Encountering a QR code is unavoidable in our daily lives. Whether shopping, dining out, or watching TV, we frequently come across these perplexing collections of black-and-white checkerboards that can pose a significant threat if not handled properly.
QR codes have quickly established a reputation for being a fast and convenient way of obtaining information or completing tasks via our smartphones while being sanitary and allowing businesses to print fewer paper menus or flyers.
Before pulling out your phone and snapping a photo, be aware that these seemingly innocuous QR codes can also be used for purposes you aren’t anticipating. Cyber criminals and unscrupulous marketers can use them to steal your money, identity, or other data. The term in the cyber security industry for attacks that leverage QR codes as a means of delivery is “quishing.” Although the name may sound cute, the intent behind these attacks is anything but harmless.
QR Code 411
QR stands for “quick response” and is an advanced type of bar code that utilizes a square pattern containing even smaller black and white squares representing numbers, letters, or scripts that can be scanned into a computer system.
Although a relatively recent addition to marketing, QR codes date back to the 1990s. They were invented by Denso Wave, a subsidiary of Toyota Motor Corporation, for inventory control of parts during the assembly process.
The larger black and white squares in just three corners of a QR code allow a scanning device to determine the code’s orientation, regardless of the angle at which it is scanned.
QR Code Dangers
Much of the danger stems from the fact that these codes can contain a large amount of potentially harmful data that is not visible to the human eye.
Any halfway-competent hacker knows that the most effective attacks use social engineering. Or, more bluntly, cyber criminals prey upon our assumptions or habits. We’ve gotten used to scanning QR codes to make a transaction or get information quickly. Still, this convenience can come at a cost.
It’s easy and cheap (free) to generate QR codes, and cyber criminals know they can use them to do any of the following:
- Spoof a web page – After scanning the QR code, your browser will open a fake web page that appears to belong to a legitimate business, such as a bank or e-commerce site, where you are requested to provide login credentials or payment data. It is also possible that this site contains malware.
- Install a dangerous app – You will be directed to an app on the Apple App Store or Google Play Store and allowed to download the app to your mobile device. These apps can contain malware that installs additional programs or may collect and share sensitive information from your mobile device, such as your name, phone number, email address, credit card numbers, and login information.
- Automatically download content – This can include photos, PDFs, documents, or even malware, ransomware, and spyware.
- Connect to a rogue wireless network – QR codes may contain a Wi-Fi network name (SSID), encryption type (or none), and password. From there, a hacker can monitor and capture information transmitted over the network in what’s referred to as a “man-in-the-middle attack.”
- Make a phone call – An official-looking notification will entice you to call the number programmed into the QR code. Claiming to be a legitimate business, the person answering will then request personal or financial information and/or add you to a list to be spammed later.
- Compose an email or text – An email or text message is prepopulated with the message and recipient that the QR creator has programmed. Once sent, your email address or phone number can be added to a spam list or targeted for phishing attacks.
- Trigger a digital payment – QR codes may be used to process payments through PayPal, Venmo, or other means. This one may seem easy to spot, but what if the QR code was placed on a parking meter with a message to scan to submit payment for when your automobile occupies the spot?
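Each of the actions above corresponds to a distinct kind of text stored in the QR code (an http(s) URL, a `WIFI:` record, `tel:`, `mailto:`, `SMSTO:`). The following added example, which is not from the original article, decodes such payloads using the common ZXing-style conventions and reports what acting on them would do, so a user can see the destination host, network name, or phone number before committing. The sample payloads are constructed for this example; the hostnames and numbers are placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample payloads (placeholder hosts and numbers), not from any real QR code.
SAMPLES = [
    "https://login.example-bank.test/verify?acct=1",
    "WIFI:T:WPA;S:Free Cafe WiFi;P:welcome123;;",
    "tel:+15025550100",
    "mailto:billing@example.test?subject=Account%20verification",
    "SMSTO:+15025550199:YES",
    "just some text",
]

def classify_qr_payload(text: str) -> dict:
    """Describe what acting on a decoded QR payload would do, without doing it.

    Recognises http(s) URLs, WIFI:, tel:, mailto: and SMSTO: payloads.
    Unknown content is returned as-is so the user can read it first.
    """
    t = text.strip()
    low = t.lower()
    if low.startswith(("http://", "https://")):
        u = urlparse(t)
        return {"action": "open_url", "host": u.hostname or "", "https": u.scheme == "https",
                "risk": "spoofed web page asking for credentials or payment data"}
    if low.startswith("wifi:"):
        # Fields are KEY:value pairs separated by ';'; a ';' inside a value is escaped as '\;'.
        fields = dict(re.findall(r"(?:^|;)([A-Z]):((?:\\.|[^;])*)", t[5:]))
        return {"action": "join_wifi", "ssid": fields.get("S", ""),
                "auth": fields.get("T") or "nopass", "has_password": bool(fields.get("P")),
                "risk": "rogue network: traffic can be monitored (man-in-the-middle)"}
    if low.startswith("tel:"):
        return {"action": "call", "number": t[4:],
                "risk": "callee may impersonate a business to collect personal data"}
    if low.startswith("mailto:"):
        addr, _, query = t[7:].partition("?")
        subject = parse_qs(query).get("subject", [""])[0]
        return {"action": "compose_email", "to": unquote(addr), "subject": subject,
                "risk": "sending reveals your address to the sender for spam/phishing"}
    if low.startswith("smsto:"):
        number, _, body = t[6:].partition(":")
        return {"action": "compose_sms", "to": number, "body": body,
                "risk": "sending reveals your number to the sender for spam/phishing"}
    return {"action": "unknown", "text": t, "risk": "no recognised action; read it first"}

def preview(payloads):
    """Return one classification per payload, in order."""
    return [classify_qr_payload(p) for p in payloads]

if __name__ == "__main__":
    for result in preview(SAMPLES):
        print(result)
```

A scanner app that shows this kind of preview instead of acting immediately is exactly the check the defensive advice later in the article relies on.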
This creates danger for legitimate business use. Once your QR code is in the wild, there is nothing to stop criminals from placing a sticker over your code with the one they created. Who do you think your customers will blame, the faceless cyber criminal or you?
Five ways to defend against a quishing attack:
- If you receive an email or text containing a QR code from a reputable source, verify that it is legitimate by responding through a different means, like sending a message through another platform or making a phone call.
- Determine if there is an alternate way of obtaining the information you seek, such as navigating to the business’ public website or requesting a paper menu.
- Never enter login credentials or any sensitive personal or financial information, such as credit card numbers or social security numbers, on a webpage obtained by scanning a QR code.
- Don’t jailbreak your device. This will bypass the restrictions and security intentionally placed on your device by the manufacturer and expose it to malware and other risks.
- Ensure you have a mobile threat defense solution installed on your tablets and smartphones to block phishing attempts, malicious websites, and risky network connections.
At Commonwealth Sentinel, we can help keep you and your organization safe from malicious QR codes through technological, training, and policy solutions. Contact us today at 502-320-9885 for more information.