QR codes (quick response codes) have become commonplace in the years since social media took off. Many individuals use QR codes in place of traditional movie and concert tickets, to distribute virtual invitations, or to enter credit card information when making purchases. Especially during the COVID-19 pandemic, many restaurants switched over from traditional, physical menus and began implementing QR codes to promote contactless ordering.
QR codes offer several benefits over traditional URLs and links, including faster transmission speed, the ability to store larger amounts of data, and ease of creation. Anyone can go on the internet and create their own unique code in a matter of seconds. Because QR codes are so common, many people will scan one without thinking about where it might lead or the data it might contain. The purpose of this blog is to educate individuals on the risks associated with malicious QR codes and how you can protect your data.
Static QR Codes: Static QR codes are, as the name implies, static. They are assigned information that isn't meant to change or be updated, such as a URL or contact information. The codes become useless if the URL or information within the code changes or is updated.
Dynamic QR Codes: Dynamic QR codes allow the creator to change or update their information as they see fit. These codes point to a server where the data is held and, when updated, display the new information. These codes are often used for special deals or events that may change times.
"Quishing" combines a malicious QR code with the tactics of phishing in order to trick a user into scanning a false code. These attackers will create a QR code that contains a phishing link or a malware download and send it to individuals or a group of people. These codes may be sent through emails, social media, or even placed in the real world on signs or posters. Once the victim scans the code, they are taken to the phishing site where their login credentials may be harvested. The code may also download malware immediately in order to compromise the device.
QRLjacking also utilizes social engineering in order to trick users into scanning a QR code and granting attackers access to an account or application. It takes advantage of the QR codes in MFA or single sign-on applications. Once again, the malicious code is distributed via email or SMS messaging and recreates the target site or logon page. The victim will then enter their credentials into the fake application and unknowingly give away their login credentials. This attack may often lead to the total hijacking of a victim's account and, if good password policies aren't followed, may extend to other applications.
QR code scams are easy to create because these codes can be placed virtually anywhere, and false ones are very hard to distinguish from legitimate ones. A common QR code scam in the real world is the code payment scam. Attackers will create a code, print it out on a sticker, and place it on a sign or building for victims to easily see. Oftentimes these codes will be put in front of a public parking lot in the hopes that victims will scan them in order to pay for parking. These codes may also be placed around gas stations or other retail stores to encourage users to "skip the line" and pay through their QR code. These codes link to a malicious site or download that steals the victim's information.
Another common tactic involves attackers placing fake QR codes on packages and sending them directly to victims through the mail. The individual may wonder why they received a package they weren't expecting, and the QR code may ask them to scan it for more information about returns. Individuals should also be wary of QR code scanning apps that exist on the various app stores. These apps claim to provide QR scanning services but are no more than spyware or, in some cases, advanced malware. Your camera should come with the ability to scan QR codes natively, and an app is most likely not required.
There are several easy steps you can take to protect yourself from QR code scams. First, you should always preview the link before following the code to its destination. Is it linking to a legitimate website? Or does the URL contain misspellings or random characters? If you don't recognize the URL, then you probably shouldn't follow it. You should also check for signs of QR code tampering. If you're at a restaurant and it looks like a sticker has been placed over the original QR code, that may be a sign that it's been swapped out for a malicious code. Lastly, don't scan or trust QR codes from strangers, whether online through email and SMS messaging or in person.
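The link preview described above can be partly automated once the QR code has been decoded to a URL. The following is an added example, not CorpInfoTech's code: it flags misspellings of expected domains and random-looking characters, plus a non-HTTPS scheme as an extra check. The trusted domains, thresholds, and function names are assumptions made for illustration.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Assumption: domains you expect QR codes to lead to (constructed samples).
TRUSTED = {"cityparking.example", "examplebank.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def preview(url: str) -> list[str]:
    """Return reasons not to follow a URL decoded from a QR code."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    # Simplification: treat the last two labels as the registered domain
    # (a real tool would consult the Public Suffix List).
    labels = host.split(".")
    domain = ".".join(labels[-2:])
    if domain in TRUSTED:
        return findings
    # One or two edits away from a trusted name suggests a deliberate misspelling.
    near = sorted(t for t in TRUSTED if 0 < edit_distance(domain, t) <= 2)
    findings.append(f"misspelling of {near[0]}" if near else "unrecognised domain")
    # Heuristic thresholds (assumed): long labels with near-uniform characters.
    if any(len(l) >= 10 and entropy(l) > 3.5 for l in labels):
        findings.append("random-looking characters")
    return findings
```

An empty list means none of these checks fired; it does not prove the destination is safe.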
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including security assessment, cybersecurity penetration tests, managed services (MSP), firewall management, and vulnerability management. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.