QR codes are a common sight on everything from restaurant menus to billboards, but these seemingly benign codes can pose a serious threat to enterprise mobile device security.
Over the past few years, scanning a quick response code (QR code) has become a popular way to access paperless menus, carry out contactless transactions and more. Because of their convenience and growing ubiquity, however, QR codes are also a popular target for hackers seeking new ways to spread malware and steal information. Organizations should learn the different threats that may appear under the guise of a convenient QR code — and how to avoid them.
What are QR codes?
People sometimes describe QR codes as 3D barcodes. They consist of a series of squares arranged into a much larger square, and function similarly to a barcode. While a barcode can normally only represent short alphanumeric strings, a QR code is able to store larger amounts of data.
QR codes are often used for advertising because they can store long strings of data, which makes them perfect for storing URLs. This capability has proven especially useful now that smartphones, which can act as QR code scanners, are so widespread. Practically anyone can scan a QR code and be taken directly to the corresponding website without the hassle of having to manually type out the site’s address. As a result, advertisers prominently display QR codes on billboards, in magazines, on tradeshow booths and just about anywhere else where a QR code is likely to attract attention.
QR codes also help organizations measure the effectiveness of their different advertising campaigns. If a company purchases ad space in a variety of locations, it can use a different QR code for each location, with each QR code pointing to a unique URL. This allows the company to determine which codes people scanned to arrive at the advertised website. By tracking the scans, the company can determine which advertisements elicit the most interest from people.
It isn’t just advertisers that take advantage of this. In fact, QR codes have become a prominent trend in many other sectors in recent years. Since the onset of the COVID-19 pandemic, many restaurants have done away with traditional menus. Instead, such locations may post QR codes on tables or in other conspicuous locations. Patrons can scan these codes to view the menu on their mobile devices.
QR codes may also be making their way into books. There have been a few publishers experimenting with the idea of including QR codes on certain pages. If readers want more information on a topic relevant to a certain page, a QR code can take them to a news article, YouTube video or other resources.
QR code security issues
Although QR codes have numerous useful applications, bad actors can also use them for malicious purposes. In January 2022, the FBI released a warning that cybercriminals may tamper with QR codes to direct victims to malicious websites. Scammers often look to the latest trends for new cybercrime tactics.
There are two main types of QR code exploits that cybercriminals use. The first is a QR code-based phishing attack, which is sometimes called quishing. This attack uses a QR code to lure a victim to a phishing page that hackers have designed to steal the victim’s credentials, personal data or other sensitive information.
The other main type of QR code attack is sometimes called QRLjacking. In this type of attack, hackers use a QR code to spread malware to the victim’s device. The attacker tricks the user into scanning a QR code that directs the user’s device to a malicious URL, which infects the device with malware.
Besides these two basic types of attacks, QR codes can launch other types of actions at the device level. For example, a hacker might use a QR code to automatically place a phone call or send a text message from the device that scanned the code. Under the right circumstances, hackers can even use QR codes to initiate a payment from the user’s device or force the device to join a certain Wi-Fi network.
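As an added illustration (not part of the original article), the following Python code shows how a scanner app or mobile security tool could classify a decoded QR payload and describe the call, text message, payment, Wi-Fi join or URL it would trigger before the device acts on it. The prefix table, function names and sample payloads are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Lower-cased payload prefixes mapped to the device action a scanner would take.
# These are widely used QR payload conventions; the set is an assumption, not exhaustive.
ACTION_PREFIXES = {
    "tel:": "phone_call",
    "sms:": "text_message",
    "smsto:": "text_message",
    "wifi:": "wifi_join",
    "bitcoin:": "payment",
    "upi:": "payment",
}

def parse_wifi(payload):
    """Split WIFI:T:<auth>;S:<ssid>;P:<password>;; into fields, honouring backslash escapes."""
    fields, current, escaped = [], "", False
    for ch in payload[len("WIFI:"):]:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            fields.append(current)
            current = ""
        else:
            current += ch
    return dict(f.split(":", 1) for f in fields if ":" in f)

def classify(payload):
    """Return (action, detail) describing what acting on a decoded QR payload would do."""
    text = payload.strip()
    for prefix, action in ACTION_PREFIXES.items():
        if text.lower().startswith(prefix):
            if action == "wifi_join":
                return action, parse_wifi(text).get("S", "")
            return action, text[len(prefix):]
    try:
        parts = urlsplit(text)
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            return "open_url", parts.hostname  # host the device would contact
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        pass
    return "unknown", text[:40]

def confirmation_prompt(payload):
    """Text a scanner could show before acting; nothing is executed here."""
    action, detail = classify(payload)
    return f"This code will: {action} -> {detail!r}. Continue?"

# Constructed sample payloads (not taken from any real incident).
SAMPLES = ["https://menu.example.com/table/12", "tel:+15550100",
           "SMSTO:+15550100:hello", r"WIFI:T:WPA;S:Guest\;Net;P:constructed;;"]
```

Anything classified as other than `open_url` is a device-level action rather than a web page, which is the case a mobile policy would most want to surface to the user.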
Why QR code exploits work
In the past, if cybercriminals wanted to launch a phishing scam or lure potential victims to a malicious website, they would typically resort to using email. The problem with this approach, at least from the criminal’s point of view, is that there are telltale signs that an email is not legitimate, such as misspellings or links to sketchy URLs. Oftentimes a phishing message will ask a victim to take actions that seem completely illogical. Some more audacious examples include demands to pay a delinquent tax debt using Apple gift cards, or messages stating that the recipient has won a nonexistent lottery and must click a link to claim their winnings.
Even when a phishing message is more convincing, there are always indicators that the message is illegitimate. Anyone who knows what to look for and who takes the time to scrutinize such a message will have no trouble determining that the message is fake.
This is not the case for QR codes. People can read a phishing email to vet it for suspicious elements, but QR codes present no such opportunity. When a person scans a QR code, they have no way of knowing ahead of time whether the code is legitimate. That’s what makes QR code-based attacks so devastating. The basic elements of the attack are no different than an attack that hackers spread via email. Because the victim cannot assess the validity of a QR code, however, a QR code-based attack is more likely to succeed than an email-based attack.
Another problem with QR codes is that hackers can easily replace a legitimate QR code with a malicious one. For example, if a restaurant provides QR codes that link to its menus, an attacker could simply create stickers containing malicious QR codes and then place those stickers on top of the legitimate QR codes. There have also been incidents in which hackers have replaced a legitimate QR code in an email message with a malicious one. There are even incidents in which random QR codes are placed in public places on the off chance that someone will become curious enough to scan the code.
How organizations can protect against the dangers of QR codes
There are three things that organizations must do to protect users against QR code-based attacks. Consider the following steps to avoid the potential consequences of a fraudulent QR code:
- Make sure that users are running security software on any mobile device that has access to corporate resources. The software should be able to protect against device takeover attacks, phishing attacks and other mobile device exploits.
- Educate users on the cybersecurity dangers associated with scanning QR codes. Otherwise, users may not realize that QR codes can be problematic.
- Implement multifactor authentication (MFA) requirements across the organization as an interim measure, and then gradually work on adopting an authentication solution that does not rely on passwords. Many QR code-based attacks are designed to trick users into entering their passwords so that cybercriminals can steal their credentials. Working towards the elimination of passwords can help to thwart these types of attacks.