Security for everyone

QR Code Cyber Attacks: the Growing Risk

02/Jul/22

The use of mobile quick-response (QR) codes in everyday life, for both professional and personal purposes, is continuing to increase—but most individuals are unaware that these handy mobile shortcuts can expose them to clever cyberattacks.

QR codes aren't just cost-effective and simple to use. They're also essential, especially during a pandemic where contactless transactions have become the norm. QR codes' popularity has been revived due to the pandemic, making them a tempting target for cybercriminals.

 

What is a QR code?

QR codes are the square, scannable codes familiar from applications like touchless menus at restaurants. A QR code stores data as a series of pixels in a square grid and is mainly used to track details of a particular product in a supply chain.

QR codes – the "QR" is short for "quick response" – allow users to scan a unique code with their phone's camera to trigger an action automatically.

These mobile shortcuts can be used by malicious applications to perform a variety of mobile activities, including drafting emails, placing calls, opening marketing collateral, opening a location on a map and automatically starting navigation, opening a Facebook, Twitter, or LinkedIn profile page, or starting any action from any app (such as opening PayPal with a pre-seeded payment handle).

Consumer-based QR codes raise many significant security concerns for corporate systems and data. Cybercriminals frequently use QR codes to gain unauthorized access to targeted devices and steal sensitive financial data.

 

Simple to Use yet Easy to Attack

Marketers began to embrace QR codes as a unique platform for interaction, and they eventually lost their enthusiasm for them. When the low-touch economy started to take shape during the pandemic, using this technology became a requirement. QR codes are now used for everything from viewing restaurant menus to accessing the information on pieces of mail and even checking into COVID-19 testing and vaccination appointments.

Furthermore, more workers are using their company-issued devices for personal use, which offers cybercriminals a brand new attack surface.

During the pandemic, the convenience and accessibility of two-dimensional barcodes have enabled more and more firms to use them as part of their business procedures.

According to Juniper Research, over 1.5 billion people have utilized them worldwide, and cybercriminals are already taking advantage of this trend.

The fact is that many of us are curious people who may be tempted to scan a QR code to find out what it's all about. People wonder if it will bring them to a website, a coupon, or a code for a free product. But, unfortunately, most people are unaware that their actions might have significant consequences, such as installing malware on either their business-owned or personal devices.

As QR codes become increasingly popular, cybercriminals will undoubtedly employ them to break into devices and steal corporate information.

Hackers are now using the QR code in a new and sophisticated way, as a vector for cyberattacks. In January 2022, the FBI issued a warning about cybercriminals using deviously manufactured QR codes to steal people's credentials and financial information.

 

The Risks of QR Codes

You'd need some serious hacking expertise to modify the pixelated dots in a code's matrix. Hackers have figured out a far easier method instead. This involves embedding malicious software in QR codes (which can be generated by free tools widely available on the internet). These codes all look the same to an average user, but a malicious QR code can direct a user to a fake website. This type of malware might also capture personal data or install harmful programs on a smartphone that then executes commands like these:

Add a contact listing: Hackers can add a new contact listing on the user's phone and use it to launch a spear phishing or other personalized attack.

Initiate a phone call: This type of exploit can expose the phone number to a bad actor by triggering a call to the scammer.

Text someone: In addition to sending a text message to a malicious recipient, a user's contacts could also receive a malicious text from a scammer.

Write an email: Similar to a malicious text, a hacker can draft an email and populate the recipient and subject lines. Hackers could target the user's work email if the device lacks mobile threat protection.

Make a payment: If the QR code is malicious, it could allow hackers to automatically send a payment to a destination where it cannot be recovered and capture the user's personal financial data. 

Reveal the user's location: Malicious software can silently track the user's geolocation and send this data to an app or website.

Follow social-media accounts: The user's social media accounts can be directed to follow a malicious account, which can then expose the user's personal information and contacts.

Add a preferred Wi-Fi network: A compromised network can be added to the device's preferred network list and include a credential that automatically connects the device to that network.
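
The actions listed above correspond to well-known payload prefixes that a scanner app sees once the code is decoded. The following is an added example, not code from the original article: a small classifier a scanner or mobile-security tool could run on the decoded text to name the action and require user confirmation before anything that changes device state. The prefix table covers common conventions only, and the function name and the sample payloads in the comments are assumptions made for illustration.

```python
# Added example: map a decoded QR payload to the device action it would trigger.
import re

# Prefix -> action. Widely used payload conventions, not an exhaustive list.
ACTIONS = [
    (r"^(begin:vcard|mecard:)", "add contact"),
    (r"^tel:", "phone call"),
    (r"^(sms|smsto|mms):", "text message"),
    (r"^(mailto:|matmsg:)", "draft email"),
    (r"^(bitcoin:|upi://)", "payment"),
    (r"^geo:", "open location"),
    (r"^wifi:", "join Wi-Fi network"),
    (r"^https?://", "open URL"),
]
# Actions that change device state, contact someone, or move money:
# a scanner should never perform these without an explicit prompt.
CONFIRM = {"add contact", "phone call", "text message", "payment",
           "join Wi-Fi network"}

def classify(payload: str) -> dict:
    """Return the action a decoded payload requests and whether to prompt."""
    text = payload.strip()
    for pattern, action in ACTIONS:
        if re.match(pattern, text, re.IGNORECASE):
            break
    else:
        action = "plain text / unknown"
    detail = {}
    if action == "join Wi-Fi network":
        # Format: WIFI:T:<auth>;S:<ssid>;P:<password>;;
        # An embedded password means the phone can join without user input.
        fields = dict(re.findall(r"([TSPH]):((?:\\.|[^;])*);", text[5:]))
        detail = {"ssid": fields.get("S"),
                  "auth": fields.get("T", "nopass"),
                  "has_password": bool(fields.get("P"))}
    return {"action": action, "confirm": action in CONFIRM, **detail}

# Constructed sample payloads:
#   classify("WIFI:T:WPA;S:CafeGuest;P:hunter2;;")
#   classify("tel:+15555550100")
```

Web links are classified as "open URL" without a forced prompt here because they need a different kind of inspection (host, scheme, shortener) before opening.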

 

Types of QR Code Attacks  

1. Quishing: In a Quishing attack, threat actors send a phishing email containing a malicious QR code attachment. Once the user scans the QR code, it will direct the user to a phishing page that captures sensitive data like users' login credentials. Attackers may use a popular website's fake version and prompt users to enter their login details.

2. QRLjacking: Most organizations use Quick Response Code Login (QRL) as an alternative to password-based authentication procedures. A QRL allows users to log in to their accounts by scanning a QR code encrypted with the user's login credentials.

QRLjacking is like a social engineering attack capable of session hijacking, affecting all accounts that rely on the "Login with QR code" feature. In a QRLjacking attack, threat actors trick unwitting users into scanning a specially crafted QRL rather than the legitimate one. Once the victim scans the malicious QRL, the device gets compromised, allowing the attacker to control the device completely.

Attackers use every trick in the book by leaving codes on walls, buildings, and even computer screens that direct users to a malicious site. It could be as simple as placing a sticker on a bus stop advising passengers to scan so they can download an urgent government app update.

Additionally, threat actors leverage "honeypot" techniques such as enticing users to scan a QR code in exchange for free Wi-Fi access. Bad actors also replace QR codes in public places with malicious ones that redirect users to phishing sites. This happens in parking garages and outdoor dining establishments. The malicious QR codes can connect the victim's device to a malicious network to reveal the user's location and initiate fraudulent payments. Most fraudulent QR codes can easily evade traditional security detections that only scan the email/site content rather than suspicious barcodes. This method enables attackers to silently steal data such as stored banking and credit card information.

 

How to Prevent QR Code Attacks  

Avoiding QR code scans may be hard, but taking some proactive measures can help you minimize the dangers associated with QR code technology.

  • Do not scan a randomly found QR code.
  • Do not log in to an application or service via a QR code.
  • Remember, there is no need to scan a QR code to receive money. So, never believe it when someone encourages you to do so.
  • Never initiate a payment if you are prompted to enter any sensitive information after scanning a QR code.
  • Avoid scanning random QR codes from suspicious or unknown sources.
  • Do not scan QR codes received via emails from unknown sources. 
  • Ensure the QR code is original and not pasted over with another one.
  • Use QR scanner software to view the URL before clicking on it.
  • Be suspicious if a password or login information is requested after scanning a QR code.
  • Ask a staff member to verify its legitimacy first. For example, the business might simply have updated what its original QR code was.
  • Check the URL of a bit.ly link that appears after scanning a QR code. These links are often used to disguise malicious URLs, but they can be safely previewed by adding a plus symbol ("+") at the end of the URL.
  • Home users should ensure that they install security updates to their devices as soon as they become available rather than selecting ignore or remind me later (you know who you are).
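
The "view the URL before clicking" and bit.ly preview tips above can be automated. The following is an added example, not code from the original article: it inspects a URL decoded from a QR code offline, flags traits that deserve a second look, and builds the bit.ly "+" preview link the list describes. The function name, the flag names and the shortener list are assumptions made for illustration.

```python
# Added example: offline checks on a URL decoded from a QR code, before opening it.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list of link shorteners; extend it for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def inspect_url(url: str) -> dict:
    """Return the real host, warning flags, and a preview link if available."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username or parts.password:
        # Text before '@' is not the host; it can mimic a trusted name.
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")      # raw IP address instead of a name
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")        # may render as a look-alike name
    preview = None
    if host in SHORTENERS:
        flags.append("shortened")            # final destination is hidden
        if host == "bit.ly":
            # Appending "+" opens bit.ly's preview page instead of redirecting.
            preview = f"https://bit.ly{parts.path}+"
    return {"host": host, "flags": flags, "preview": preview}

# Constructed sample inputs:
#   inspect_url("http://bit.ly/3AbCdEf")
#   inspect_url("https://192.0.2.10/login")
```

An empty flag list only means none of these checks fired; it does not show that the destination is safe.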

 

What Companies Can Do

Business owners and IT administrators face three main obstacles. First, they must check their sites and apps for integrity regularly, ensure that their QR codes haven't been hacked, and constantly present the correct information and connections. Furthermore, every business device should have multi-factor authentication and a strong mobile security solution that automatically blocks phishing attempts, phone takeovers, and unauthorized downloads. Finally, all employers must provide their staff with training and awareness of cybersecurity best practices.

Remove passwords from employee access to company and cloud applications, since passwords are one of the most common causes of data breaches today. Shifting to passwordless multi-factor authentication eliminates the risk of stolen passwords and removes the trouble of keeping track of them.

Employees must have awareness training to spot the symptoms of a phishing or social engineering assault. It's also critical for businesses to employ a comprehensive, layered security approach. This layered strategy should include real-time detection of zero-day and unique phishing threats. In addition, you can reduce the impact of a harmful email that gets past your defenses by adding real-time detection and automated restoration capabilities to promptly identify and eliminate threats.

 


 
