What may be lurking behind that QR code

As we go about our daily lives, whether that be shopping with the family, enjoying dinner at a restaurant, finding our gate at the airport, or even watching TV, we find ourselves more and more often encountering the QR code. These black-and-white checkerboards of sorts have gained a reputation for being a fast and convenient way of obtaining information via our smartphones while at the same time contributing to environmental conservation, as they allow businesses such as retailers and restaurants to print fewer paper menus or flyers.

But before you whip out that phone and activate your camera, you should be aware that these seemingly innocuous QR codes can also be used for purposes you aren’t anticipating. Adversaries can also abuse them to steal your money, identity, or other data.  In fact, the term in the cybersecurity industry for attacks that leverage QR codes as a means of delivery is “quishing.” Although this may sound cute, the intentions behind these intrusions are, in reality, quite sinister.

A brief history of the QR code

While it may seem like we have only been interacting with QR codes over the past several years, they were in fact invented almost 30 years ago in 1994 by a Japanese company called Denso Wave, a subsidiary of Toyota Motor Corporation, for the purposes of tracking automotive parts in the assembly process. QR stands for “quick response” and is a sophisticated type of bar code that utilizes a square pattern containing even smaller black and white squares that represent numbers, letters, or even non-Latin scripts which can be scanned into a computer system. Have you ever noticed that there are larger black and white squares in just three of the corners of a QR code? Their purpose is to allow a scanning device to determine the code’s orientation, regardless of how it may be turned.

The use of QR codes has expanded considerably since 1994. They have become a favored means for businesses to circulate marketing collateral or route prospects to web forms, and other even more creative uses have also been cultivated. Instead of printing resource-consuming user manuals, manufacturers may direct their consumers to web-hosted versions that can be reached by scanning codes printed on the packaging materials. Event venues print QR codes on tickets that can be scanned upon entry to verify validity, and museums post signs next to exhibits with QR codes for visitors to obtain more information. During the COVID-19 pandemic, the use of QR codes accelerated as organizations sought to create contactless methods of doing business.

The dangers that lie beneath

QR codes don’t appear to be going away anytime soon. The speed, and versatility they offer is hard to deny. However, any hacker worth their salt understands that the most effective attacks leverage social engineering to prey upon human assumptions or habits. We’ve become accustomed to scanning QR codes to quickly transact or to satisfy our sense of curiosity, but this convenience can come at a cost. There are several websites that make it incredibly simple and low cost (or free) for cybercriminals to generate QR codes, which they can use to do any of the following:

• Open a spoofed web page – Upon scanning the QR code, your browser will open a fake web page that appears to be a legitimate business, such as a bank or e-commerce site, where you are requested to provide login credentials or payment data, also known as a phishing attack. It is also possible that this site contains links to malware.
• Recommend an unscrupulous app – You will be directed to a particular app on the Apple App or Google Play Store and given the option to download the app to your mobile device. These apps can contain malware that installs additional programs or they may collect and share sensitive information from your mobile device with its developers and other third parties. This information could be your name, phone number, email address, photos, location, purchasing information, and browsing history,
• Automatically download content onto your devices – This may include photos, PDFs, documents, or even malware, ransomware, and spyware.
• Connect to a rogue wireless network – QR codes may contain a Wi-Fi network name (SSID), encryption (or none), and password. Once scanned, you will receive a notification banner with a link to connect to the network. From there, a hacker can monitor and capture information transmitted over the network in what’s referred to as a “man-in-the-middle attack.”
• Make a phone call – A notification will appear, confirming that you’d like to call the number programmed into the QR code. Someone will answer, claiming to be a legitimate business but then requesting personal or financial information and/or adding you to a list to be spammed later.
• Compose an email or text message – An email or text message is prepopulated with the message and recipient that the QR creator has programmed. You will then receive a notification banner confirming that you would like to send it. Once you do so, your email address or phone number may be added to a spam list or targeted for phishing attacks.
• Trigger a digital payment – QR codes may be used to process payments through PayPal, Venmo, or other means. This one may seem like an easy one to spot, but what if the QR code was placed on a parking meter with a message to scan it to submit payment for the time your automobile will be occupying the spot?

Five ways to defend against malicious QR codes

Spotting a malicious QR code may be difficult because the displayed URLs are often shortened or hosted on cloud platforms, such as Amazon Web Services (AWS). Fortunately, there are things you can do to reduce your chance of falling victim to a quishing attack:

1. Ask yourself “How certain am I of the creator of this QR code?” One that is printed on food packaging or posted on a permanently mounted sign at a train station may have a lower risk of being malicious than one that is printed on a sticker at your local brewery or on a flyer handed to you by someone you don’t know. If you receive an email or text containing a QR code from a reputable source, verify that it is legitimate by responding through a different means like sending a message through another platform or making a phone call.
2. Determine if there is an alternate way of obtaining the information you seek, such as navigating to the business’ public website or requesting a paper menu.
3. Never enter login credentials or any sensitive personal or financial information, such as credit card numbers or social security numbers, on a webpage obtained by scanning a QR code.
4. Don’t jailbreak your device. This will bypass the restrictions and security intentionally placed on your device by the manufacturer and expose it to malware and other risks.
5. Ensure that you have a mobile threat defense solution installed on your tablets and smartphones to block phishing attempts, malicious websites and risky network connections.

This topic was covered in a SecurityInfoWatch piece today.