Quick response (QR) codes can be thought of in a similar way to URL shortening services – they provide instant access to information such as websites and contact details. They can also let users join a Wi-Fi network without typing a password. Whether it is contact tracing for COVID-19, bus advertisements, mobile payments or cash withdrawals from ATMs, QR codes are used in every aspect of life in Hong Kong. The Hong Kong Government recently announced a QR code tree label programme, whereby a label is placed on trees at prominent locations, and citizens can learn the species, characteristics and other interesting information about a particular tree once they have scanned the QR code on its label.
Wickie Fung, general manager of Hong Kong and Macau, Palo Alto Networks, said, “QR code technology is safe in itself, but as reliance on it grows, cybercriminals are taking note. These codes could offer an entryway to potential cyber-attacks because they don’t provide visibility into the webpage, application etc., behind them. Instead, they automatically redirect users to webpages, app stores to download apps, make payments and more which provides cybercriminals with opportunities to insert themselves into the process.”
During the pandemic, Unit 42, the threat intelligence team at Palo Alto Networks, has observed cybercriminals in underground online forums discussing ways to abuse QR codes and target the everyday consumer. We also found open-source tools and video tutorials offering training on how to conduct attacks by using QR codes.
Back in 2018, Juniper Research predicted a fourfold increase in the use of QR codes by 2022, as QR scanning functionality was being built into many mobile devices’ cameras. The pandemic has likely caused a further spike in the use of this technology, so we need to be cautious about what we scan.
How cybercriminals could exploit QR codes
There are several ways cybercriminals could leverage QR codes for their own malicious objectives. One method would be to hack into a business’s website and replace the QR code with their own. Because all QR codes look so similar, a swapped code would be incredibly hard to spot. Scanning this code could automatically route unsuspecting consumers to a phishing URL, where cybercriminals request user credentials and then take control of email or social media accounts, for example. It could also lead users to a less legitimate app store where they might unknowingly download a malicious app containing a virus, spyware, trojan or other type of malware, which could lead to data theft, privacy breaches (location or contact list stolen, calls and messages intercepted), ransomware extortion or, in some cases, cryptomining.
Another cybercriminal technique is a honeypot. Threat actors could set up an unsafe Wi-Fi network promising free internet to anyone who scans their QR code. Once a device is connected, the attackers can eavesdrop on or intercept the data being shared and steal personally identifiable information, confidential business information, online banking credentials and credit card details. With remote working likely to continue, it is important that we are all aware of such methods and only log into secure Wi-Fi networks.
QR codes: think before you scan
How can we protect ourselves? There is no way to tell with the naked eye whether a QR code has been tampered with, but there are many precautions one can take to avoid falling victim.
“Business owners and IT administrators need to carry out regular integrity checks on their sites and apps to ensure the code and link they are providing is what they intend. They can do this by regularly scanning the code to check if the link within the QR code is correct. They need to check both the web and mobile browser version, as cybercriminals have been known to only compromise the latter to reduce the chance of detection.
Employers should also provide personnel with cybersecurity training to make them aware of the risks to the organisation and themselves. These include using strong and unique passwords for both personal and work accounts, setting up multi-factor authentication, and identifying phishing emails as well as unsafe virtual environments. As many employees continue working from non-corporate environments, cyber awareness training will equip the remote workforce with the knowledge and awareness to make sensible decisions, preventing attackers from gaining access to any personal and corporate networks, devices, and data,” Fung added.
We have all been taught to ‘think before we click’ on a suspicious link or email, and it is now time to apply the same rule to QR codes – think before you scan. Don’t scan a QR code if you don’t know where it will lead, and preview the website and domain name to ensure it is where you expected to be directed. Many secure QR code scanning apps allow users to preview websites before visiting them. Many browsers also allow users to disable automatic redirects, so that individuals can check the URL’s domain and decide whether it is trustworthy before taking action.
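The “check after you scan” step, the site owner’s integrity check described by Fung, and the free Wi-Fi honeypot risk above all come down to the same question: what would acting on this decoded payload actually do? The Python script below is an added illustration, not part of the original article and not a Palo Alto Networks tool. It takes the text a scanner app has already decoded from a QR code and flags the warning signs a practitioner would look for: a non-HTTPS link, a host outside the organisation’s expected domains, `user@host` tricks, bare IP or punycode hosts, link shorteners that hide the destination, and Wi-Fi payloads that would join an open or WEP network. The expected host list, the shortener list and every sample payload are constructed for the example.

```python
"""Inspect a decoded QR payload before a person or a device acts on it."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import ipaddress

# Constructed: the domains an organisation expects its own published codes to point to.
EXPECTED_HOSTS = {"example.com", "www.example.com"}
# Constructed, illustrative list: shorteners hide the final destination from the scanner.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


@dataclass
class Verdict:
    kind: str                 # "url", "wifi" or "other"
    ok: bool
    reasons: list = field(default_factory=list)


def inspect_url(payload: str, expected_hosts=EXPECTED_HOSTS) -> Verdict:
    """Flag the properties of a URL that a scanner preview should make visible."""
    v = Verdict("url", True)
    parts = urlsplit(payload)
    if parts.scheme.lower() != "https":
        v.reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if "@" in parts.netloc:
        # https://trusted.example@evil.test/ really goes to evil.test
        v.reasons.append("URL carries userinfo (user@host); real host is after the '@'")
    host = (parts.hostname or "").lower()
    if not host:
        v.reasons.append("URL has no host")
    else:
        try:
            ipaddress.ip_address(host)
            v.reasons.append("host is a bare IP address rather than a domain name")
        except ValueError:
            pass
        if host.startswith("xn--") or ".xn--" in host:
            v.reasons.append("punycode host: check for look-alike characters")
        if host in SHORTENERS:
            v.reasons.append("link shortener hides the final destination")
        if expected_hosts and host not in expected_hosts:
            v.reasons.append(f"host {host!r} is not an expected destination")
    v.ok = not v.reasons
    return v


def parse_wifi(payload: str) -> dict:
    """Parse the 'WIFI:T:WPA;S:ssid;P:secret;;' format used by Wi-Fi QR codes.
    Fields are ';'-terminated key:value pairs; a backslash escapes ';', ':', ',' and '\\'."""
    body = payload[len("WIFI:"):]
    fields, key, buf, i = {}, None, [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])
            i += 2
            continue
        if key is None and ch == ":":
            key, buf = "".join(buf), []
        elif ch == ";":
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return fields


def inspect_wifi(payload: str) -> Verdict:
    """A Wi-Fi payload joins a network silently, so report what that network offers."""
    v = Verdict("wifi", True)
    f = parse_wifi(payload)
    auth = f.get("T", "nopass").upper()        # a missing T field means an open network
    if auth in ("", "NOPASS"):
        v.reasons.append(f"joins open network {f.get('S')!r}: traffic can be eavesdropped")
    elif auth == "WEP":
        v.reasons.append("WEP encryption is broken; treat as an open network")
    if f.get("H", "").lower() == "true":
        v.reasons.append("hidden SSID")
    v.ok = not v.reasons
    return v


def inspect_payload(payload: str, expected_hosts=EXPECTED_HOSTS) -> Verdict:
    """Dispatch on payload type; anything unrecognised is left for a human to read."""
    p = payload.strip()
    if p.upper().startswith("WIFI:"):
        return inspect_wifi(p)
    if p.lower().startswith(("http://", "https://")):
        return inspect_url(p, expected_hosts)
    return Verdict("other", False, ["not a URL or Wi-Fi payload; inspect manually"])


def integrity_check(decoded: str, intended: str) -> bool:
    """Site-owner check: the payload decoded from the published code must equal the intended link."""
    return decoded.strip() == intended.strip()


if __name__ == "__main__":
    for sample in ["https://www.example.com/tree/123",                 # constructed samples
                   "https://www.example.com@203.0.113.5/login",
                   "WIFI:S:Free Airport WiFi;T:nopass;;"]:
        v = inspect_payload(sample)
        print(sample, "->", "OK" if v.ok else "; ".join(v.reasons))
```

A scanner app that previews the destination gives the user the raw string this script consumes; a site owner can run the same `inspect_payload` and `integrity_check` over the payloads decoded from each published code, on both the desktop and mobile versions of the page, as the article recommends.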
Make sure you only download apps from trusted sources such as Apple’s App Store or Google Play Store. And continuously update all smart devices to benefit from the latest security protections.
In summary, Palo Alto Networks’ key advice is:
- Think before you scan
- Check after you scan
- Be aware and alert
As with every technology that grows in use, we will likely see a rise in cybercriminals’ attempts to abuse QR codes over the coming months, so it is vital to be aware of the risks and take the right precautions.
Apart from users being more self-aware, it is also a call to mobile operators to take a broader view of the issues at stake. Operators can take proactive steps to prevent their networks from being used to commit criminal activity and provide information for customers to make meaningful choices about their privacy.