It is predicted that by 2022, more than five billion QR codes will be scanned or accessed by mobile devices. A QR code is an additional form of contactless communication that, when scanned, transmits information or directs a person to another online source, website, or application. QR code adoption has increased along with the contactless lifestyle many of us have had to adjust to, especially during the global pandemic. QR codes are frequently seen on advertisements, travel tickets, legal and health literature, as well as on social media platforms such as Facebook, WhatsApp, and SnapChat. They have been used as an alternative to restaurant menus and we even have the option of using them to transfer money. Some countries have adopted this technology more than others. For example, in China, QR codes are now the de facto way of life thanks to apps like WeChat. In the UK, during the pandemic, people generally viewed and used QR codes when entering outdoor venues or recording coronavirus information for the NHS. In the United States, during the presidential elections, leaflets containing QR codes were distributed to the public to help people verify if they were registered to vote. Once one of these QR codes is scanned, users are notified and prompted to go to an external web page to enter some level of credentials or even personal information. Although there are many use cases, there are many security risks associated with QR code technology that hackers can take advantage of when implementing cyberattacks and online scams. About the Author Hank Schless is Senior Director of Security Solutions at Lookout
QR codes and cyber attacks
From an attacker's perspective, QR codes present the perfect opportunity to target the masses without much effort. It shares many similarities with a phishing scam, which is the most popular attack vector for modern hackers. As mentioned, a QR code is a contactless method for a mobile device to read a URL. When it comes to creating a malicious QR code, hackers just need to double the steps they take when crafting a phishing program. Phishing is the most common tactic used with QR codes and can be easily implemented; There are even QR code phishing kits that are readily available, inexpensive, and highly customizable. This means that hackers can emulate the world's most popular brands to extract sensitive information from their customers. Based on the actual use cases above, a threat actor could easily create a similar QR code to extract information, including personally identifiable information. These 'call to action' security issues, where the unsuspecting user must provide an answer or interact (ie scan the code) to initiate the scam, are common around the world. For example, if a consumer was hoping to log in and activate a service, cybercriminals could place a QR code on that site and redirect that user to a new website with security issues or even request to download a malicious app. Also, emails or SMS messages may contain malicious QR codes that will appear to have a negative impact on the device. Hackers have been known to send fake tracking messages with QR codes when they imitate real delivery services. In the cryptocurrency space, QR codes are used to help mobile devices locate virtual wallet addresses to transfer bitcoins or other cryptocurrencies. However, criminals were quick to notice a simple loophole that can prove extremely costly for the victim. Because almost anyone can create a QR code, you may need to send money to a hacker's wallet instead of your intended one; and due to the difficulty of distinguishing one QR code from another, the victim is no wiser. In fact, a network of Bitcoin QR code generators has stolen thousands of victims over the past year. Inserting malicious content into a QR code can be accomplished with little effort, and with the widespread use of this technology, hackers have many opportunities to tailor their own codes to existing codes without being detected.
QR codes and workplace
Due to the current global situation, many people are working remotely and turning their personal devices into work devices to stay productive outside of the office environment. However, this poses a significant problem for the overall security of the company's infrastructure and the sensitive content that resides within these four walls. An employee could inadvertently scan a malicious QR code, log in with her credentials, and allow a hacker to harvest login information or install software that can spy on or steal sensitive assets. Due to the popularity of QR codes around the world and across all industries, businesses using this technology need to be on high alert for potential scams. As mentioned above, QR code campaigns mirror those of phishing schemes and should be viewed the same way. When using a mobile device, most users are not careful and there is the added difficulty of not being able to detect telltale signs of a phishing threat due to the small nature of the device.
How to prevent cyberattacks with QR codes
First, increased user awareness could drastically reduce the number of malicious QR code attacks. When scanning a code via a mobile device, users must verify the URL link in the notification before continuing to click. If it looks suspicious and doesn't look as expected, users can use the same level of caution as with email phishing and exit the app. But, since attackers can create virtually any URL to fit a QR code and vice versa, spotting the fake from the real thing can be extremely difficult, and can ensnare even the most skilled professionals. Therefore, the implementation of Mobile Threat Defense must be applied on all endpoints to prevent users from interacting with malicious websites, applications or networks. Businesses wouldn't run a desktop or laptop without proper security; therefore, mobile devices should receive the same level of attention, especially as people continue to operate outside of the traditional security perimeter. As we continue to work remotely, mobile devices have also become the tools we use to stay productive, and because of their personal aspect, they are a prime target for mobile scams. Threats from QR codes will continue to be a constant problem as mobile device adoption increases and people converge their work and personal devices.