
Encountering a QR code is unavoidable in our daily lives. Whether shopping, dining out, or watching TV, we frequently come across these perplexing collections of black-and-white checkerboards that can pose a significant threat if not handled properly.
QR codes have quickly established a reputation as a fast, convenient way to obtain information or complete tasks on our smartphones, while being sanitary and allowing businesses to print fewer paper menus or flyers.
Before pulling out your phone and snapping a photo, be aware that these seemingly innocuous QR codes can also be used for purposes you aren’t anticipating. Cyber criminals and unscrupulous marketers can use them to steal your money, identity, or other data. The term in the cyber security industry for attacks that leverage QR codes as a means of delivery is “quishing.” Although this may sound cute, these intrusions have quite dangerous intentions.
QR Code 411
QR stands for “quick response” and is an advanced type of barcode that uses a square pattern of smaller black-and-white squares representing numbers, letters, or symbols that can be scanned into a computer system.
Although a recent addition to marketing, QR codes date back to the 1990s. They were invented by Denso Wave, a subsidiary of Toyota Motor Corporation, for inventory control of parts during the assembly process.
The larger black and white squares in just three corners of a QR code allow a scanning device to determine the code’s orientation, regardless of its direction.
QR Code Dangers
Much of the danger stems from the fact that these codes can contain large amounts of potentially harmful data that are not visible to the human eye.
Any halfway-competent hacker knows that the most effective attacks use social engineering. Or, more bluntly, cyber criminals prey on our assumptions or habits. We’ve gotten used to scanning QR codes to make transactions and quickly get information. Still, this convenience can come at a cost.
It’s easy and cheap (free) to generate QR codes, and cyber criminals know they can use them to do any of the following:
- Spoof a web page – After scanning the QR code, your browser opens a fake web page that appears to belong to a legitimate business, such as a bank or e-commerce site, prompting you to provide login credentials or payment data. It is also possible that this site contains malware.
- Install a dangerous app – You will be directed to an app in the Apple App Store or Google Play Store, where you can download it to your mobile device. These apps may contain malware that installs additional programs or collects and shares sensitive information from your mobile device, such as your name, phone number, email address, credit card numbers, and login information.
- Automatically download content – This can include photos, PDFs, documents, or even malware, ransomware, and spyware.
- Connect to a rogue wireless network – QR codes may contain a Wi-Fi network name (SSID), encryption type (or none), and password. From there, a hacker can monitor and capture information transmitted over the network in what’s referred to as a “man-in-the-middle attack.”
- Make a phone call – An official-looking notification will prompt you to call the number encoded in the QR code. Claiming to be a legitimate business, the people on the other end will then request personal or financial information and/or add you to a list to be spammed later.
- Compose an email or text – An email or text message is prepopulated with the message and recipient that the QR creator has programmed. Once sent, your email address or phone number can be added to a spam list or targeted for phishing attacks.
- Trigger a digital payment – QR codes can be used to process payments via PayPal, Venmo, or other methods. This one may seem easy to spot, but what if the QR code was placed on a parking meter with a message to scan to submit payment for the time your automobile occupies the spot?
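The payload types above are all visible in the text a QR reader decodes, so a user or help desk can check what a scan would do before the phone acts on it. The following Python script is an added example, not code from the original article: it classifies a decoded payload string into the categories listed above (the sample payloads are constructed, the Wi-Fi format is the common `WIFI:T:...;S:...;P:...;;` form, and the app-store host list is an assumption).

```python
import sys
from urllib.parse import urlsplit

# Hosts of the official app stores; a link here is an app-install lure, not a web page.
STORE_HOSTS = {"play.google.com", "apps.apple.com", "itunes.apple.com"}

# Constructed sample payloads, one per payload type the article describes.
SAMPLES = [
    "https://www.example.com/menu",
    "http://examp1e-bank.com/login?acct=1",
    "https://play.google.com/store/apps/details?id=com.example.app",
    "WIFI:T:WPA;S:FreeCafeWifi;P:letmein;;",
    "tel:+15555550123",
    "SMSTO:+15555550123:Win a prize!",
    "mailto:claims@example.net?subject=Account",
]

def classify_qr_payload(text):
    """Return (category, detail) saying what the phone would do if it acted on the payload."""
    scheme, _, rest = text.partition(":")
    scheme = scheme.lower()
    if scheme == "wifi":
        # "WIFI:T:<auth>;S:<ssid>;P:<password>;;"; escaped ';' inside an SSID is not handled.
        fields = dict(f.split(":", 1) for f in rest.split(";") if ":" in f)
        return "wifi", f"joins network '{fields.get('S', '?')}' ({fields.get('T', 'open')})"
    if scheme == "tel":
        return "call", f"dials {rest}"
    if scheme in ("sms", "smsto"):
        number, _, body = rest.partition(":")
        return "message", f"texts {number}" + (f" with '{body}'" if body else "")
    if scheme == "mailto":
        return "message", f"emails {rest.split('?', 1)[0]}"
    if scheme in ("http", "https"):
        host = (urlsplit(text).hostname or "").lower()
        if host in STORE_HOSTS:
            return "app-install", f"opens app listing on {host}"
        if scheme == "http":
            return "url-insecure", f"opens {host} without TLS"
        return "url", f"opens {host}"
    return "unknown", "unrecognised payload; do not act on it"

def review(payloads):
    """Classify each decoded payload; compare 'detail' with what the sign or sticker promised."""
    return [(p, *classify_qr_payload(p)) for p in payloads]

if __name__ == "__main__":
    for payload, category, detail in review(sys.argv[1:] or SAMPLES):
        print(f"{category:12} {detail:45} <- {payload}")
```

Run it with the decoded string as an argument (or with no arguments to see the constructed samples); a hostname that does not match the business named on the sticker, or any `wifi`, `call` or `message` result, is the cue to stop.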
This poses a risk to legitimate business use. Once your QR code is in the wild, there is nothing to stop criminals from placing a sticker over your code with the one they created. Who do you think your customers will blame, the faceless cyber criminal or you?
FBI: Cybercriminals Tampering with QR Codes to Steal Victim Funds
Five ways to defend against a quishing attack:
- If you receive an email or text containing a QR code from a reputable source, verify its legitimacy by responding via another channel, such as messaging on another platform or making a phone call.
- Determine whether there is an alternative way to obtain the information you seek, such as navigating to the business’s public website or requesting a paper menu.
- Never enter login credentials or any sensitive personal or financial information, such as credit card numbers or social security numbers, on a webpage obtained by scanning a QR code.
- Don’t jailbreak your device. This will bypass the restrictions and security measures intentionally placed on your device by the manufacturer, exposing it to malware and other risks.
- Ensure you have a mobile threat defense solution installed on your tablets and smartphones to block phishing attempts, malicious websites, and risky network connections.
At Commonwealth Sentinel, we can help keep you and your organization safe from malicious QR codes through technological, training, and policy solutions. Contact us today at 502-320-9885 for more information.
At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things.
