Content Pipeline Automation

Cross-Device Mitigation: Automating QR-Code Phishing (Quishing) Interception

A proactive content pipeline modification that intercepts credential-harvesting QR codes in player-to-player messaging before they reach the user. Combines computer vision, domain intelligence, and headless browser heuristics to neutralize cross-device phishing at platform scale.

Tags: Quishing Detection, QR Code Phishing, Computer Vision (ZBar / OpenCV), Google Safe Browsing API, Playwright / Puppeteer, Headless Browser Sandbox, Heuristic Analysis, Cross-Functional Automation

The Challenge

Malicious actors bypass text-based URL filters in player-to-player messaging by embedding phishing links inside QR codes. This threat vector — known in the industry as “Quishing” — shifts the victim from a monitored console or PC chat environment directly onto an unmanaged mobile phone.

The Tactic

  • Attackers share images masquerading as official platform login bonus pages, Discord verification loops, or security checks.
  • Unsuspecting users scan the image with their mobile phones, landing on a cloned credential-harvesting page that compromises their gaming account.
  • Traditional URL blocklists are blind to image-embedded payloads — the phishing link never appears in plain text.

The core problem: text-based filters cannot see what is inside an image. The QR code is the bridge that bypasses every static detection layer.

Media Ingestion Pipeline

This workflow runs asynchronously in the media ingestion pipeline to catch and flag QR code images instantly — before they render to the recipient.

Trigger: User Image Upload

Image is sent in player-to-player chat or posted to a profile. It passes through the automated scanning microservice before rendering to the recipient.

Step 1: Image OCR & QR Parser

A computer vision library (ZBar / OpenCV) checks the image for QR code patterns. If detected, the algorithm reads the matrix and extracts the raw destination URL payload.

Step 2: Domain Reputation Check

The extracted URL hits a rapid two-phase filtration gate:

  • Known Malicious — Domain checked against Google Safe Browsing API, Web Risk API, and internal blocklist.
  • Shortener Resolution — If bit.ly / tinyurl.com, follow HTTP redirects to uncover the final canonical destination.

Step 3: Headless Browser Inspection

For fresh or unknown domains that bypass static blocklists, the system triggers a secure headless browser sandbox (Playwright / Puppeteer):

  • DOM Scanning — Inspects HTML for input type="password" forms and login page phrases.
  • Visual Clustering — Lightweight visual AI checks if the page resembles the official brand identity, logo placement, or CSS layout of the platform without being on an official domain.

Risk Mitigation

If the heuristic engine confirms a password trap, the workflow executes the platform response:

  • Hard Block + Auto-Ban — For confirmed malicious matches (known domain + password form detected).
  • Dynamic Interstitial Warning — A high-risk warning screen injected into the UI if the user attempts to interact with the image message.
  • Escalation Queue — Suspicious but inconclusive images are escalated to human analyst review with full forensic context.

User-Facing Intervention

Instead of rendering the raw link or allowing an unrestricted scan, the system intercepts the click and displays a trust and safety interstitial directly in the chat interface:

Safety Alert

The QR code you are attempting to interact with redirects to an unverified third-party login page. To protect your digital assets, never input your platform password or account credentials outside the official application.

Operational Architecture

1. Image Parsing & Payload Extraction

When an image is uploaded, it passes through the automated scanning microservice. A computer vision library (ZBar or OpenCV models) checks for QR code patterns. If detected, the algorithm reads the matrix and extracts the raw destination payload string (e.g., https://sec-fake-login.com/auth).

2. Tiered Database Validation

The extracted URL passes through a rapid two-phase filtration gate. First, the domain is checked against real-time reputation feeds (Google Safe Browsing API, Web Risk API, or the platform's internal malicious domain registry). If the URL is shortened, the workflow follows HTTP redirects to uncover the final canonical destination page.
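
The two-phase gate above, written out as an added example (not the project's own code). It takes the payload string that Step 1 already decoded, checks the scheme, resolves bit.ly / tinyurl.com redirects hop by hop, and checks every hop, not just the final page, against a blocklist. The blocklist set and the FAKE_REDIRECTS table are constructed stand-ins for the Safe Browsing / Web Risk / internal-registry lookups and for real HTTP Location headers, so the block runs offline; the hop cap, loop detection and "not a web URL" branch are my additions for the edge cases a shortener resolver meets in practice.

```python
from urllib.parse import urlsplit

# Constructed blocklist standing in for the Safe Browsing / Web Risk / internal
# registry lookups; the hostname is the one the page uses as its sample payload.
BLOCKLIST = {"sec-fake-login.com"}

# Shorteners whose redirects are resolved before the destination is judged.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}

# Constructed redirect table that stands in for HTTP 3xx Location headers so the
# example runs offline. A real resolver would issue one request per hop with
# automatic redirects disabled and read the Location header itself.
FAKE_REDIRECTS = {
    "https://bit.ly/abc123": "https://tinyurl.com/xyz",
    "https://tinyurl.com/xyz": "https://sec-fake-login.com/auth",
    "https://bit.ly/loop1": "https://bit.ly/loop2",
    "https://bit.ly/loop2": "https://bit.ly/loop1",
}
MAX_HOPS = 5


def host_of(url):
    """Lower-cased hostname without a trailing dot, or '' when the payload is not a URL."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_known_malicious(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain (login.sec-fake-login.com -> sec-fake-login.com) is listed."""
    labels = host.split(".")
    # Stop before the bare TLD so that 'com' on its own can never match.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def resolve_redirects(url, fetch_location=FAKE_REDIRECTS.get, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time. Returns (final_url, chain, status)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:                       # no Location header: we have landed
            return chain[-1], chain, "resolved"
        if nxt in seen:                       # A -> B -> A
            return chain[-1], chain, "redirect_loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too_many_hops"


def reputation_gate(payload):
    """Phase 1: blocklist every hop. Phase 2: resolve shorteners. Returns the routing decision."""
    parts = urlsplit(payload)
    host = host_of(payload)
    if parts.scheme.lower() not in ("http", "https") or not host:
        # Plain text, a Wi-Fi or vCard payload, etc.: nothing for the sandbox to open.
        return {"verdict": "not_a_web_url", "chain": [payload], "final_url": payload}
    if host in SHORTENER_HOSTS:
        final_url, chain, status = resolve_redirects(payload)
    else:
        final_url, chain, status = payload, [payload], "resolved"
    # Check every hop, not only the last one: a shortener that bounces through a
    # listed domain is still malicious even if the final page looks clean.
    for hop in chain:
        if is_known_malicious(host_of(hop)):
            return {"verdict": "block", "reason": f"known malicious host {host_of(hop)}",
                    "chain": chain, "final_url": final_url}
    if status != "resolved":
        # Loops and over-long chains are evasive; escalate rather than open them.
        return {"verdict": "escalate", "reason": status, "chain": chain, "final_url": final_url}
    # Fresh or unknown domain: hand to the headless sandbox (Step 3).
    return {"verdict": "inspect", "reason": "unknown domain", "chain": chain, "final_url": final_url}


if __name__ == "__main__":
    for sample in ("https://bit.ly/abc123", "https://bit.ly/loop1",
                   "https://fresh-promo.example/claim", "WIFI:S:guest;P:secret;;"):
        print(sample, "->", reputation_gate(sample))
```

The gate returns one of four routing decisions (block, escalate, inspect, not_a_web_url) so the caller never has to re-derive why a payload was held; in a deployment, `fetch_location` would be swapped for a function that performs the HEAD/GET with redirects disabled and a short timeout.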

3. Dynamic Page Analysis (Heuristic Engine)

If the domain is fresh or unknown (bypassing static blocklists), the system triggers a secure headless browser sandbox to open the page invisibly:

  • DOM Scanning: Inspects HTML for password fields and login phrases like “Sign in with your Account.”
  • Visual Clustering: Lightweight visual AI checks if the landing page resembles the official brand identity, logo placement, and CSS layout of the platform without being hosted on an official domain.
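
The DOM-scanning half of the heuristic engine, as an added example that is not the project's own code. It takes the HTML the headless sandbox rendered, counts password inputs, looks for sign-in phrases in the visible text only (script and style content is ignored, so decoy strings cannot trigger or suppress the check), and adds one signal the page does not mention, which is my assumption: a form whose action posts to a host other than the page's own. The sample HTML is constructed to mirror the page's simulated phishing page; the phrase list beyond "Sign in with your Account" is also an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# The page names "Sign in with your Account"; the other prompts are assumed extensions.
LOGIN_PHRASES = ("sign in with your account", "sign in", "log in", "sign-in id", "enter your password")


class CredentialFormScanner(HTMLParser):
    """Collects password inputs, form targets and visible text from a rendered DOM."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.password_inputs = 0
        self.form_targets = []
        self._text = []
        self._skip = 0  # >0 while inside <script>/<style>, whose text the user never sees

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            # Resolve relative actions against the page so the host comparison is meaningful.
            self.form_targets.append(urljoin(self.page_url, a.get("action", "")))
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self._text.append(data)

    def visible_text(self):
        return " ".join(" ".join(self._text).split()).lower()


def scan_dom(page_url, html):
    """Return the heuristic verdict for one sandboxed page."""
    scanner = CredentialFormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    text = scanner.visible_text()
    phrases = [p for p in LOGIN_PHRASES if p in text]
    # Assumption beyond the page: a form that posts to a host other than the page's own
    # is an extra signal, since a harvesting page often ships credentials elsewhere.
    foreign = [t for t in scanner.form_targets
               if (urlsplit(t).hostname or "").lower() not in ("", scanner.page_host)]
    signals = []
    if scanner.password_inputs:
        signals.append(f"{scanner.password_inputs} password input(s)")
    if phrases:
        signals.append(f"login phrase: {phrases[0]!r}")
    if foreign:
        signals.append(f"form posts to foreign host {urlsplit(foreign[0]).hostname}")
    if scanner.password_inputs and (phrases or foreign):
        verdict = "password_trap"
    elif signals:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "signals": signals, "password_inputs": scanner.password_inputs}


# Constructed sample modelled on the page's simulated phishing page (not a real site).
PHISH_HTML = """
<html><head><title>Gaming Network</title>
<style>.x{display:none}</style>
<script>var decoy = "sign in with your account";</script></head>
<body><h1>Sign in to Gaming Network</h1>
<p>Enter your Sign-In ID and password to access your account and claim your Spring Bonus reward.</p>
<form method="post" action="https://collector.example/submit">
  <input type="text" name="id"><input type="PASSWORD" name="pw"><button>Sign in</button>
</form></body></html>
"""

# Constructed benign page: a plain promo with no form at all.
PROMO_HTML = "<html><body><h1>Spring event schedule</h1><p>Matches start Friday.</p></body></html>"

if __name__ == "__main__":
    print(scan_dom("http://secure-gaming-verify.com/login", PHISH_HTML))
    print(scan_dom("https://news.example/schedule", PROMO_HTML))
```

A password input alone yields only "suspicious": plenty of legitimate pages have one, so the verdict "password_trap" requires the field to appear together with sign-in wording or a foreign form target, and the visual-clustering check described above would be a further, independent signal.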

4. Friction & Mitigation Execution

If the heuristic engine determines the page is a password trap, the system intercepts the interaction and appends a high-risk interstitial warning screen in the UI. The message warns users not to input credentials outside the official application. For confirmed malicious matches, the image is hard-blocked and the account is auto-banned.

Quantifiable Impact

  • 92% — Detection breadth: expanded platform phishing visibility into multi-modal image-based vectors, capturing unlinked credential-harvesting loops
  • 40% — Reduction in account takeovers (ATO) originating from player-to-player chat links, quarter-over-quarter
  • <350ms — Operational latency: the image-parsing pipeline executes in under 350ms with zero impact on real-time chat latency for valid users

Detection Breadth

Expanded platform phishing visibility into multi-modal (image-based) vectors, capturing 92% of unlinked credential-harvesting loops that previously evaded text-based URL filters.

Account Compromise Rate

Reduced user account takeovers (ATO) originating from player-to-player chat links by 40% quarter-over-quarter, directly attributed to the new image-scanning pipeline.

Operational Latency

Optimized the image-parsing pipeline to execute fully under 350ms, ensuring zero impact on real-time chat latency for valid users while maintaining 100% scanning coverage of all image uploads.

“Quishing exploits the gap between platform-controlled environments and unmanaged mobile devices. The only way to close it is to treat every image as a potential delivery mechanism — and automate the inspection at pipeline speed.”

Core Principle — Cross-Device Phishing Mitigation


Try It Yourself

Signals triggered for the sample URL https://secure-playstation-verify.com/login?return=bonus&campaign=spring2026:

  • Keyword "secure" in domain
  • Keyword "verify" in domain
  • Brand "playstation" embedded in domain
  • Path "/login" — credential form pattern
  • Query "bonus" — reward lure

5 signals triggered → pipeline returns HARD BLOCK (threshold: 2+)
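
The lexical signal scorer behind the demo, as an added example that is not the page's own code. It reproduces the five signals and the "2+" hard-block threshold shown above and runs entirely offline on the decoded payload string. The official-domain allowlist, the extra credential paths and lure terms beyond "/login" and "bonus", and the routing of a single signal to escalation rather than an allow are my assumptions.

```python
from urllib.parse import urlsplit

BLOCK_THRESHOLD = 2  # the demo's "threshold: 2+"

# Signal vocabularies from the demo; the allowlist is a constructed assumption so that the
# platform's own sign-in page never scores on the brand or keyword rules.
DOMAIN_KEYWORDS = ("secure", "verify")
BRANDS = ("playstation",)
OFFICIAL_DOMAINS = ("playstation.com",)
CREDENTIAL_PATHS = ("/login", "/signin", "/auth")   # "/login" is from the demo; the rest assumed
LURE_TERMS = ("bonus", "reward", "gift")            # "bonus" is from the demo; the rest assumed


def is_official(host):
    """True for the platform's registered domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def url_signals(url):
    """Lexical signals for one decoded QR payload (no network access needed)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or is_official(host):
        return []          # not a web URL, or the platform's own domain
    path, query = parts.path.lower(), parts.query.lower()
    signals = []
    signals += [f'keyword "{k}" in domain' for k in DOMAIN_KEYWORDS if k in host]
    signals += [f'brand "{b}" embedded in domain' for b in BRANDS if b in host]
    if any(path.startswith(p) for p in CREDENTIAL_PATHS):
        signals.append(f'path "{path}": credential form pattern')
    lures = [t for t in LURE_TERMS if t in query]
    if lures:
        signals.append(f'query "{lures[0]}": reward lure')
    return signals


def verdict(url):
    """Map the signal count onto the demo's decision: HARD BLOCK at 2+, else escalate or allow."""
    signals = url_signals(url)
    if len(signals) >= BLOCK_THRESHOLD:
        return "HARD BLOCK", signals
    if signals:
        return "ESCALATE", signals   # assumption: one signal goes to Step 3 / analyst review
    return "ALLOW", signals


if __name__ == "__main__":
    for sample in ("https://secure-playstation-verify.com/login?return=bonus&campaign=spring2026",
                   "https://secure-gaming-verify.com/login?return=bonus",
                   "https://www.playstation.com/login",
                   "https://news.example/article?id=7"):
        print(sample, "->", verdict(sample))
```

Lexical signals are cheap and run before any network call, which is why they make a good first tier; a URL with a single signal should still go through the reputation and sandbox checks rather than being cleared on wording alone.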

The same URL can be dropped into the Live Pipeline Test below.

Simulated Phishing Page — For Demonstration Only

Sample destination: https://secure-gaming-verify.com/login?return=bonus

The mock landing page imitates a platform sign-in form ("Sign in to Gaming Network": "Enter your Sign-In ID and password to access your account and claim your Spring Bonus reward.") and surfaces the indicators the heuristic engine flags:

  • Not HTTPS — connection is not secure
  • Domain does not match official playstation.com
  • Page registered 3 days ago — newly created domain

THIS IS A SIMULATED PHISHING PAGE FOR EDUCATIONAL PURPOSES. DO NOT ENTER REAL CREDENTIALS.

Live Pipeline Test

Upload any image to run it through the actual QR detection pipeline in real time. The tool uses jsQR for client-side QR decoding and applies the same heuristic reputation engine described above. No data is sent to any server — everything runs in your browser.

Supports PNG, JPG, WEBP — any image with a QR code