As QR codes have become ubiquitous, their proliferation has given rise to new and emerging security risks.
More than 80% of US-based QR code users said that they think QR codes are safe, but only 37% of users could identify a malicious one, according to a recent report from Scantrust.
Fueled by such trust and by the widespread adoption of QR codes during the COVID-19 pandemic, QRishing (a fusion of “QR” and “phishing”) involves crafting counterfeit QR codes that lead unsuspecting users to malicious websites, where sensitive information is sought and exploited by cybercriminals. This threat has thrived due to social engineering tactics — leveraging user trust, the ubiquity of QR code scanning, and the challenge of distinguishing genuine codes from fraudulent ones.
QRishing takes various forms, from affixing fake QR stickers over legitimate codes in commercial establishments to counterfeiting traffic fines with deceptive QR codes that harvest payment details or sensitive data. The scam also includes “reverse QR,” where cybercriminals trick users into making unauthorized payments or sharing data via manipulated QR codes.
The success of QRishing hinges on exploiting user trust and the allure of fake discounts. Victims often get tricked into sharing malicious QR codes with their contacts, multiplying the risk.
Meanwhile, “QRLjacking” poses a rising threat, targeting services that rely on QR codes for logins, such as WhatsApp, to gain unauthorized access to accounts and the sensitive information they hold.
QR Scams Have Global Impact
Raquel Puebla, cyber intelligence analyst at Entelgy Innotec Security, explains that QR attacks are executed all over the world. To start, she points to a recent campaign in China in which attackers added fraudulent QR codes to parking tickets left under windshield wipers.
These codes claimed to facilitate payment of the violation, when in fact they were collecting personal and banking information from the victims.
“In Germany, investigators were able to identify a campaign in which, through fraudulent emails containing QR codes, attackers contacted online banking customers and obtained sensitive information,” she says.
She adds that a campaign recently affected the public transport services BiciMAD and Bicing in Madrid, Spain, in which fraudulent QR codes were attached to the bicycles of these services.
“They appeared to constitute a service of unlocking the bicycle in exchange for a certain monetary amount,” she says. “Instead of unlocking the transport, the money passed into the hands of cybercriminals.”
Mobile Phones Are Less Protected
Patrick Harr, CEO at SlashNext, points out that QR codes are a convenient way to spread mobile-based phishing campaigns, and that many mobile phones do not have phishing protection.
“Many companies that offer QR code and short code creation have security to prevent hackers from using their service to create malicious QR codes,” he says. “However, there are still many services that hackers can use, so it’s important to have mobile protection against malicious links.”
He adds that mobile phones provide bad actors with access to corporate accounts, banking information, and other personal data.
Georgia Weidman, security architect at Zimperium, says that — in addition to sending users to websites that phish their credentials, attack their device with client-side exploits, or entice them to download malicious apps — techniques such as QRLJacking allow attackers to perform account hijacking for apps that use a QR code for login.
“There are many legitimate uses for QR codes — in fact, many MFA apps use them for setup, and we all know the value MFA lends to keeping our accounts secure,” she says. “However, there is no message authentication code or otherwise in QR codes to verify that an attacker hasn’t replaced your organization’s QR code with a malicious one.”
“It’s important for organizations to have mobile protection against malicious links, because given the proliferation of QR codes in our daily life, it’s becoming impractical to avoid them completely,” Harr says.
Train People to Parry QR Attacks
Itxaso Reboleiro, cyber intelligence analyst at Entelgy Innotec Security, says awareness is always the starting point to fend off a cyberattack that uses social engineering tactics.
“Companies should establish small training sessions and bulletins in which employees are kept abreast of the latest developments in cyberthreats,” she says.
In the case of QRishing, organizations should advise employees not to scan QR codes pasted into emails of dubious origin or posted in random places, such as public roads, as cybercriminals take advantage of busy places to capture a greater number of victims.
QR readers can show users the URL of a website before taking them there, Reboleiro explains. “In this way, employees can be sure of the content hosted by the redirect before accessing the content or entering sensitive information,” she says. She adds that users should immediately close the website if, after scanning a QR code, they notice that the pages displayed appear to be unrelated to the expected content, and that they should not enter personal data or credentials into such sites even if requested.
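The URL preview Reboleiro describes can be automated. The following is an added example, not code from the article or from any of the vendors quoted: it takes the text a QR reader has already decoded (decoding the image itself is assumed to be done by the reader) and reports the real destination host together with reasons for caution, such as a host that is not one of the organization's own domains, a URL shortener, or lookalike text placed before an `@`. The shortener list and expected domains are constructed for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list for this demo; a deployment would keep its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def is_ip_literal(host: str) -> bool:
    """True if the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def preview_qr_url(payload: str, expected_domains) -> dict:
    """Vet the text decoded from a QR code before anyone opens it.

    Returns the destination host and a list of warnings so a reader app or
    help-desk script can show "this code goes to X" and flag when X is not
    where the code claims to lead. Non-web payloads (Wi-Fi, vCard, plain
    text) are reported as such instead of being treated as links.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return {"is_url": False, "host": None, "warnings": ["not a web URL"]}

    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # "https://bank.example@evil.example/" shows the trusted name first,
        # but the browser connects to whatever follows the '@'.
        warnings.append("text before '@' hides the real host")
    if host in SHORTENER_HOSTS:
        warnings.append("URL shortener hides the final destination")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host; check for lookalike characters")
    if is_ip_literal(host):
        warnings.append("raw IP address instead of a domain name")
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append(f"host {host!r} is not an expected domain")
    return {"is_url": True, "host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads standing in for decoded QR codes.
    for sample in ("https://pay.city.example/fine/123",
                   "https://city.example@pay-fines.example/login",
                   "WIFI:T:WPA;S:cafe;P:secret;;"):
        print(sample, "->", preview_qr_url(sample, {"city.example"}))
```

The single `warnings` list is what a reader would surface to the employee; an empty list means the destination is one of the organization's own domains over HTTPS, not that the page content is safe.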
“Employees should promptly notify their managers or the company’s cybersecurity staff to take appropriate security measures,” she says.
From Weidman’s perspective, the best plan is to train employees on the security implications of QR codes, so they keep their security awareness switched on while interacting with them in the wild. For example, the Open Web Application Security Project (OWASP) includes technical details on how QRLJacking works and ways to mitigate the risks of QRLJacking attacks in apps.
“If your organization uses QR codes for authentication, it is important to be aware of the kinds of attacks that attackers are using and to implement mitigation strategies for them,” Weidman says.