Scams with QR codes: a fresh spin on an old tactic

QR codes have become a common sight in our everyday lives. Mainly because of touchless communication the usage of QR codes in various places has expanded significantly, especially during pandemic time.

QR stands for “Quick Response.” A QR code is a sort of barcode that is easily readable by digital devices like smart phone/ tab that contains data as a sequence of pixels in a square-shaped grid. QR code become popular because of low production cost and the pre-installed scanners in the smart mobile devices. It can store a wide range of information, including website URLs, contact details, and up to 4,000 characters of text. Aside from financial transactions, QR codes are also used at restaurants to check the menu, download an app from Apple App Store or Google Play, connect WiFi, access to a website, even visiting cards often include QR Codes.

On the other hand, hackers and threat actors are becoming more interested because of these increased usages of QR Codes. They use it as an attack vector to perform malicious activity.
According to reports from ZDnet, Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can exploit them to launch malware or ransomware attacks, or sell stolen login credentials onto other hackers to use for their own campaigns.  Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, accidentally handing over their credentials. One recent campaign detailed by cybersecurity researchers at Abnormal Security sent hundreds of phishing emails that attempted to use QR codes designed to bypass email protections and steal login information. This is known as a “quishing” attack.[1]

 The following are the most often encountered security risks associated with QR codes:

1. Malicious URLs can be included in QR codes that are displayed in public places, making them infective to everyone who scans them. In certain cases, simply browsing the website may result in the installation of malware in the background. After that, the malware has the potential to do a great deal of damage to the device’s users. It might allow the spread of further malware or steal sensitive information. Even ransomware attacks might be a result of these malware outbreaks.
   
   
2.  A QR code may be used to save the URLs of a business’s website. Users’ devices will be forwarded to the specified websites after they scan the codes. Sometimes, organizations conduct surveys using QR codes to record questionnaire URLs and allowing people to respond to the questionnaires. A threat actor may alter a legitimate QR code with the one embedded with a phishing website. There are minor differences between these phishing sites and real websites, which gives the impression that they are legitimate to the victim. On the phishing website, unsuspecting victims may submit important information such as bank account passwords, credit-card data or personal information, which is then used to commit fraud. This method is also known as QPhishing.

• QR code payment is supported by the majority of mobile payment service providers. Many restaurants, shops may use QR code in common place to perform contact less payment. Threat actor may exchange a valid QR code with a fake one in such common areas, causing the transactions to flow into their bank account instead of the original one. Both the merchant and the user would suffer from financial loss.

• Text-based data may be stored in QR codes. It is possible that QR codes on boarding pass or conference id may include sensitive personal information, which increases the risk of Information leaking.

• Honeypots are a common tool used by threat actor. Threat actor may set up an insecure Wi-Fi network providing free Internet to anyone who scans their QR code. After connecting a device, hackers can listen in on or intercept the data being transferred and obtain personally identifying information, private company data, internet banking information, and credit card information. This data can be used for identity theft.

• There are many secure QR code scanning apps are available. An attacker may discover a vulnerability in a code reader program, which allows for the exploitation of cameras and/or sensors in smartphones or other devices.

The following measures can be implemented to minimize risks:

1. Pay attention when reading QR codes and avoid scanning codes from unknown sources. Disable the QR code scanner’s built-in URL redirection. Make sure scanner displays URL information and prompts you to confirm whether or not to access the link.

• It is the responsibility of merchants and customers to ensure that QR codes have not been tampered with or replaced with fake codes.

• Before making a payment with a QR code, ensure all of the information is correct in the app.

• Scan QR codes received in emails only if you are certain they are real.

• Organizations should avoid storing sensitive data in QR codes. Otherwise, data should be encrypted to prevent unauthorized access.

• Do not Install QR code reader from unknown sources. Also update reader regularly when new versions are available.   

• Protect mobile devices with reliable antivirus software. It may detect malicious links connected with QR codes and restrict user from high – risk websites and downloads.

• Do not scan a QR code if it is printed on a label and applied atop another QR code. Verify its authenticity first with a staff member.

There has been a significant spike in the use of QR codes, which has made payments and access to useful material on our phones faster. So, it is important to Keep an eye out for any suspicious activity while using QR codes.

[1] https://www.zdnet.com/article/these-phishing-emails-use-qr-codes-to-bypass-defences-and-steal-microsoft-365-usernames-and-passwords/