Don Tan from Lookout explains how stakeholders can identify threats to QR code security.
Just like any virus, cyber criminals are constantly adapting to new environments, and over the past year we’ve seen them target Australians in a way that’s increasingly entwined with our daily lives: through the quick response (QR) codes we use to check in to venues.
QR codes have been around since 1994, initially to track vehicle parts in the manufacturing process, but truly exploded onto the scene during the COVID-19 pandemic as a way for state governments to enforce contact tracing.
Although this mandate has largely been lifted, the simplicity of scanning a barcode through our phones to access a range of services has seen their functionality expand to include paying for parking, ordering food from restaurants and interacting with advertisements on bus stops.
Within popular apps like Snapchat and WhatsApp, QR codes are used to sign into accounts, exchange contact information and make money transfers.
And in a testament to their place in the zeitgeist, one of the most talked about commercials from this year’s Super Bowl was by Coinbase, involving a simple multi-coloured QR code bouncing around the screen.
We’ve embraced QR codes with open arms and outstretched phones, often without a second thought to the personally identifiable information, including our name, email address, bank details and age, we are unthinkingly handing over to unknown databases.
And naturally, this has become a veritable playground for nefarious actors.
How does a QR code scam work?
Almost all QR codes look alike, and almost no one is looking closely for signs of legitimacy.
This makes it very easy for criminals to generate tampered codes with false links that direct people to illegitimate sites, prompting them to enter login details and financial information that is sent directly to the scammers.
A QR code scam can be executed as simply as someone physically placing a paper print-out of a spurious code over a real copy.
As well as draining victims’ funds, QR code scams place personal information into the hands of criminals, with scammers often adding compromised phone numbers to databases and calling people pretending to be government agencies to request further information.
So far, across the world, we have seen QR code scams play out in seemingly innocuous scenarios.
Last year in China, there were reports of scammers replacing the QR codes on bike-sharing services, a move that drained victims’ bank accounts. Tampered QR codes have also materialised in parking stations across the US and the Netherlands.
Likewise, in Canada, criminals have placed “out of order” signs on bitcoin ATMs and prompted people to instead send their funds to QR code wallets.
Indeed, the transfer of cryptocurrency between devices, which is often completed with QR codes, has opened this practice up to the antics of hackers, forming the basis of an alert by the FBI.
QR phishing is not just an effective method to attack individuals. It can also be used to steal corporate data.
For example, employees could scan a code that leads to a fake bank login page, and once their login credentials are entered, an attacker could use software that trawls the internet for other sites with that employee’s username. If this person uses the same login credentials across multiple accounts, including ones related to work, an attacker could gain access to an organisation’s infrastructure.
Australia has largely escaped a devastating breach resulting from a tampered QR code, but the Australian Competition and Consumer Commission (ACCC) has claimed more than 28 QR code scams have been reported across the country to date, with damages representing more than AU$100,000.
To minimise our chances of a large-scale QR code attack, it’s time to prepare our defences by knowing the warning signs.
How to safeguard against QR code phishing
It is helpful to think about QR codes the same way we think about other phishing tactics like email scamming and social engineering.
Everyone needs to take a moment to check the URL shown in the scanner’s preview or notification before tapping through to be redirected. If the URL does not look like a trusted source or differs from the known company’s URL, it is essential to exit out of the notification.
We also need to apply a degree of common sense by considering the context in which the QR code is appearing. For instance, if it features on a lone piece of paper in a public space, not noticeably tied to a reputable source, it’s less likely to be legitimate.
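The “check the URL before tapping through” advice above can be turned into a small pre-flight check that an organisation’s scanner app or a security team’s triage script runs on the decoded QR payload, without ever following the link. The example below is added here by the editor and is not Lookout’s code or a tool the article describes; the trusted-domain list and the sample payloads are constructed for illustration. It flags the tricks the article’s scenarios rely on: a non-HTTPS link, a trusted name embedded before an `@`, a raw IP address, a punycode host, and a legitimate brand name buried inside an unrelated domain.

```python
"""
Pre-flight check for a URL decoded from a QR code, run before anyone taps
through.  Added example, not code from the article; the allow-list and the
sample payloads are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the domains the organisation actually uses.
TRUSTED_DOMAINS = {"example-bank.com", "venue-checkin.gov.au"}


def check_qr_url(payload: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return {"ok": bool, "host": str | None, "reasons": [str, ...]}.

    `payload` is the text a QR reader produced.  Nothing here fetches it;
    the verdict comes purely from inspecting the string.
    """
    reasons = []
    text = payload.strip()

    # Non-URL payloads (Wi-Fi credentials, vCards, plain text) are not
    # links, so they never get a "safe to open" verdict.
    if "://" not in text:
        return {"ok": False, "host": None, "reasons": ["not a URL payload"]}

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")

    # "https://example-bank.com@evil.net/" puts the brand name where the
    # eye expects the host; urlsplit exposes it as userinfo instead.
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials embedded before the host ('@' trick)")

    if not host:
        reasons.append("no host")
    else:
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address instead of a domain name")
        except ValueError:
            pass  # a normal hostname, keep checking

        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode (internationalised) host")

        if not any(host == d or host.endswith("." + d) for d in trusted):
            reasons.append(f"host {host!r} is not a trusted domain")
            # Classic lookalike: trusted name as a prefix of an unrelated
            # domain, e.g. example-bank.com.login-verify.net
            for d in trusted:
                if d in host:
                    reasons.append(f"looks like {d!r} but is registered elsewhere")
                    break

    return {"ok": not reasons, "host": host or None, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, as a QR reader would hand them over.
    for sample in (
        "https://venue-checkin.gov.au/checkin?venue=123",
        "http://example-bank.com/login",
        "https://example-bank.com.login-verify.net/",
        "https://example-bank.com@203.0.113.5/secure",
        "WIFI:T:WPA;S:cafe;P:secret;;",
    ):
        verdict = check_qr_url(sample)
        print(("OPEN   " if verdict["ok"] else "BLOCK  ") + sample)
        for reason in verdict["reasons"]:
            print("         - " + reason)
```

The allow-list is deliberately exact-or-subdomain rather than substring, which is what makes the `example-bank.com.login-verify.net` case fail; a substring match would wave it through. Returning reasons rather than a bare boolean lets a help desk tell the user why the code was blocked, which is the same contextual judgement the article asks individuals to make.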
Organisational leaders also need to consider solutions that can protect their users and data from all internet-based attacks, regardless of where they are in the world, securing data from threats such as malicious sites, spyware, adware, ransomware, phishing attacks and botnets.
By rolling out this level of protection, users will only have access to safe content and phishing attempts will be blocked.
QR codes are one of the next frontiers of cyber crime, and as these continue to play a part in how Australians communicate, work and recreate, it’s time for us all to stop and think before we scan.
Don Tan is the senior director, Asia-Pacific and Japan, for integrated endpoint-to-cloud security leaders at Lookout.