Quick Response (QR) codes are experiencing an increase in popularity as brands and shop owners move to offer a more flexible customer service experience during the COVID-19 pandemic. The codes provide a quick way to get to a website address or save other text-based information to a mobile device.
QR codes can be handy for saving keystrokes and eliminating typos. They make it easy to respond to marketing campaigns or gather more information about a product. However, QR codes can also be used for malicious activities.
Malicious QR codes are difficult to spot since their contents are obscured until scanned. A recent MobileIron survey found that nearly 63% of respondents were unable to distinguish between a safe and malicious QR code. Distinctions can be made only after the code is unscrambled by a QR code reader.
Understanding QR Code Attack Vectors
QR codes can do more than display a website address. They can also be used to initiate an action that costs money, such as making a phone call or sending a payment. Below are some ways that malicious QR codes can be used to compromise devices and steal information and money.
QR codes can be used to install software. The download and installation can happen in the background, without the user’s knowledge or permission. Difficult to remove, these sneaky malware apps stay out of sight by hiding their app icons.
Phishing is a common use for malicious QR codes. QR codes used for phishing take advantage of several factors to accomplish the scam. They take advantage of smaller mobile screen sizes to hide the full URL destination. The smaller screen allows scammers to show a legitimate-looking portion of a phishing website in the mobile browser.
Send a Text or Email
QR codes can be used to send a text or email message. Some scams may include sending messages to a premium rate phone number that generate income for attackers. Malicious or spam text messages can also be sent to the phone’s contacts. These messages are sent without the victim’s knowledge or consent.
QR codes can be used to enable location on your device, which can reveal your location or steal information about your network and device. This information can be saved and sent to an attacker’s server at a later date. Other malware on the device can also take advantage of the location data.
Create Calendar Events
QR codes can be used to create calendar events in your phone’s calendar. Spam events like this can be an annoyance and may also contain malicious links or include social engineering content to urge victims to take an action.
Exploit QR Code Reader Vulnerabilities
An attacker could gain control of all or parts of a phone's operating system by exploiting vulnerabilities in QR code reader software, using command injection or a buffer overflow.
Protecting against Attack and Data Loss
Since malicious QR codes aren’t easily recognizable, it’s best to be cautious about using them. Below are a few ways to prevent accidental exposure of your information.
Don't Blindly Trust QR Codes
Consider the source and look for evidence of tampering. Printed codes can easily be covered with stickers. Be wary and check for a sticker overlay before scanning. Choose to scan codes provided by trusted resources only.
Don’t Share Personal or Payment Information
Consider the consequences of providing payment data to a malicious website. Phishing sites are designed to look like legitimate websites. Avoid sharing personally identifiable information, login credentials, or payment data.
Be Cautious of Shortened Links
Link shorteners are commonly used to disguise links to malicious websites. QR codes that lead to a shortened link should be avoided. It’s always best to avoid shortened links from unknown sources.
You can always choose not to scan. Go directly to the brand's website to locate information advertised with a QR code.
Screen QR Codes with a Security App
Consider using a QR code screening app from a trusted anti-virus scanner. QR screening tools check the destination of URLs and examine actions being requested by a scanned QR code. They can alert you to a potentially malicious code.
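As an illustration of the screening step described above (an added example, not code from this article or from any particular security app), the sketch below classifies the text decoded from a QR code by the action it requests and flags URL traits worth a warning. The shortener list and the warning wording are assumptions; the payload prefixes are common QR content conventions.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed, non-exhaustive list of link-shortener hosts (illustrative only).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Lower-cased payload prefixes mapped to the action a reader app would start.
ACTIONS = {
    "tel:": "phone call",
    "sms:": "text message", "smsto:": "text message",
    "mailto:": "email", "matmsg:": "email",
    "geo:": "location",
    "begin:vevent": "calendar event", "begin:vcalendar": "calendar event",
    "wifi:": "join Wi-Fi network",
}

def screen_qr_payload(payload: str) -> dict:
    """Classify decoded QR text and list reasons to warn before acting on it."""
    lower = payload.strip().lower()
    for prefix, action in ACTIONS.items():
        if lower.startswith(prefix):
            return {"action": action, "warnings": [f"code requests action: {action}"]}
    if not lower.startswith(("http://", "https://")):
        return {"action": "plain text", "warnings": []}
    try:
        url = urlsplit(payload.strip())
    except ValueError:
        return {"action": "open website", "warnings": ["malformed URL"]}
    host = (url.hostname or "").lower()
    warnings = []
    if url.scheme == "http":
        warnings.append("unencrypted http link")
    if host in SHORTENERS:
        warnings.append("shortened link hides the real destination")
    if url.username is not None:
        warnings.append("text before '@' is not the destination host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    return {"action": "open website", "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads, as a decoder would return them.
    for p in ("https://bit.ly/abc", "SMSTO:+15550100:hi", "https://www.example.com/menu"):
        print(p, "->", screen_qr_payload(p))
```

A reader app would show the action and any warnings to the user and wait for confirmation instead of acting on the payload automatically.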
Avoid Third-party QR Code Scanning Apps
Avoid downloading a separate QR code reader because it could be malicious. Most modern mobile phones already contain an integrated QR code scanner. Phone cameras can scan barcodes and QR codes alike.
Keep Your Data and Device Safe from Malicious QR Codes
QR codes can do so much more than simply display a website. QR codes have the potential to save time and help connect you to important services. They can be a convenient way to provide a touchless customer service experience.
It's important to remember that QR codes can also be used for malicious activities. Mobile malware is a growing concern as it becomes more invasive. One of the best ways to protect against compromise is to avoid risky activities that include scanning QR codes.
- Optical Delusions: A Study of Malicious QR Codes in the Wild. (2015).
- MobileIron QR Code Survey. (2020).