Don't overlook the security risk posed by QR codes

QR Code scanned via phone
(Image credit: Metapixel)

The distinctive monochrome pattern of the QR code has become an increasingly common sight in recent years. And, like any other form of technology you can imagine, cyber criminals are doing their best to exploit it in their attacks.

About the author

Magni Reynir Sigurðsson is the Senior Manager of Detection Technologies at Cyren.

Quick Response codes are nothing new, having first been devised in 1994 as a way of tracking car parts during manufacturing. The technology gradually migrated into a much broader array of uses, although it often struggled to gain much traction as a consumer tool.

Today, however, smartphones and mobile connectivity have caught up to the QR code's potential, and the digital tiles now provide handy shortcuts for consumers to complete actions or get more information. They are commonplace on travel and event tickets in many countries, with restaurant menus and advertisements being other popular uses. And of course, anyone who has done a COVID test will have noticed a QR code offered as an alternative to typing out a long string of ID numbers.

They have also seen increased use in business settings, including tracking products and parts through supply chains and authorizing documents such as payments.

But the more mainstream the technology has become, the more attractive it has become for threat actors. The same accessibility that makes the QR code a useful tool also makes it an effective vector for phishing and malware delivery.

What makes QR codes so useful for criminals?

There are several factors that make QR codes an appealing attack tool. Codes can be used in emails as a substitute for URL links or attached files. In normal use, this will automatically redirect the recipient to a specified web page or interact with a specialized device or application. Attackers can exploit this trait to disguise a phishing URL or malware download link that might otherwise be picked up by email gateways or other anti-phishing cybersecurity solutions.

The oblique nature of the QR code also helps to disguise dangerous content. Savvier users have learned to be suspicious of unusual URLs and watch out for links that don’t seem to match up to their stated purpose. But the QR code itself is not malicious and there is nothing to give one set of pixelated squares away as a potential threat. This, combined with our growing familiarity with the technology, means many users will simply wave through a QR code where they might have been suspicious of a normal link.

Added to this, the codes are usually intended to be scanned by a smartphone, which means a user who opened an email on their desktop endpoint will be jumping devices. This will often mean switching to a less secure personal device, particularly in the age of remote working. As a result, the target will likely have less security protection than if they had simply followed a malicious link on their original endpoint.

How are QR codes exploited in phishing?

QR code attacks use the same broad tactics as standard phishing campaigns. Targets will be sent an email with a required action to encourage them to interact with the QR code. On the consumer side, this might be tracking or paying for a delivery, or an offer of a free giveaway or competition. Business-focused attacks will use familiar narratives around invoices and other urgent documentation. Using the QR code as a shortcut to update and secure an IT profile or online account (e.g. password reset or verification) is common in both fields.

Scanning the QR code redirects the victim to a fraudulent phishing site built to harvest whatever the criminals can convince the target to give up: usernames and passwords, bank details, social security numbers, and any other personal information.

As with any other data theft campaign, these details can then be used for a wide range of malicious activities, including account takeovers, network infiltration, and financial fraud.

While we primarily see QR codes in phishing, they can also be used as an effective vector for malware. Scanning the code can take the victim to a website that covertly triggers a malware download, or to a dummy app store that tricks the user into installing a malicious application. Malware such as keyloggers can then be used to steal credentials and data for further attacks, or the device can even be co-opted to send SMS messages to an expensive number owned by the criminal group.

How can organizations defend against QR code attacks?

QR code attacks are still somewhat rare for now, perhaps because standard phishing tactics have continued to provide criminals with a reliable income. However, as email security improves, attackers will continue to explore novel evasion techniques that increase their chances of reaching and deceiving their targets. With this in mind, organizations must ensure they can protect both their customers and themselves from these techniques. As with standard phishing, this requires a combination of user education and security technology.

User awareness is important here, particularly as QR codes have become such familiar sights. Just as most people now know to be suspicious of unsolicited emails and unusual links, they should be made aware of the potential risk from a malicious QR code.

While the code itself means nothing to the human eye, activating it leads to a URL, and the attack still depends on the user taking at least one more action. They need to apply their judgment at this moment and look out for red flags in the URL, rather than simply accepting wherever the code sends them. Similarly, while the QR codes take the place of traditional links and file attachments, the email body will still need to use the same tricks threat actors have been using for years. Spoofed sender names and errors in language and branding can still give the game away.

Organizations should also be sure to provide both their employees and customers with a clear channel to flag suspected phishing attempts. They can do this by implementing a specialized email threat detection solution that is able to seamlessly adapt as attackers change tactics. Individuals should be able to instantly raise any concerns and get support the moment a suspicious email comes in.

It’s also important for enterprises to step up their efforts to detect and eliminate these malicious messages before their intended targets fall victim. The use of QR codes is just one example of how attackers are moving away from emails that can be detected by signature- and threat intelligence-based security solutions. The emphasis should be on real-time analysis rather than databases of known threats, with solutions designed to spot more subtle signs such as mismatched sender IDs.
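The two defensive steps above, a user checking the decoded URL for red flags and a gateway analysing the message in real time rather than matching it against a database, both come down to the same question: once the pixels have been turned back into text, does that text look like a legitimate destination? The Python below is an added example written for this article, not code from the author or from Cyren. It assumes an external QR library (for instance zbar or zxing) has already decoded the image; the brand keywords and shortener list are illustrative assumptions, the sample email is constructed, and the attached "image" in that sample is a stand-in whose bytes are the decoded text itself because the example ships no image encoder.

```python
"""Red-flag checks on the text decoded from a QR code (added example)."""
import ipaddress
from email import message_from_string
from email.message import EmailMessage
from typing import Callable, Optional
from urllib.parse import urlsplit

# Illustrative lists (assumptions). A deployment would use its own brand
# names and a maintained shortener/threat feed instead.
BRAND_KEYWORDS = ("microsoft", "office365", "paypal", "dhl")
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
NON_URL_SCHEMES = ("wifi:", "tel:", "sms:", "smsto:", "mailto:", "matmsg:")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: production code would
    use the Public Suffix List so names like example.co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_qr_payload(payload: str) -> list[str]:
    """Return the red flags found in one decoded QR payload (empty = none)."""
    text = payload.strip()
    lower = text.lower()
    if lower.startswith(NON_URL_SCHEMES):
        # Wi-Fi join, SMS, dial: not a web page, but the phone acts on it.
        return [f"non-URL action payload: {text.split(':', 1)[0]}"]
    if lower.startswith(("data:", "javascript:")):
        return ["script/data URI instead of a web address"]

    parts = urlsplit(text if "://" in text else "http://" + text)
    host = (parts.hostname or "").lower()
    findings: list[str] = []
    if parts.scheme != "https":
        findings.append("not HTTPS")
    if parts.username is not None:
        # 'https://bank.example@203.0.113.5/' really goes to the IP.
        findings.append("userinfo '@' in URL; real host follows the '@'")
    try:
        ipaddress.ip_address(host)
        findings.append("IP address used as host")
        return findings
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("punycode (IDN) label in host")
    reg = registrable_domain(host)
    if reg in URL_SHORTENERS:
        findings.append("URL shortener hides the final destination")
    if host.count(".") >= 4:
        findings.append("unusually deep subdomain chain")
    for brand in BRAND_KEYWORDS:
        # Brand word present, but the registrable domain is someone else's.
        if brand in lower and brand not in reg:
            findings.append(f"'{brand}' appears outside the registrable domain {reg}")
    return findings


def scan_email_for_qr(raw: str, decode_qr: Callable[[bytes], Optional[str]]) -> dict[str, list[str]]:
    """Walk the MIME parts, run the caller's QR decoder on every image part
    and return {part name: red flags} for each payload that decodes."""
    results: dict[str, list[str]] = {}
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "image":
            continue
        name = part.get_filename() or part.get("Content-ID", "inline-image")
        decoded = decode_qr(part.get_payload(decode=True) or b"")
        if decoded:
            results[name] = analyze_qr_payload(decoded)
    return results


def build_sample_email(qr_payload: str) -> str:
    """Constructed lure in the style the article describes. The 'image'
    bytes are a stand-in carrying the decoded text, not a real PNG."""
    msg = EmailMessage()
    msg["From"] = '"IT Service Desk" <helpdesk@example.org>'
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Action required: verify your Office 365 password"
    msg.set_content("Scan the attached code with your phone to keep your account.")
    msg.add_attachment(qr_payload.encode(), maintype="image", subtype="png",
                       filename="verify.png")
    return msg.as_string()


def stand_in_decoder(data: bytes) -> Optional[str]:
    """Replace with a real decoder (e.g. pyzbar.decode) for genuine images."""
    return data.decode("utf-8", "ignore") or None


if __name__ == "__main__":
    sample = build_sample_email("http://login-office365.example.net/restore")
    for name, flags in scan_email_for_qr(sample, stand_in_decoder).items():
        print(name, "->", flags or ["no red flags"])
```

The registrable-domain check is the one that catches the lure the article describes: the brand name is present to reassure the reader, but the part of the host that actually determines who receives the credentials belongs to someone else. The same function serves both audiences, a browser extension or scanner app showing the flags to the user before the page opens, and a gateway running it over decoded attachments before delivery.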


Magni Reynir Sigurðsson is the Senior Manager of Detection Technologies at Cyren, an established provider of advanced threat detection and threat intelligence solutions for enterprise, service providers, and cybersecurity solutions vendors.