QR Codes - Friend or Foe?

27 May

Quick Response (QR) codes are gaining popularity, particularly in New Zealand, where businesses are required to display them for the Covid-19 tracer app and where there is demand for touchless interaction with items such as menus and advertising materials. They are often seen on billboards, posters, business cards, discount vouchers and event tickets.

Originally developed by the Japanese automotive industry, QR codes are a matrix barcode that can now be read with the camera app on most modern smartphones or with a dedicated scanner app. Once the code is scanned and interpreted, it often redirects the user to the corresponding web link or, in the case of the Covid-19 tracer app, logs the user's visit. QR codes do not expire: once generated, a code can be reused indefinitely.

While these codes offer convenience and can be very effective for their intended purposes, their rise in popularity for legitimate uses has also sparked a rise in interest from malicious actors. Attackers have been known to paste counterfeit QR codes over legitimate ones to deploy phishing attacks, redirecting users to fraudulent websites in an effort to harvest credentials. QR codes have also been used to deploy malware through a technique known as a “drive-by download”, in order to gain control of a device, disrupt the normal user experience and services, or exfiltrate data.

In other cases, such as payments made with QR codes, the attacker does not need to alter the code at all; instead they insert themselves between the code and its legitimate destination, sitting in the middle of a financial transaction and capturing payment information, for example. These attacks are known as QRLjacking and can also be used to add phone numbers to your contact list, connect your device to a malicious network, send text messages to your saved contacts, send payments to unknown recipients, or make unauthorized, expensive phone calls or send SMS messages.

How to Protect Yourself Against QRLjacking

It can be difficult to distinguish between a legitimate QR code and a malicious one, but there are a number of ways you can protect yourself and avoid falling victim to these types of scams and attacks.

  • Before installing a QR scanner, check the reputation of the application and its developer and investigate the security features it offers.
  • Ensure mobile devices are protected by up-to-date endpoint protection that can detect malicious software, unauthorized downloads, website redirections and known malicious sites.
  • Inspect the QR code to ensure it is not a sticker or other material placed over the original QR code.
  • Never scan QR codes found in random or public places or from unknown sources.
  • Check that URLs you are directed to through QR codes are legitimate and do not contain typos or unexpected text, numbers or symbols. A good indicator is the padlock in your browser's address bar, which shows the site is served over HTTPS.
  • Don't scan QR codes received via email unless you can verify with a trusted sender that they are legitimate. Check in with them using a means other than email.
  • After scanning a QR code, be wary of any site requesting login information or other personal details, or of advertisements with special deals requesting payment information.
  • Avoid making financial transactions using QR codes.
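The URL checks in the list above (unexpected scheme, typos or look-alike domains, a missing padlock) and the non-web actions described earlier (joining a network, dialling, texting, adding contacts) can be automated at the point where a scanner app hands over the decoded text. The following is an added example, not code from the original post or from any scanner product: it takes a decoded QR payload and returns the reasons a defender would treat it with suspicion. The `ACTION_PREFIXES` table covers the common QR "action" formats; the expected domain and the sample payloads are constructed for illustration. Note that the padlock only tells you the connection is encrypted, not that the site is the one you expected, which is why the example compares the host against a domain you already trust.

```python
"""Inspect a decoded QR payload before acting on it (added example, not from the post)."""
from typing import List, Optional
from urllib.parse import urlsplit

# Payload prefixes that make a phone do something other than open a web page.
# Each corresponds to an outcome the post describes for QRLjacking.
ACTION_PREFIXES = {
    "WIFI:": "joins a Wi-Fi network",
    "TEL:": "places a phone call",
    "SMS:": "sends a text message",
    "SMSTO:": "sends a text message",
    "MECARD:": "adds a contact",
    "BEGIN:VCARD": "adds a contact",
}


def inspect_payload(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return a list of warnings for a decoded QR payload; an empty list means nothing was flagged."""
    warnings: List[str] = []
    text = payload.strip()
    upper = text.upper()

    # Non-URL action payloads: flag and stop, there is no URL to parse.
    for prefix, effect in ACTION_PREFIXES.items():
        if upper.startswith(prefix):
            warnings.append(f"action payload: {effect} ({prefix.rstrip(':')})")
            return warnings

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme: {scheme or '(none)'}")
        return warnings
    if scheme != "https":
        warnings.append("not https: no padlock, traffic can be read or altered in transit")

    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no host in URL")
        return warnings

    # "https://bank.example@evil.test/" shows the trusted name first but goes to evil.test.
    if parts.username is not None:
        warnings.append(f"userinfo before '@': the real host is {host}")
    if host.replace(".", "").isdigit():
        warnings.append("host is a bare IP address")
    # Punycode (xn--) or raw non-ASCII labels are how look-alike domains are encoded.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible look-alike domain")
    if any(ord(ch) > 127 for ch in host):
        warnings.append("non-ASCII characters in host: possible look-alike domain")
    if host.count(".") >= 4:
        warnings.append("deeply nested subdomains: check which part is the registered domain")

    # The padlock does not prove identity; compare against a domain you already trust.
    if expected_domain:
        exp = expected_domain.lower()
        if not (host == exp or host.endswith("." + exp)):
            warnings.append(f"host {host!r} is not {exp!r} or a subdomain of it")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might decode them.
    samples = [
        ("https://menu.example.co.nz/table/4", "example.co.nz"),
        ("http://example.co.nz/pay", "example.co.nz"),
        ("https://example.co.nz@evil-site.test/login", "example.co.nz"),
        ("https://xn--exmple-cua.co.nz/", "example.co.nz"),
        ("WIFI:T:WPA;S:FreeCafe;P:guest1234;;", None),
        ("SMSTO:+6421000000:hi", None),
    ]
    for payload, expected in samples:
        print(payload)
        for w in inspect_payload(payload, expected) or ["(no warnings)"]:
            print("   -", w)
```

Run it as a script to see each constructed payload annotated; in practice the same function would sit between the decoder and whatever opens the link, so that anything other than an empty warning list is shown to the user before the device acts on the code.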

Image by Xavier Turpain from Pixabay

Unisphere Solutions - Powered by Capacitate Group
