Threats uncovered: QR code exploits offer personal and business risks

QR codes massively increased in popularity when the pandemic arrived, offering a safe, touch-free way to interact with the world around us.

Everywhere from restaurants to the doctor’s office has a QR code to scan now. But, as they quickly integrated into our lives, we forgot to take a moment to ensure a little common sense around their use.

Cyber attackers have quickly caught onto QR codes as a social vulnerability, and attacks using them as the vector are on the rise. Case in point: in January 2022, the FBI issued a warning that cyber attackers were tampering with legitimate QR codes to redirect victims to malicious sites which steal login and financial information. Within weeks of the warning, during the biggest football game of the year, more than 20 million people scanned a single mysterious QR code in an advert for an unnamed company in just 60 seconds.

QR code threats uncovered

It’s clear we intuitively trust QR codes, even though this trust is poorly founded. To get a clearer picture of exactly how QR codes could present a threat, I did some digging. Through research, I discovered a variety of ways QR codes can be used maliciously, not only to steal personal information but also to provide a solid base of information from which to attack an organisation.

It proved easy to turn a QR code into a basic phishing attack, especially when levels of trust in QR codes are so high and people willingly hand their information over. A sign-up sheet at a job fair or a survey might seem like legitimate reasons to part with your personal data, but they can instead send your data straight to an attacker. For malicious actors, that’s the jackpot.

More seriously, a QR code could send a user to a spoofed version of their mobile app store. Through this attack, access to a user’s phone can be gained and, therefore, all of their personal (or company confidential) messages can be accessed, alongside their GPS location, and even their camera. This would offer a serious threat to any business, risking company data and leaving them open to a devastating attack.

A popular attack vector worldwide

QR code attacks are already in play across the world. Fake parking tickets with QR codes for easy payment have popped up in China, while in the Netherlands a legitimate banking app was taken advantage of to attack customers. Anything featuring a normal-seeming route to payment details has proven popular, with the trend continuing in Germany where eBanking customers received spoof emails containing a QR code linking to a malicious site.

As this kind of attack becomes more prevalent, it’s important awareness is raised to help prevent the public from continuing to fall for these malicious scams.

7 steps to QR code vigilance

So, what’s the best way to protect against these attacks?

1. If it feels off, avoid it altogether – any trustworthy QR code should have the URL accompanying it, so you can head to the site directly without needing to scan at all.

2. Take a second to question the circumstances before you scan – do you know who put the QR code there? Can you trust it hasn’t been tampered with? Slow down before you scan.

3. Examine code URLs – check out the URL you’re being sent to before going ahead. Leave it if it seems suspicious, is misspelled, or doesn’t align with the organisation you’re trying to access.

4. Keep a keen eye for physical tampering – an easy way for an attacker to gain your trust is to copy legitimate QR code uses, for example with an easily applied sticker on a restaurant menu.

5. Stick to the beaten path – when it comes to downloading apps, head straight to your official app store. It’s easy for threat actors to create a false app store, leading to you downloading something malicious instead.

6. Avoid payment via QR codes – use the (safely downloaded) native app or search online for the official site to pay.

7. Enable multi-factor authentication (MFA) – if you inadvertently fall for an attack, MFA will prevent an attacker from accessing accounts like your email or social media and alert you to suspicious behaviour.
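The URL check in step 3 can be partly automated. The sketch below is an added example, not code from the article or from CyberArk: it compares the URL decoded from a QR code with the host you expected to reach and reports why it looks suspicious. The function names, finding labels and the `cafemenu.example` hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspelled look-alike hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_url(payload: str, expected_host: str) -> list[str]:
    """Return reasons to distrust a decoded QR payload; an empty list means no finding."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable-url"]
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username or parts.password:
        findings.append("userinfo-in-url")  # text before '@' is not the host
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")    # can render as look-alike characters
    if host == expected or host.endswith("." + expected):
        return findings                     # the organisation's host or a subdomain
    if edit_distance(host, expected) <= 2:
        findings.append("misspelled-host")  # one or two characters off
    elif host.startswith(expected + ".") or ("." + expected + ".") in host:
        findings.append("expected-name-embedded")  # trusted name used as a prefix
    else:
        findings.append("host-mismatch")
    return findings

# Constructed sample payloads, as a scanner app would show them before opening.
SAMPLES = [
    "https://menu.cafemenu.example/table/12",
    "https://cafernenu.example/table/12",
    "http://cafemenu.example/pay",
    "https://cafemenu.example@pay.test/login",
    "https://cafemenu.example.login.test/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", review_qr_url(url, "cafemenu.example") or "no findings")
```

An empty result only means none of these checks fired; it does not show that the destination is safe.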

As with any attack that preys on the naivety of users, the best advice is to trust your gut. We’re better at thinking twice about the slightly off-looking emails, calls, and texts we receive, aware they could have a hidden, malicious agenda. Applying this extra scrutiny to QR codes will go a long way in fighting against this threat.


About the Author

Len Noe is Threat Evangelist and White Hat Hacker at CyberArk. CyberArk is the global leader in Identity Security. Centered on privileged access management, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud workloads and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets.
