A Quick Response (QR) Code is a type of barcode that contains a pattern of dots and lines. It can be scanned using a QR scanner or on a smartphone camera. Once scanned, the device converts the dots and lines within the code into numbers or a string of characters. For example, scanning a QR code with your phone might open a URL in your phone’s web browser. All QR codes have a square shape and include three square outlines in the bottom-left, top-left, and top-right corners. These square outlines define the orientation of the code.
QR codes have become very popular due to the COVID-19 pandemic. Many restaurants and bars now use QR Codes for their menus to reduce both virus transmission and the labor required to clean traditional physical menus. Other uses of QR Codes are in education for student assignments, luggage tags, the emergency contact information on the back of a medical alert bracelet, pet ID tags, and even gravestone family histories. With all these amazing benefits, have hackers found ways to co-opt this technology for malicious use?
What does this mean for an SMB?
Of course, hackers have turned QR Codes into magical hacking tools! Hackers embed malicious URLs containing malware into a QR code which, when scanned, attempts to exfiltrate your data from your compromised mobile device. Other hackers embed a malicious URL in a QR code which directs you to a phishing site, where unaware users disclose personal or financial information.
Because humans cannot read QR codes, it’s easy for attackers to alter a QR code to point to an alternative resource without being detected. While many people are aware that QR codes can open a URL, they can be less aware of the other actions that QR codes can initiate on a user’s device.
A typical attack involves placing malicious QR codes in public, sometimes covering up legitimate QR codes. Unsuspecting users who scan the code are taken to a malicious web page which could host an exploit kit, leading to device compromise or a spoofed login page to steal user credentials. QR Codes were used for mobile payments on a ride-sharing provider until hackers substituted their payment system with a fake QR Code and simply stuck it on top of the vendor’s original payment QR Code. Don’t use QR Codes for critical transactions such as receiving payments.
Once you know about these QR Code attacks you can use them carefully when dining, to check on a medical alert bracelet in an emergency, or even to find the owner of a lost pet. Follow CyberHoot’s recommendations below to reduce the likelihood of falling victim to a QR code scam.
- If you receive an email from a bank, business, or anyone that asks you to scan a QR code, review a document, or apply for a credit card, double-check to ensure the domain name is perfectly correct watching for look-alike letters, missing letters, or combination letters (ie: r+n = m as in rn).
- If you receive an email from a business or person you don’t recognize, simply do not scan the QR code, as it is likely a scam.
- If you must check out a QR Code offer, manually type in the domain name and visit the business’s website manually to reach the QR code offer.
- If a vendor uses QR Codes for payments, kindly decline. There are enough alternative payment methods available for receiving payments that CyberHoot does not recommend using QR codes in this way. Ask for an alternative.
To learn a little more about QR Code Security, watch this short 3-minute video:
QR Codes Need a Cybersecurity Revamp