Quick Response (QR) codes are gaining popularity, particularly in New Zealand, where businesses are required to display them for the Covid-19 tracer app and where there is a need for touchless interaction with items such as menus and advertising materials. They are often seen on billboards, posters, business cards, discount vouchers and event tickets.
Originally developed by the Japanese automotive industry, QR codes are a matrix barcode that can now be read with the camera app on most modern smartphones or with a translator app. The code is scanned and interpreted, and it often redirects the user to the corresponding web link or, in the case of the Covid-19 tracer app, logs the user's activities. QR codes have unlimited lifespans and, once generated, can be reused indefinitely.
While these codes offer convenience and can be very effective for their intended activities, their growing popularity for legitimate purposes has also sparked growing interest from malicious actors. Attackers have been known to paste counterfeit QR codes over legitimate ones to deploy phishing attacks, redirecting users to fraudulent websites in an effort to harvest credentials. QR codes have also been used to deploy malware through a technique known as a “drive-by download” in order to gain control of a device, disrupt the normal user experience and services, or exfiltrate data.
In other cases, such as payments made using QR codes, the attacker does not need to alter the code at all. Instead, they create a layer between the code and the legitimate destination, where they sit in the middle of a financial transaction and capture, for example, payment information. These attacks are known as QRLjacking and can also be used to add phone numbers to your contact list, connect your device to a malicious network, send text messages to your saved contacts, send payments to unknown recipients, or make unauthorized, expensive phone calls or SMS messages.
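As an added example (not part of the original article), here is one way a scanner app, or a business auditing its own posters, could preview what a decoded QR payload would do before acting on it. The payload prefixes are the de facto conventions used by common scanner apps; the function names, the `expected_host` parameter and the sample values are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: de facto payload prefixes used by common scanner apps (not from the article).
NON_URL_ACTIONS = {  # upper-cased prefix -> action a scanner app would offer
    "WIFI:": "join Wi-Fi network", "SMSTO:": "send SMS", "TEL:": "place phone call",
    "MECARD:": "add contact", "BEGIN:VCARD": "add contact",
}

def parse_wifi(payload):
    """Return the fields of a WIFI:T:..;S:..;P:..;; payload as a dict."""
    fields = {}
    for part in re.split(r"(?<!\\);", payload[len("WIFI:"):]):  # split on unescaped ';'
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = re.sub(r"\\(.)", r"\1", value)  # unescape \; \: \\
    return fields

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def describe(payload, expected_host=None):
    """Classify a decoded QR payload and list warnings, without acting on it."""
    text = payload.strip()
    for prefix, action in NON_URL_ACTIONS.items():
        if text.upper().startswith(prefix):
            warnings = ["triggers a device action, not a web page"]
            if prefix == "WIFI:" and parse_wifi(text).get("T", "nopass").lower() == "nopass":
                warnings.append("open network (no encryption)")
            return {"action": action, "warnings": warnings}
    url = urlsplit(text)
    scheme, host = url.scheme.lower(), (url.hostname or "").lower()
    if scheme not in ("http", "https"):
        return {"action": "unknown", "warnings": ["unrecognised payload type"]}
    checks = [
        (scheme == "http", "unencrypted http link"),
        (url.username is not None, "text before '@' can disguise the real host"),
        ("xn--" in host, "punycode host (possible lookalike domain)"),
        (is_ip(host), "raw IP address instead of a domain name"),
        (expected_host is not None and host != expected_host.lower(), "host differs from expected"),
    ]
    return {"action": f"open {host}", "warnings": [m for hit, m in checks if hit]}

# Constructed sample: the payload of a sticker pasted over a check-in poster.
SAMPLE = "https://tracer.example.nz@192.0.2.10/login"
```

Calling `describe(SAMPLE, expected_host="tracer.example.nz")` reports the real destination and three warnings, which is the information a user needs before following the link.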
Unisphere Solutions - Powered by Capacitate Group