Are you sure about the safety of that QR code?

QR Code
(Image credit: Pixabay)

It is predicted that by 2022, over five billion QR codes will have been scanned or accessed by mobile devices.  A QR code is an additional form of contactless communication that, once scanned, either relays information or directs an individual to another online source, website or application. QR code adoption has increased with the contactless way of life that many of us have had to adjust to, especially during the worldwide pandemic. 

QR codes are frequently seen on advertisements, travel tickets, legal and health documentation, as well as social media platforms like Facebook, WhatsApp and SnapChat. They have been used as an alternative to menus in restaurants and we even have the ability to use them to transfer money. Some countries have adopted this technology more than others. For instance, in China, QR codes are now the de facto way of life through apps like WeChat. In the UK, during the pandemic, individuals would commonly see and use QR codes when entering outside venues or logging coronavirus information for the NHS. In the US, during the presidential elections, flyers were handed out to the population which contained QR codes to help individuals check whether they were signed up to vote.

Once any of these QR codes are scanned, users are notified and prompted to go to an external webpage typically to enter some level of credentials or even personal information. While the use cases are plentiful, there are many security risks associated with QR code technology that can be exploited by hackers when deploying cyberattacks and online scams.

About the author

Hank Schless is Senior Manager of Security Solutions at Lookout

QR codes and cyberattacks

From an attacker’s perspective, QR codes present the perfect opportunity to target the masses without much effort. This shares many similarities with a phishing scam, which is the most popular attack vector for modern hackers. As mentioned, a QR code is a contactless method for a mobile device to read a URL. In terms of creating a malicious QR code, hackers need only to replicate the steps they take when manufacturing a phishing scheme. Phishing is the most common tactic used with QR codes and can be easily implemented – there are even designated QR code phishing kits that are readily available, cheap and highly customisable. This means hackers can imitate the world’s most popular brands to extract sensitive information from their customers.

From the real-life use cases above, a threat actor could easily manufacture a similar QR code to extract information including personally identifiable information. These ‘call-to-action’ security issues, whereby the unsuspecting user must provide a response or interact (i.e. scan the code) to initiate the scam, are prevalent in the cyber underworld.

For instance, if a consumer was expecting to login and activate a service, cybercriminals could place a QR code within that site and redirect that user to a new website with security issues or even request the download of a malicious application. Furthermore, emails or SMS messages can contain malicious QR codes which will look to negatively impact the device. Hackers have been known to send fake tracking messages with QR codes when imitating real delivery services.

In the cryptocurrency space, QR codes are used to help mobile devices locate virtual wallet addresses to transfer bitcoin or other cryptocurrencies. However, scammers have quickly realized a simple flaw that can become extremely costly for the victim. Because a QR code can be created by almost anyone, one could be tricked to send money to a hacker’s wallet instead of the one intended; and because of how hard it is to distinguish one QR code from another, the victim is none the wiser. In fact, a network of Bitcoin-QR code generators have reportedly stolen thousands from victims in the past year.

Inputting malicious content into a QR code can be achieved with little effort and with the widespread use of this technology, hackers have ample opportunities to adapt their own codes over existing ones without being detected.

QR codes and the workplace

Due to the current global situation, many individuals are working remotely and turning their personal devices into work devices to stay productive outside the office environment. However, this presents a significant issue to the overall security of the corporate infrastructure and the sensitive contents held within these four walls. An employee could unwittingly scan a malicious QR code, login using their credentials and allow a hacker to either collect the login details or install software that can spy or steal sensitive assets.

Due to the popularity of QR codes around the world and across all industries, businesses that use this technology should be on high alert to detect any possible scams. As previously mentioned, QR code campaigns mirror those of phishing schemes and should be viewed in the same way. When using a mobile device, most users are not cautious and there is the added difficulty of being unable to spot the tell-tale signs of a phishing threat due to the small nature of the device.

How to prevent QR code cyberattacks

Firstly, more awareness being provided to users could significantly decrease the number of malicious QR code attacks. When scanning a code via a mobile device, users should check the URL link on the notification before continuing to click through. If it looks suspicious and doesn’t sound like what you expected, users can exercise that same level of caution they would as with email phishing and exit the application. But, given that attackers can make up virtually any URL to fit a QR Code and vice versa, it can be extremely difficult to spot the fake from the real – and this can catch out even the most trained professionals. Therefore, implementing a mobile threat defence needs to be enforced on all endpoints to protect users from interacting with malicious websites, apps, or networks. Businesses wouldn’t operate a desktop or laptop without adequate security; therefore, mobile devices must be given the same level of attention - especially as individuals continue to operate outside the traditional security perimeter.

As we continue to work remotely, mobile devices have also become the tools we use to stay productive and because of the personal aspect, they are a prime target for mobile scams. QR code threats will continue to be constant issue as mobile adoption increases and as people converge their work and personal devices.

You might want to check out our guide on how to scan QR codes on your iPhone or iPad.

Hank Schless is Senior Manager of Security Solutions at Lookout