Think before you Scan!
In a touch-free world, Quick Response (QR) codes are becoming more popular. They are the ideal touch-free medium: people can interact with the world around them while touching only their own smartphone. QR codes, the black barcode-like squares that encode text or a web address, are everywhere and have become especially popular because they are so easy to use. They are printed on posters and signs, displayed in retail outlets, pasted on pub walls and in hotel lobbies, and taped to picnic tables in beer gardens. Many restaurants and hotels use QR codes to display menus or to direct people to booking pages where they can order food or reserve rooms online. They are also starting to be used for contact tracing, keeping a record of who has been where so that people who may have been exposed to the virus can be identified.
Cyber attackers have taken advantage of this opportunity and are abusing QR codes to steal sensitive information and run phishing campaigns. A QR code is only a container for data, most often a URL, and a scanner app will follow whatever address it finds. An attacker can therefore encode a URL that points to a page serving malware, or to a phishing site that imitates a legitimate one and encourages users to enter their credentials. When the code is scanned, the phone opens a site that may look genuine while, in the background, it attempts to download and install malicious content on the device without the user noticing.
A research report released by mobile security platform provider MobileIron in September 2020 found that nearly 75% of those surveyed could not distinguish between a legitimate and a malicious QR code. While most were aware that a QR code can open a URL, they were less aware of the other actions a QR code can initiate (dialling a number, sending a text message or joining a Wi-Fi network, for example), the report said. Alex Mosher, global vice president at MobileIron, says mobile device attacks threaten both individuals and businesses. He says, “A successful attack on an employee’s personal mobile device could result in that individual’s personal information being compromised or financial resources being depleted, as well as sensitive corporate data being leaked”.
A common attack involves placing a QR code embedding a malicious link in a public place over a legitimate QR code; unsuspecting users scan the code and are sent to a malicious web page that could host an exploit kit, says Chris Sherman, senior industry analyst at Forrester Research. This can lead to further device compromise, or to a spoofed login page that steals user credentials.
“Many websites do drive-by download, so mere presence on the site can start malicious software download,” says Rahul Telang, professor of information systems at Carnegie Mellon University’s Heinz College. “Mobile devices in general tend to be less secure than laptops or computers,” Telang says. “Since QR codes are used on mobile devices, [the] possibility of vulnerability is higher too.”
The easiest way to mitigate the risk of a QR code exploit would be not to scan QR codes at all. But that would make QR codes pointless, and it is inconvenient, since most codes are a useful way of accessing information. Individuals and organisations can instead take steps to mitigate the threat, several of which are simply common sense.
► As Mosher says, “before scanning a code, especially one on printed material in a public place, make sure it hasn’t been pasted over with a different—and potentially malicious—code”. In fact, it’s best not to use QR codes that look to be altered in any way, Sherman says. Pay attention to the URL you’re being directed to.
► Treat the QR code like a suspicious link. Mosher says, “It’s best to avoid URLs that differ from the legitimate URL of a company, especially if it redirects a user to a different site”. Most scanner apps will show you a preview (see image) of the destination, or reveal the full link, before opening it; read the whole domain carefully rather than just the first few characters. If it doesn’t look or feel right, don’t open it!
► Be aware of the location where the code is posted. If it’s on a restaurant menu or a reputable, secure website, it’s probably (though not always) safe to scan. A code on a poster in a public place, however, could just as easily have been printed and put up by an attacker. Do not scan a code sent or placed by someone you do not know or can’t verify.
► Many branded QR codes are customised and carefully designed, so a generic black and white code where you would expect a branded one deserves a second look. Bear in mind, though, that branding is easy to copy and a stuck-on code can be designed just as carefully as the original, so appearance alone is no guarantee.
► As always, if you suspect you have fallen victim to a QR code attack, get hold of your IT support team straight away, and change any passwords you entered on the page the code sent you to.
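The two pieces of advice above that are hardest to follow by eye, checking what action a code would trigger and checking the destination URL before opening it, can be turned into a small triage routine. The following is an added example, not code from the article or from MobileIron or Forrester: it takes the raw string a scanner app decodes from a QR code and reports which action it would trigger and why a user should hesitate. The trusted-domain set (`example-restaurant.com`), the shortener list, the redirect parameter names and the sample payloads are all constructed for illustration; decoding the image itself is left to the scanner app.

```python
"""Triage the string decoded from a QR code before letting a device act on it.

The scanner app returns the raw payload; this decides what action that
payload would trigger and lists the reasons a user should hesitate.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the domains this venue actually uses (constructed for the example).
TRUSTED_DOMAINS = {"example-restaurant.com"}

# Constructed, deliberately incomplete list: shorteners hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Query parameters commonly used to bounce a visitor to another site (assumed names).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "dest"}

# Payload prefixes that make a phone do something other than open a web page.
ACTION_SCHEMES = {
    "tel": "place a phone call",
    "sms": "send a text message",
    "smsto": "send a text message",
    "mailto": "compose an e-mail",
    "wifi": "join a Wi-Fi network",
    "geo": "open a map location",
    "mecard": "add a contact",
    "bitcoin": "open a cryptocurrency wallet",
}

_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")


def _under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload, trusted=TRUSTED_DOMAINS):
    """Return {'action': ..., 'target': ..., 'warnings': [...]} for one decoded payload."""
    payload = payload.strip()
    warnings = []
    m = _SCHEME_RE.match(payload)
    scheme = m.group(1).lower() if m else ""

    # 1. Non-URL actions: the reader may act on these with little or no preview.
    if scheme in ACTION_SCHEMES:
        warnings.append(f"would {ACTION_SCHEMES[scheme]} rather than open a web page")
        return {"action": scheme, "target": payload, "warnings": warnings}

    # 2. Plain text, or a scheme we do not recognise: never let the app auto-open it.
    if scheme not in ("http", "https"):
        if scheme:
            warnings.append(f"unrecognised scheme '{scheme}'; do not let the reader open it")
        return {"action": "other" if scheme else "text", "target": payload, "warnings": warnings}

    # 3. A web link: inspect the pieces a person skimming a preview tends to miss.
    try:
        parts = urlsplit(payload)
    except ValueError:
        return {"action": "url", "target": payload, "warnings": ["malformed URL"]}
    host = (parts.hostname or "").lower()

    if scheme == "http":
        warnings.append("plain http: the page can be altered in transit")
    if parts.username is not None:
        warnings.append("'user@' before the host hides the real destination")
    if _is_ip(host):
        warnings.append("destination is a raw IP address, not a named site")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host: check for look-alike characters")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the real destination; expand it first")
    if not any(_under(host, d) for d in trusted):
        warnings.append(f"host '{host}' is not one of the expected domains")
        for d in trusted:
            if d in host:
                warnings.append(f"host contains '{d}' but is not under it (look-alike)")
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                if "://" in value or value.startswith("//"):
                    warnings.append(f"parameter '{key}' redirects to {value}")

    return {"action": "url", "target": payload, "warnings": warnings}


def is_safe_to_open(payload, trusted=TRUSTED_DOMAINS):
    """Only an https link to an expected domain with no red flags passes."""
    result = triage_qr_payload(payload, trusted)
    return result["action"] == "url" and not result["warnings"]


if __name__ == "__main__":
    # Constructed sample payloads: one genuine menu link and several sticker-style decoys.
    for sample in (
        "https://example-restaurant.com/menu",
        "http://example-restaurant.com.evil.net/login",
        "https://example-restaurant.com/go?url=https://evil.net/x",
        "WIFI:T:WPA;S:FreeCafe;P:hunter2;;",
        "tel:+15555550199",
    ):
        print(sample, "->", triage_qr_payload(sample))
```

The checks mirror what the preview screen shows but rarely gets read in full: the scheme (a `tel:` or `WIFI:` payload triggers an action rather than a page), the true host (a trusted name buried in a subdomain or a look-alike is the classic sticker-over-menu trick), and any redirect parameter that carries the real destination past the domain a user glances at.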