Australian Cyber Security Magazine, ISSUE 13, 2022

Page 18

QR codes abused for Qshing attacks

As the popularity and trust of QR codes increase, so do the risks

By Rebecca Taylor, Incident Command Knowledge Manager at Secureworks

Almost two decades after they were developed, the pandemic saved the Quick Response (QR) code from extinction. They have consequently expanded far beyond their original scope and while many uses are legitimate, threat actors are now leveraging the technology for malicious purposes.

Invented in 1994, QR codes originally provided quick tracking information for car parts. This technology was adopted by other businesses and upgraded to facilitate access to websites and other information. In 2022, QR codes are used for tasks such as facilitating payments, downloading applications, distributing documents, and confirming event tickets. They even support security mechanisms, including the deployment of multi-factor authentication.

The COVID-19 pandemic prompted widespread use of QR codes to report test results and confirm vaccination status. The technology’s popularity was confirmed by the unprecedented scanning of Coinbase’s advertisement during the 2022 Super Bowl. This evolution has persuaded users that QR code mechanisms can be trusted. However, threat actors are exploiting this trust to collect sensitive information or to deploy malware.

How are QR codes exploited?

QR codes leverage mobile device cameras or scanners to read a matrix barcode. The device then translates the barcode into an action, such as a redirection to a social media site. While QR codes cannot be directly compromised, it is possible to substitute a QR code with another, abuse them to distribute malicious software, or redirect victims to a malicious website.


Attacks that exploit QR codes are known as ‘Qshing’ (QR code phishing). In January 2022, the U.S. Federal Bureau of Investigation (FBI) warned QR code users about tampering and cited increased reports of stolen credentials and monetary loss. In March 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a Qshing campaign that leverages a fake password reset page to steal credentials.

Do not fall victim to Qshing

While there is no conclusive way to verify the legitimacy of a QR code other than opening it or using a QR code scanner app, we recommend that you consider the following steps when engaging with a QR code:

1. Utilise a security app on your mobile device. Many reputable vendors offer apps that provide antivirus detection and other security protections for mobile devices. Some of these apps include QR scanners. Scanning a QR code via the security app could intercept malicious QR codes or suspicious traits, adding another layer of protection.

2. Evaluate the QR code’s credibility. Does the QR code’s context and messaging seem appropriate for the setting? For example, a restaurant offering its menu via QR code is reasonable. However, users should be wary if scanning a QR code leads to prompts for information that doesn’t seem relevant (e.g., a game that requires personally identifiable information (PII), a request for credentials to access a bus schedule). If the QR code seems suspicious, you can try to verify its credibility by contacting the organisation or individual who issued it. In addition, it is important to evaluate the potential risks associated with sharing requested information.

3. Use the direct route. QR codes are often used to provide direct access to a website or application download. It is safer to visit a website via a confirmed URL in a web browser and to download applications from the official app store. Similarly, we strongly recommend directly interacting with a bank or service provider (e.g., vendors such as utility companies, trusted financial apps such as PayPal or Venmo) rather than making payments or financial transactions through a site navigated to by a QR code.

4. Protect QR codes that provide access to PII. QR codes that link to sensitive data such as health information are tied specifically to an individual. Users should never share these QR codes with someone they do not trust. Additionally, it is not advisable to take a screenshot and publicly share these QR codes with others on social media platforms, as someone could be impersonated and could access private information.

5. Verify the QR code destination. The QR code itself may not be malicious, but it could redirect the user to malicious content. It is best to evaluate the authenticity and security of the content by considering factors such as URL validity, encryption status and page formatting. If something does not feel right, step away.

6. Minimise impact. If a user scans a QR code and navigates to a website or application that appears malicious or untrustworthy, then it is advisable to close the page or application, clear the cookies and site cache from the web browser, and delete the page or application from your browser history. If a user provided credentials or financial information, they should escalate the incident with the appropriate organisation and change their password.

Mobile devices are typically harder to exploit without user interaction, but the expanded use of QR codes may lower users’ defences. Assessing the legitimacy of a QR code could avoid an expensive, stressful, time-consuming, or damaging mistake. Vigilance is key.
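The destination checks from step 5 (URL validity, encryption status) can be applied to the text a scanner decodes from a QR code before anything is opened. The following is an added example, not part of the original article; the function name, finding labels, shortener list and sample domains are constructed for illustration, and the payload is assumed to be already decoded.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short illustrative list of URL shorteners, not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def assess_qr_payload(payload, expected_domain):
    """Return findings for a decoded QR payload; an empty list means no flags."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return ["unparseable"]
    scheme = parts.scheme.lower()
    # A QR code can trigger actions other than opening a web page (SMS, Wi-Fi join, ...).
    if scheme not in ("http", "https"):
        return ["non-web-action:" + (scheme or "none")]
    findings = []
    if scheme == "http":
        findings.append("no-tls")                      # encryption status
    if has_userinfo:
        findings.append("userinfo-in-url")             # text before '@' is not the host
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass                                           # host is a name, not an IP address
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn-host")                    # possible lookalike characters
    if host in SHORTENERS:
        findings.append("shortener-hides-destination")
    # URL validity: the host must be the expected domain or one of its subdomains.
    if host != expected_domain and not host.endswith("." + expected_domain):
        findings.append("host-mismatch")
    return findings

if __name__ == "__main__":
    # Constructed sample payloads; example-cafe.test is a placeholder domain.
    for sample in ("https://menu.example-cafe.test/table/4",
                   "http://example-cafe.test.login-check.example/reset",
                   "https://example-cafe.test@203.0.113.7/pay",
                   "sms:+15550100?body=hi"):
        print(sample, "->", assess_qr_payload(sample, "example-cafe.test"))
```

An empty result only means none of these checks fired; page content and context (steps 2 and 5) still need a human judgement.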

