Are QR Codes Safe
Rapid digitisation has paved our lives to a greater extent- primarily for good but occasionally harmful if you take its nitty gritty for granted. Take the example of QR codes, which have become an essential part of our daily contactless transactions, especially after the COVID-19 pandemic. Businesses of various forms and governments have encouraged buyers to embrace paying through QR codes to make everyday transactions effortless.
QR codes can be malicious too
The ease of transactions through mere scanning truly makes QR codes great. But like other popular technologies, bad actors have devised several measures to lure innocent individuals and enterprise employees for their benefit.
We will unfold the possible dangers of QR code scanning and measures to eliminate it. But both of these would be easy to understand if you have an overview of how QR code technology works. So let’s start with the key fundamentals of QR code technology.
Read More: Everything You Should Know About Phishing
Demystifying the fuss around QR codes
QR code is an advanced level of code scanning technology compared to barcodes. In a series of black pixels in a square-shaped grid, QR codes can hold numeric, alphanumeric, binary, and kanji, the logographic “Han” characters widely popular in China and Japan.
A QR code can archive 7,089 numeric, 4,296 alphanumeric characters, and 2,953 bytes in the ISO-8859 character set. The prime reason for adding Kanji data storage to QR codes is that it was primarily invented by Japanese manufacturer Denso Wave. And since its inception, QR codes have helped various supply chain businesses worldwide.
The core advantage of a QR code over a barcode is that it can be scanned even after 30 per cent of the code gets damaged. In contrast, a barcode turns unreadable if it loses a fraction of the actual code.
How a lousy actor abuses a QR code
The vulnerability of a QR code lies in its core fundamentals. The code simplifies any task, such as archiving an URL, to ensure the user doesn’t have to type it on their device to visit it. What if the website where a QR code is stored is malicious? And that is what a malicious QR code does.
They often encode a malicious URL or payload into the QR code via widely available encoder tools, take a printout of the code on adhesive paper, and stick it over a legitimate one such as an online shopping site, bank, restaurant menu, advertisement, noticeboard, etc. Then, the device will automatically head to the malicious link and boom whenever someone scans the code. And because no QR codes are left unreadable, anyone can fall into the set trap.
Some QR code services, such as online shopping sites or banks, require you to log in with your email and password. Once someone scans such QR, a legitimate-looking malicious site will open and snitch personal information, money, or both.
Some QR code services, such as online shopping sites or banks, require you to log in with your email and password. Once someone scans such a QR, a legitimate-looking malicious site will open and snitch personal information, money, or both.
Malicious QR codes are also commonly used to retrieve the victim’s approximate location to violate their location privacy later.
Sometimes bad actors use QR codes to retrieve personal information such as phone numbers and later use it to get other relevant information such as names, social media profiles, and additional publicly available information.
Even though sticking malicious QR codes over legitimate ones is the most popular vector among the baddies, some prefer sending malicious QR codes through email as a foolproof phishing scam. Since the evil part of the email masquerades in a QR code format instead of links, it often befools many advanced email security tools. Phishing through emails consisting of malicious QR codes is called QRishing.
Noteworthy QR code phishing events
Even though QR code phishing is much more sophisticated and has a higher success rate, bad actors seldom use the technique in extensive campaigns. But the sophistication of this method and the increasing acceptance of QR codes among the masses indicate such activities will become more prevalent.
By the end of 2021, a QRishing scam campaign had been triggered, eyeing users of two Germany-based banks. The threat actor composed phishing emails prompting data privacy changes at the concerned banks and embedded a malicious QR code. When someone scans the QR code, the device browser will automatically head to a clone site of the respected bank and prompt them to log in with a banking user ID and password. Whoever fell victim to the set trap had their bank account emptied.
In the same year, bad actors compromised the Office 365 account of an enterprise employee. They sent emails to other fellow employees, embedding a voice note. The voice note instructed the recipient to scan a malicious QR code heading to a fake Office 365 login page. The victim is duped once they log in with their credentials.
Alongside bulk QRishing campaigns, threat actors also trigger several other techniques for luring individuals, such as instructing them to scan a QR code to receive payment. The method of scanning QR codes for payment, which is the exact opposite of the actual process, has become so widespread that Indian banks such as the State Bank of India have alerted the public via a mass social media campaign. We covered the topic recently in a blog. You can read it here.
Tips to stay safe
With the rising adoption of online transactions, QR phishing and related scams are rising at an astounding rate. And we expect bad actors to develop more innovative and sophisticated tricks to abuse QR codes. Of course, adopting an advanced cybersecurity suite like K7 Mobile Security would thwart most of the incoming attacks. Still, silly human errors could make them fall prey to such prevalent attacks. Therefore, we recommend measures to embrace and deflect such potential security threats to be safe.
- Check the authenticity of the QR code before scanning. Scammers frequently use popular events or trends to set traps and make money. Always carefully examine any QR code before scanning it to ensure there is no sticker over the top of the authentic side. Stay away from scanning any random QR code unless you need it.
- Always have trusted and sophisticated mobile security software such as K7 mobile security, which can alert you before navigating a malicious site.
- Enabling two-factor authentication can save you from many ongoing scams. A 2FA adds an extra layer of authentication to your account, preventing unauthorised access.
- Employers should initiate awareness programmes to teach how to avoid new attack methods, such as QR code phishing, among other prevalent cyberattack tactics.