Generator. Unlike other web services, our tool processes all data locally on your machine, preventing data harvesting and redirect tampering.
Sources and External References:
- Cybersecurity and Infrastructure Security Agency (CISA) — Bulletins and guides on mitigating QR code phishing attacks.
- World Wide Web Consortium (W3C) — Official specifications for implementing Content Security Policy (CSP).
- Related post on TecnoCrypter: Qishing: The QR Code Phishing Scam
- Related post on TecnoCrypter: Clipboard Malware and QR Code Scams


