Malicious QR codes hide attacks in plain sight [Q&A]
With their ability to provide access to websites, enable mobile payments, and retrieve data, QR (quick-response) codes have become a ubiquitous part of our daily lives. In fact, In 2022, approximately 89 million smartphone users in the United States scanned a QR code on their mobile devices, a 26 percent increase compared to 2020.
However, cybercriminals are also using this trend to distribute malware, steal personal information, and conduct phishing attacks, which can then be leveraged to access your confidential corporate data. As consumers and even large enterprises continue to use QR codes as a means to streamline operations, it's important to be aware of the fast-growing attack surface that bad actors are jumping on.
We spoke to JT Keating, SVP of strategic initiatives at Zimperium, to learn more about QR code attacks and how people and businesses and defend against them.
BN: What are QR Codes?
JTK: QR codes, or quick response codes, have become predominant in recent years. QR codes were invented in the 1990's, initially being used to track vehicle parts during the manufacturing process. However, it wasn't until the pandemic that QR codes really gained their widespread popularity.
QR codes have found their way into various aspects of our lives, and are now widely used by a range of organizations, including manufacturers, restaurants, hotels, retailers, media outlets, and healthcare providers. QR codes offer an array of benefits including the ability to store a large volume of data, as well as offering the convenience and speed of data transmission. The adoption of these two-dimensional barcodes have helped businesses to boost sales, increase social engagement, and provide a more streamlined way to interact with their customers.
BN: How are QR codes being used by cybercriminals?
JTK: Every rose has its thorn, however. Malicious actors are constantly looking for new attack vectors, and with the growing popularity of QR codes for all manner of operations, cybercriminals have begun to weaponize QR codes to use them in phishing attacks. Like other kinds of phishing, QR phishing can be used in various ways and for various reasons. Depending on the specific desires and means that a bad actor or criminal organization possesses, QR phishing can be deployed via email, text message, or even on paper -- anywhere that they can entice users into scanning the code.
And even more so, QR code phishing attacks are easy to deploy and most importantly, effective. QR codes are able to mask the underlying destination URL, and have no built-in security features, so bad actors are able to easily bypass traditional phishing security controls.
For example, a major US energy organization was recently targeted in a QR phishing attack in which QR codes were used to bypass email security. The attackers targeted employees by sending Microsoft authentication emails with QR codes claiming that their account setting needed to be reset in no more than 2-3 days. The attackers used QR codes embedded in the attached QR code to bypass security tools that scan messages for unknown and malicious links.
BN: What are specific threats QR codes can pose?
JTK: There are three main attacks that bad actors are using QR codes for: Quishing, QRLJacking, and QR-code based malware attacks:
- Quishing: By sending QR codes via email or posted in public spaces, these links can direct and redirect users to a phishing site exposing login credentials, PII and financial details. These tactics often endeavor to instill some sense of urgency, such as notifying users that they are about to be locked out of an account or a payment was denied.
- QRL Jacking: Malicious actors can create a duplicate of a login QR code and have it link to a deceptive login page. They can also manipulate QR codes through techniques like dimming specific sections or subtly distorting square dots within the code. Through QRL jacking, malicious actors can redirect users to a fake login page, where they trick users into divulging credentials and other sensitive details.
- QR-Code-Based Malware: QR codes can also be a way for cybercriminals to spread malware and perpetrate attacks.
BN: Why are mobile phones and users particularly susceptible to attacks?
JTK: Mobile phones and users are particularly susceptible to phishing attacks, especially those involving QR codes. In fact, 80 percent of phishing sites target mobile devices. This is because most mobile devices lack the phishing and malware protections that laptops and desktop computers have. In addition, the devices' compact size make spotting malicious URLs or sites more difficult (i.e. shortened QR code links, harder to catch misspellings, etc.)
Consequently, this puts consumers and the enterprises they work for at risk -- If employee devices are compromised, corporate credentials and assets may be exposed.
As with the attack on the major energy company above, employees often make the mistake of assuming that their company devices have the security needed to guard against cyber attacks (i.e. "Our corporate email has security protection"). This might be true, but only to an extent. A lot of traditional email security products look for static things in an email that don’t scan attachments or understand QR codes.
BN: How can consumers and organizations best safeguard their assets and credentials against bad actors?
JTK: The reality is that attacks through malicious QR codes are here to stay. According to Hoxhunt, 22 percent of phishing attacks in October 2023 alone used QR codes. Cybercriminals will only continue to exploit the trust users have in QR codes, especially since it is nearly impossible to detect a compromised code.
Therefore, it is important for users to be cautious when it comes to QR codes and watch out for the small nuances -- spelling and grammar errors, typos in sender address or domain name, unsolicited password resets, being asked to resubmit credentials, etc. For mobile-first businesses especially, it is crucial for security teams to educate employees on the threats posed by malicious QR codes and to provide guidance on minimizing their exposure. It is vital to ensure employees minimize their use and, when possible, only use them in controlled, trusted environments.
Image credit: bloomua/depositphotos.com