Cybersecurity Snapshots #21 - Do You Know Where Your QR Code Is Taking You?

Cybersecurity Snapshots #21 -

Do You Know Where Your QR Code Is Taking You?

For some time, QR codes were mainly used in industrial environments to help keep track of inventory and production. They later gained popularity among advertisers because it was easier for consumers to scan a code than to type a long URL. But people could not tell from a QR code where scanning would lead them, so they got cautious, and QR codes started to disappear. Then the coronavirus came, and now QR codes are being used more than ever by the public. When a user scans a QR code, these shortcuts usually open a website, but they can be programmed to perform any number of mobile actions, including drafting emails, placing calls, opening marketing collateral, opening a location on a map and automatically starting navigation, opening a Facebook, Twitter or LinkedIn profile page, or starting any action from any app (such as opening PayPal with a pre-seeded payment handle). Because QR codes are being used more often again, scammers are starting to target people using QR codes.

The easiest QR code scam for adversaries to pull off is clickjacking. Some people get paid to lure others into clicking on a specific link. Researchers have seen adversaries replace QR codes on famous monuments, where people expect to find background information about the landmark by following the link in the QR code. The original QR code is replaced with a QR code that takes the user to an unintended site, allowing the clickjacking operator to get paid a fee.

Another scam being seen by researchers is a small advance payment scam. For some services, it is accepted as normal to make an advance payment before using that service. For example, to rent a shared bike, you are asked to make a small payment to open the lock on the bike. The QR code to identify the bike and start the payment procedure is printed on the bike. But the legitimate QR codes can be replaced by criminals that are happy to receive these small payments into their own account.

Phishing links can also just as easily be disguised as QR codes. Phishers place QR codes where it makes sense for the user. For example, if someone is expecting to log in to start a payment procedure or to get access to a particular service, the scammers may place a QR code there. Researchers at Proofpoint found phishing emails equipped with fraudulent QR codes. One of the phishing emails instructed the receiver to install the “security app” from their bank to avoid their account being locked down. However, when the QR code was scanned, it took the user to a malicious app outside of the webstore. The user had to allow installs from an unknown source to do this, which should have been a huge red flag, but still, some people fell for it. Researchers have also seen redirect payment scams in the wild. One was used by a website that facilitated Bitcoin payments. While the user entered a Bitcoin address as the receiver, the website generated a QR code for a different Bitcoin address to receive the payment.

According to a new survey of 2100 consumers across the U.S. and the U.K., researchers at MobileIron found that 71% of survey respondents said they could not distinguish between a legitimate and malicious QR code. More than half (51%) of respondents in the survey said they don’t have (or don’t know if they have) security software installed on their mobile devices. While 67% of participants in the survey are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate. Only 19% of respondents believe scanning a QR code can draft an email, 20% believe scanning a QR code can start a phone call, and 24% believe scanning a QR code can initiate a text message. More than a quarter (35%) of the participants said they don’t know whether hackers can even target victims using a QR code. The researchers stated that QR codes are an area of security that deserves more focus because more than half (53%) of the participants said they would like to see QR codes used more broadly in the future. Almost half (40%) of participants stated they would even be open to voting for president using QR codes.

Since more and more users are using QR codes, it is important for users to be more vigilant. Researchers suggest that users of QR codes should not trust emails from unknown senders and should never scan a QR code embedded in an email. The researchers also suggest that users should check to see whether a different QR code sticker was pasted over the original and if so, should not scan it. The researchers also suggest that users use a QR scanner that checks or displays the URL before it follows the link, and they further suggest that users use a scam blocker or web filter on their device to protect them against known scams.