Implementation and Analysis of QR Code Phishing Attacks on Indonesian Internet Banking Using Attack Tree and Time-Based Metrics

Authors

  • Shavira Eka Yuniati, Information System, Telkom University, Indonesia
  • Adityas Widjajarto, Information System, Telkom University, Indonesia
  • Umar Yunan Kurnia Septo Hediyanto, Information System, Telkom University, Indonesia

DOI:

https://doi.org/10.52436/1.jutif.2026.7.1.4819

Keywords:

Attack tree, Attack experiment, Quishing attack, Social engineering, Time metric

Abstract

The development of technology in Internet banking services facilitates customers’ financial transactions. However, it also creates opportunities for cybercrime threats, including quishing attacks. A quishing attack is a type of phishing attack that uses a QR Code to redirect victims to a fake website in order to steal sensitive information. This research formulates an attack tree model for quishing attacks that combines OSINT, social engineering, and QR Code exploitation, structured using data flow diagrams and evaluated with time-based metrics. The attack was simulated as a Proof of Concept (PoC) to realistically depict the stages of exploitation. The experimental results show that the fastest attack path, which uses the OSINT tool Truecaller, the social engineering tool SEToolkit, and the QR Code tool Qrencode, takes 248.31 seconds. This path is considered more efficient: it is 25.15 seconds faster than the second fastest combination, which uses the OSINT tool Find Mobile Number Location and has a total time of 273.46 seconds. Truecaller’s advantage lies in its ability to obtain data quickly without the geographic location process that the Find Mobile Number Location tool requires. This approach shows that banking institutions can integrate attack trees with time-based metrics to assess vulnerability response times, simulate realistic threat scenarios, and develop more effective incident response strategies to prevent unauthorized access during quishing attacks.

Published

2026-02-15

How to Cite

[1] S. E. Yuniati, A. Widjajarto, and U. Y. K. S. Hediyanto, “Implementation and Analysis of QR Code Phishing Attacks on Indonesian Internet Banking Using Attack Tree and Time-Based Metrics”, J. Tek. Inform. (JUTIF), vol. 7, no. 1, pp. 44–59, Feb. 2026.